T1059.001: PowerShell

Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet, which can be used to run an executable, and the `Invoke-Command` cmdlet, which runs a co...

Platform: Windows. 338 detections, 4 sources, 83 threat actors.

BY SOURCE: 177 sigma, 101 elastic, 57 splunk_escu, 3 crowdstrike_cql

PROCEDURES (122)

Auto-extracted keyword clusters; each entry gives the cluster keyword and its detection count.

Obfuscat: 24 detections
Obfuscat: 19 detections
Powershell: 16 detections
Powershell: 13 detections
Obfuscat: 13 detections
Amsi: 10 detections
Suspicious: 9 detections
Process Creation Monitoring: 8 detections
Script Execution Monitoring: 7 detections
Powershell: 7 detections
Base64: 7 detections
Download: 6 detections
Base64: 5 detections
Child Process: 5 detections
Suspicious: 5 detections
Exfiltrat: 5 detections
Remote: 4 detections
Suspicious: 4 detections
Script Block: 4 detections
Service: 4 detections
Lateral: 4 detections
Credential: 4 detections
Unusual: 3 detections
General Monitoring: 3 detections
Lateral: 3 detections
Ransomware: 3 detections
Registry: 3 detections
Bypass: 3 detections
Remote: 3 detections
Child Process: 3 detections
Service: 3 detections
Token: 3 detections
Persist: 3 detections
Email: 3 detections
Remote: 3 detections
Suspicious: 2 detections
Bypass: 2 detections
Download: 2 detections
Exfiltrat: 2 detections
Inject: 2 detections
Wmi: 2 detections
Phish: 2 detections
Registry Monitoring: 2 detections
Parent Process: 2 detections
Powershell: 2 detections
Powershell: 2 detections
Powershell: 2 detections
Exfiltrat: 2 detections
Phish: 2 detections
Evasion: 2 detections
Service: 2 detections
Wmi: 2 detections
Api: 2 detections
Kerbero: 2 detections
Reflection: 2 detections
Ransomware: 2 detections
Download: 2 detections
Registry: 2 detections
Scheduled Task: 2 detections
Service: 2 detections
Encoded Command: 2 detections
Remote: 2 detections
Http: 2 detections
Bypass: 2 detections
Command Line Monitoring: 1 detection
Amsi: 1 detection
Child Process: 1 detection
Powershell: 1 detection
Lateral: 1 detection
Event Log: 1 detection
Encoded Command: 1 detection
Unusual: 1 detection
Command And Control: 1 detection
Exfiltrat: 1 detection
Powershell: 1 detection
Privilege: 1 detection
Ntds: 1 detection
Parent Process: 1 detection
Lateral: 1 detection
Lateral: 1 detection
Email: 1 detection
Lsass: 1 detection
Token: 1 detection
Child Process: 1 detection
Tamper: 1 detection
Ransomware: 1 detection
File Monitoring: 1 detection
Api: 1 detection
C2: 1 detection
Tamper: 1 detection
Wmi: 1 detection
Anomal: 1 detection
Ransomware: 1 detection
Event Log: 1 detection
Dump: 1 detection
Persist: 1 detection
Evasion: 1 detection
Anomal: 1 detection
Lsass: 1 detection
Persist: 1 detection
Azure: 1 detection
Mimikatz: 1 detection
Bypass: 1 detection
Parent Process: 1 detection
C2: 1 detection
Http: 1 detection
Dns: 1 detection
Startup: 1 detection
Ntds: 1 detection
Ntds: 1 detection
Dns: 1 detection
Command And Control: 1 detection
Dns: 1 detection
Http: 1 detection
Scheduled Task: 1 detection
Wmi: 1 detection
Reflection: 1 detection
Parent Process: 1 detection
Mimikatz: 1 detection
Bypass: 1 detection
Inject: 1 detection
Startup: 1 detection

DETECTIONS (338)

Each entry is listed as name (source, severity); splunk_escu and crowdstrike_cql entries carry no severity on this page.

