Command and Scripting Interpreter: PowerShell (T1059.001)

Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet, which can be used to run an executable, and the Invoke-Command cmdlet, which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).

Events covered

21 catalog events are tagged with this technique by at least one rule.

| Provider | Event ID | Title |
| --- | --- | --- |
| Sysmon | 1 | Process creation |
| Sysmon | 3 | Network connection |
| Sysmon | 7 | Image loaded |
| Sysmon | 8 | CreateRemoteThread |
| Sysmon | 10 | ProcessAccess |
| Sysmon | 11 | FileCreate |
| Sysmon | 13 | RegistryEvent (Value Set) |
| Sysmon | 17 | PipeEvent (Pipe Created) |
| Sysmon | 18 | PipeEvent (Pipe Connected) |
| Security-Auditing | 4688 | A new process has been created. |
| Security-Auditing | 4697 | A service was installed in the system. |
| Security-Auditing | 5156 | The Windows Filtering Platform has permitted a connection. |
| Defender-DeviceProcessEvents | 9001000 | Process activity (any) |
| AppLocker | 8004 | FilePathBuffer was prevented from running. |
| AppLocker | 8007 | FilePathBuffer was prevented from running. |
| AppLocker | 8022 | PackageBuffer was prevented from running. |
| AppLocker | 8025 | PackageBuffer was prevented from running. |
| PowerShell | 4103 | Payload Context: ContextInfo User Data: UserData. |
| PowerShell | 4104 | Creating Scriptblock text (MessageNumber of MessageTotal). |
| PowerShell | 400 | |
| Service-Control-Manager | 7045 | A service was installed in the system. |

Authoring guide

Patterns shared across the 229 rules under this technique: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (47 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

| Field | Rules | How | Sample values |
| --- | --- | --- | --- |
| ScriptBlockText | 77 | match 36, eq 25, in 13, regex_match 8, ends_with 1 | shellexec_rundll, iex, New-Object, +, ` |
| CommandLine | 72 | match 65, regex_match 8, ends_with 2, eq 1, is_null 1 | powershell, -f, InstallProduct(, -e, FromBase64String |
| Image | 55 | ends_with 50, eq 5, match 4, starts_with 3, is_null 2 | \powershell.exe, \pwsh.exe, \powershell_ise.exe, \schtasks.exe, \cmd.exe |
| EventID | 35 | eq 35 | 4104 |
| OriginalFileName | 32 | eq 32 | pwsh.dll, PowerShell.EXE, PowerShell_ISE.EXE, schtasks.exe, powershell_ise.exe |
| ParentImage | 23 | ends_with 12, eq 9, match 6 | \pwsh.exe, C:\Windows\System32\msiexec.exe, \sqlagent.exe, \powershell.exe, \gc_worker.exe |
| Payload | 14 | match 7, regex_match 7, ends_with 1 | shellexec_rundll, Failed to update Help for the module, Update-Help, tifkin_, harmj0y |
| Esql.script_block_pattern_count | 10 | ge 10 | 1, 2, 20, 5 |
| ServiceFileName | 10 | match 10 | cmd, &&, shellexec_rundll, -f, clipboard]:: |
| ImagePath | 10 | match 10 | cmd, &&, shellexec_rundll, -f, clipboard]:: |
| Provider_Name | 10 | eq 10 | Service Control Manager |
| Esql.script_block_length | 8 | gt 8 | 500, 1000 |
| ContextInfo | 6 | match 6 | ConfigSyncRun.exe, = C:/Windows/System32/WindowsPowerShell/v1.0/powershell, = C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell, Invoke-CredentialsPhish.ps1, Invoke-ConPtyShell.ps1 |
| Data | 6 | match 6, regex_match 1 | EngineVersion=2., powershell, [1], -type=txt http, EngineVersion=4. |
| file.directory | 4 | is_null 4 | |

Top indicator values (2879 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition to get useful signal. A blank means the combination is specific to rules under this technique.

| Field | Kind | Value | Rules (here) | Corpus reach |
| --- | --- | --- | --- | --- |
| EventID | eq | 4104 | 35 | 108 |
| Image | ends_with | \powershell.exe | 33 | 143 |
| Image | ends_with | \pwsh.exe | 32 | 140 |
| OriginalFileName | eq | pwsh.dll | 23 | 72 |
| OriginalFileName | eq | PowerShell.EXE | 22 | 64 |
| Provider_Name | eq | Service Control Manager | 10 | 43 |
| Esql.script_block_pattern_count | ge | 1 | 6 | 6 |
| Esql.script_block_length | gt | 500 | 6 | 6 |
| Image | ends_with | \schtasks.exe | 6 | 45 |
| Image | ends_with | \powershell_ise.exe | 5 | 27 |
| Image | ends_with | \cmd.exe | 5 | 92 |
| CommandLine | match | /Create | 4 | 4 |
| ServiceFileName | match | cmd | 4 | 5 |
| ImagePath | match | cmd | 4 | 5 |
| CommandLine | match | http | 3 | 31 |
| ParentImage | ends_with | \powershell.exe | 3 | 16 |
| ParentImage | ends_with | \pwsh.exe | 3 | 16 |
| ServiceFileName | match | && | 3 | 3 |
| ImagePath | match | && | 3 | 4 |
| ImagePath | match | /c | 3 | 4 |

Common exclusions (12 distinct)

Field/operator/value combinations that rules under this technique routinely exclude (top-level not() clauses). These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

| Field | Kind | Value | Rules excluding |
| --- | --- | --- | --- |
| ScriptBlockText | match | [System.IO.File]::Open('C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender... | 1 |
| ScriptBlockText | match | $([char]0x1b)]633 | 1 |
| ScriptBlockText | match | :::::\\\\windows\\\\sentinel | 1 |
| ScriptBlockText | match | $local:Bypassed | 1 |
| ScriptBlockText | match | origPSExecutionPolicyPreference | 1 |
| ScriptBlockText | match | $s.BranchBehindStatusSymbol.Text | 1 |
| ScriptBlockText | match | GitBranchStatus | 1 |
| ScriptBlockText | match | sentinelbreakpoints | 1 |
| ScriptBlockText | match | GENESIS-5654 | 1 |
| ScriptBlockText | in | "*DeriveBytes*" | 1 |
| ScriptBlockText | in | "*SHA*" | 1 |
| ScriptBlockText | in | "*MD5*" | 1 |
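To make the two points above concrete (a high-reach indicator is noisy alone, and a rule should carry the known exclusions), here is an added example that is not part of the catalog: a small evaluator for the normalized field/operator vocabulary used in these tables, run over constructed 4104-style events. The event contents, the `pred_holds`/`matches` helpers and the two rule definitions are this example's own assumptions; only the field names, operators, and the `origPSExecutionPolicyPreference` exclusion come from the page.

```python
import fnmatch
import re

# Operators as named in the "How" column above (case-insensitive where text is compared).
OPS = {
    "eq": lambda v, x: v == x,
    "ends_with": lambda v, x: str(v).lower().endswith(x.lower()),
    "match": lambda v, x: x.lower() in str(v).lower(),            # substring
    "regex_match": lambda v, x: re.search(x, str(v), re.I) is not None,
    "in": lambda v, x: any(fnmatch.fnmatch(str(v).lower(), p.lower()) for p in x),
    "is_null": lambda v, x: v is None,
}

def pred_holds(event, field, op, value):
    """Evaluate one (field, operator, value) predicate; a missing field only satisfies is_null."""
    v = event.get(field)
    if v is None and op != "is_null":
        return False
    return OPS[op](v, value)

def matches(rule, events):
    """Ids of events where every selection predicate holds and no exclusion (top-level not) does."""
    return [ev["id"] for ev in events
            if all(pred_holds(ev, *p) for p in rule["selection"])
            and not any(pred_holds(ev, *p) for p in rule.get("exclusions", []))]

# Constructed PowerShell/Operational-style events for illustration, not real telemetry.
EVENTS = [
    {"id": "e1", "EventID": 4104,
     "ScriptBlockText": "Get-ChildItem C:\\Users | Export-Csv .\\inventory.csv"},
    {"id": "e2", "EventID": 4104,
     "ScriptBlockText": "iex ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b)))"},
    {"id": "e3", "EventID": 4104,  # constructed benign loader on the known-noisy exclusion path
     "ScriptBlockText": "$origPSExecutionPolicyPreference = Get-ExecutionPolicy -Scope Process; "
                        "iex ([Convert]::FromBase64String($m))"},
    {"id": "e4", "EventID": 4688, "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1"},
]

# The highest-reach indicator in the table above, on its own (108 rules catalog-wide).
INDICATOR_ONLY = {"selection": [("EventID", "eq", 4104)]}

# The same indicator combined with two ScriptBlockText conditions and one of the
# common exclusions listed above.
COMBINED = {
    "selection": [("EventID", "eq", 4104),
                  ("ScriptBlockText", "match", "FromBase64String"),
                  ("ScriptBlockText", "regex_match", r"\biex\b|Invoke-Expression")],
    "exclusions": [("ScriptBlockText", "match", "origPSExecutionPolicyPreference")],
}

if __name__ == "__main__":
    print("indicator only:", matches(INDICATOR_ONLY, EVENTS))  # ['e1', 'e2', 'e3']
    print("combined rule: ", matches(COMBINED, EVENTS))        # ['e2']
```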

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor; each rule's entry carries its full predicates, exclusions, and indicators.

Sigma 175 rules

Elastic 12 rules

Splunk 40 rules

Kusto Query Language 2 rules