EXPLORE
Sign In
← Back to Explore
sigmalowHunting

Non Interactive PowerShell Process Spawned

Detects non-interactive PowerShell activity by looking at the "powershell" process with a non-user GUI process such as "explorer.exe" as a parent.

MITRE ATT&CK

T1059.001
execution

Detection Query

selection:
  - Image|endswith:
      - \powershell.exe
      - \pwsh.exe
  - OriginalFileName:
      - PowerShell.EXE
      - pwsh.dll
filter_main_generic:
  ParentImage|endswith:
    - :\Windows\explorer.exe
    - :\Windows\System32\CompatTelRunner.exe
    - :\Windows\SysWOW64\explorer.exe
filter_main_windows_update:
  ParentImage: :\$WINDOWS.~BT\Sources\SetupHost.exe
filter_optional_vscode:
  ParentImage|endswith: \AppData\Local\Programs\Microsoft VS Code\Code.exe
  ParentCommandLine|contains: " --ms-enable-electron-run-as-node "
filter_optional_terminal:
  ParentImage|contains: :\Program Files\WindowsApps\Microsoft.WindowsTerminal_
  ParentImage|endswith: \WindowsTerminal.exe
filter_optional_defender:
  ParentImage|endswith: :\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*

Author

Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)

Created

2019-09-12

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.executionattack.t1059.001
Raw Content
title: Non Interactive PowerShell Process Spawned
id: f4bbd493-b796-416e-bbf2-121235348529
status: test
description: Detects non-interactive PowerShell activity by looking at the "powershell" process with a non-user GUI process such as "explorer.exe" as a parent.
references:
    - https://web.archive.org/web/20200925032237/https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html
author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
date: 2019-09-12
modified: 2025-02-28
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    filter_main_generic:
        ParentImage|endswith:
            - ':\Windows\explorer.exe'
            - ':\Windows\System32\CompatTelRunner.exe'
            - ':\Windows\SysWOW64\explorer.exe'
    filter_main_windows_update:
        ParentImage: ':\$WINDOWS.~BT\Sources\SetupHost.exe' # During Windows updates/upgrades
        # CommandLine: powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';
    filter_optional_vscode:
        # Triggered by VsCode when you open a Shell inside the workspace
        ParentImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
        ParentCommandLine|contains: ' --ms-enable-electron-run-as-node '
    filter_optional_terminal:
        ParentImage|contains: ':\Program Files\WindowsApps\Microsoft.WindowsTerminal_'
        ParentImage|endswith: '\WindowsTerminal.exe'
    filter_optional_defender:
        ParentImage|endswith: ':\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Likely. Many admin scripts and tools leverage PowerShell in their BAT or VB scripts which may trigger this rule often. It is best to add additional filters or use this to hunt for anomalies
level: low