Alternate PowerShell Hosts - PowerShell Module (sigma, medium)
Alternate PowerShell Hosts Pipe (sigma, medium)
AppLocker Prevented Application or Script from Running (sigma, medium)
AWS EC2 Startup Shell Script Change (sigma, high)
AWS SSM `SendCommand` with Run Shell Command Parameters (elastic, medium)
Bad Opsec Powershell Code Artifacts (sigma, critical)
Base64 Encoded PowerShell Command Detected (sigma, high)
BloodHound Collection Files (sigma, high)
Certificate Exported Via PowerShell (sigma, medium)
Change PowerShell Policies to an Insecure Level (sigma, medium)
Change PowerShell Policies to an Insecure Level - PowerShell (sigma, medium)
Cisco Secure Firewall - Communication Over Suspicious Ports (splunk_escu)
Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity (splunk_escu)
Clearing Windows Console History (elastic, medium)
Cmd.EXE Missing Space Characters Execution Anomaly (sigma, high)
Command and Scripting Interpreter via Windows Scripts (elastic, high)
Command Execution via SolarWinds Process (elastic, medium)
Command Line Execution with Suspicious URL and AppData Strings (sigma, medium)
Command Line Obfuscation via Whitespace Padding (elastic, medium)
Command Shell Activity Started via RunDLL32 (elastic, low)
ConvertTo-SecureString Cmdlet Usage Via CommandLine (sigma, medium)
CrushFTP Authentication Bypass Exploitation (splunk_escu)
Delayed Execution via Ping (elastic, low)
Deprecated - Potential PowerShell Obfuscated Script (elastic, low)
Detect Certify With PowerShell Script Block Logging (splunk_escu)
Detect Empire with PowerShell Script Block Logging (splunk_escu)
Detect Mimikatz With PowerShell Script Block Logging (splunk_escu)
Detection of PowerShell Execution via Sqlps.exe (sigma, medium)
Disabling Windows Defender Security Settings via PowerShell (elastic, medium)
DNS Staging Detection: ClickFix-Inspired nslookup Execution (crowdstrike_cql)
DSInternals Suspicious PowerShell Cmdlets (sigma, high)
DSInternals Suspicious PowerShell Cmdlets - ScriptBlock (sigma, high)
Dynamic IEX Reconstruction via Method String Access (elastic, low)
Entra ID PowerShell Sign-in (elastic, low)
Exchange PowerShell Module Usage (splunk_escu)
Exchange PowerShell Snap-Ins Usage (sigma, high)
Execute Code with Pester.bat (sigma, medium)
Execute Code with Pester.bat as Parent (sigma, medium)
Execution from Unusual Directory - Command Line (elastic, medium)
Execution of a Downloaded Windows Script (elastic, medium)
Execution of Persistent Suspicious Program (elastic, medium)
Execution of Powershell Script in Public Folder (sigma, high)
Execution via GitHub Actions Runner (elastic, medium)
Execution via OpenClaw Agent (elastic, medium)
Execution with Explicit Credentials via Scripting (elastic, medium)
Exporting Exchange Mailbox via PowerShell (elastic, medium)
Get-ForestTrust with PowerShell Script Block (splunk_escu)
GetLocalUser with PowerShell Script Block (splunk_escu)
GetWmiObject User Account with PowerShell Script Block (splunk_escu)
HackTool - Bloodhound/Sharphound Execution (sigma, high)
HackTool - Covenant PowerShell Launcher (sigma, high)
HackTool - CrackMapExec Execution (sigma, high)
HackTool - CrackMapExec Execution Patterns (sigma, high)
HackTool - CrackMapExec PowerShell Obfuscation (sigma, high)
HackTool - Default PowerSploit/Empire Scheduled Task Creation (sigma, high)
HackTool - Empire PowerShell Launch Parameters (sigma, high)
Hidden Powershell in Link File Pattern (sigma, medium)
HTML Help HH.EXE Suspicious Child Process (sigma, high)
Import PowerShell Modules From Suspicious Directories (sigma, medium)
Import PowerShell Modules From Suspicious Directories - ProcCreation (sigma, medium)
Incoming Execution via PowerShell Remoting (elastic, medium)
Invoke-Obfuscation CLIP+ Launcher (sigma, high)
Invoke-Obfuscation CLIP+ Launcher - PowerShell (sigma, high)
Invoke-Obfuscation CLIP+ Launcher - PowerShell Module (sigma, high)
Invoke-Obfuscation CLIP+ Launcher - Security (sigma, high)
Invoke-Obfuscation CLIP+ Launcher - System (sigma, high)
Invoke-Obfuscation COMPRESS OBFUSCATION (sigma, medium)
Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell (sigma, medium)
Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module (sigma, medium)
Invoke-Obfuscation COMPRESS OBFUSCATION - Security (sigma, medium)
Invoke-Obfuscation COMPRESS OBFUSCATION - System (sigma, medium)
Invoke-Obfuscation Obfuscated IEX Invocation (sigma, high)
Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell (sigma, high)
Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module (sigma, high)
Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell (sigma, medium)
Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module (sigma, medium)
Invoke-Obfuscation RUNDLL LAUNCHER - Security (sigma, medium)
Invoke-Obfuscation RUNDLL LAUNCHER - System (sigma, medium)
Invoke-Obfuscation STDIN+ Launcher (sigma, high)
Invoke-Obfuscation STDIN+ Launcher - Powershell (sigma, high)
Invoke-Obfuscation STDIN+ Launcher - PowerShell Module (sigma, high)
Invoke-Obfuscation STDIN+ Launcher - Security (sigma, high)
Invoke-Obfuscation STDIN+ Launcher - System (sigma, high)
Invoke-Obfuscation VAR+ Launcher (sigma, high)
Invoke-Obfuscation VAR+ Launcher - PowerShell (sigma, high)
Invoke-Obfuscation VAR+ Launcher - PowerShell Module (sigma, high)
Invoke-Obfuscation VAR+ Launcher - Security (sigma, high)
Invoke-Obfuscation VAR+ Launcher - System (sigma, high)
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION (sigma, high)
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell (sigma, high)
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module (sigma, high)
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security (sigma, high)
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System (sigma, high)
Invoke-Obfuscation Via Stdin (sigma, high)
Invoke-Obfuscation Via Stdin - Powershell (sigma, high)
Invoke-Obfuscation Via Stdin - PowerShell Module (sigma, high)
Invoke-Obfuscation Via Stdin - Security (sigma, high)
Invoke-Obfuscation Via Stdin - System (sigma, high)
Invoke-Obfuscation Via Use Clip (sigma, high)
Invoke-Obfuscation Via Use Clip - Powershell (sigma, high)
Invoke-Obfuscation Via Use Clip - PowerShell Module (sigma, high)
Invoke-Obfuscation Via Use Clip - Security (sigma, high)
Invoke-Obfuscation Via Use Clip - System (sigma, high)
Invoke-Obfuscation Via Use MSHTA (sigma, high)
Invoke-Obfuscation Via Use MSHTA - PowerShell (sigma, high)
Invoke-Obfuscation Via Use MSHTA - PowerShell Module (sigma, high)
Invoke-Obfuscation Via Use MSHTA - Security (sigma, high)
Invoke-Obfuscation Via Use MSHTA - System (sigma, high)
Invoke-Obfuscation Via Use Rundll32 - PowerShell (sigma, high)
Invoke-Obfuscation Via Use Rundll32 - PowerShell Module (sigma, high)
Invoke-Obfuscation Via Use Rundll32 - Security (sigma, high)
Invoke-Obfuscation Via Use Rundll32 - System (sigma, high)
M365 SharePoint/OneDrive File Access via PowerShell (elastic, medium)
Malicious Base64 Encoded PowerShell Keywords in Command Lines (sigma, high)
Malicious Nishang PowerShell Commandlets (sigma, high)
Malicious PowerShell Commandlets - PoshModule (sigma, high)
Malicious PowerShell Commandlets - ProcessCreation (sigma, high)
Malicious PowerShell Commandlets - ScriptBlock (sigma, high)
Malicious PowerShell Keywords (sigma, medium)
Malicious PowerShell Process - Execution Policy Bypass (splunk_escu)
Malicious PowerShell Process With Obfuscation Techniques (splunk_escu)
Malicious PowerShell Scripts - FileCreation (sigma, high)
Malicious PowerShell Scripts - PoshModule (sigma, high)
Malicious ShellIntel PowerShell Commandlets (sigma, high)
Microsoft Build Engine Started an Unusual Process (elastic, low)
Microsoft Build Engine Started by a Script Process (elastic, medium)
Microsoft Exchange Worker Spawning Suspicious Processes (elastic, high)
Net WebClient Casing Anomalies (sigma, high)
New ActiveSyncAllowedDeviceID Added via PowerShell (elastic, medium)
New PowerShell Instance Created (sigma, informational)
Nishang PowershellTCPOneLine (splunk_escu)
Non Interactive PowerShell Process Spawned (sigma, low)
Nslookup PowerShell Download Cradle (sigma, medium)
NTFS Alternate Data Stream (sigma, high)
Obfuscated PowerShell MSI Install via WindowsInstaller COM (sigma, high)
Obfuscated PowerShell OneLiner Execution (sigma, high)
Outbound Scheduled Task Activity via PowerShell (elastic, medium)
Possible Lateral Movement PowerShell Spawn (splunk_escu)
Potential Antimalware Scan Interface Bypass via PowerShell (elastic, high)
Potential Command Shell via NetCat (elastic, high)
Potential Data Exfiltration Activity Via CommandLine Tools (sigma, high)
Potential DLL File Download Via PowerShell Invoke-WebRequest (sigma, medium)
Potential Dynamic IEX Reconstruction via Environment Variables (elastic, medium)
Potential Encoded PowerShell Patterns In CommandLine (sigma, low)
Potential Execution via FileFix Phishing Attack (elastic, high)
Potential Fake CAPTCHA Phishing Attack (elastic, high)
Potential Invoke-Mimikatz PowerShell Script (elastic, critical)
Potential Malicious PowerShell Based on Alert Correlation (elastic, high)
Potential Persistence Via Powershell Search Order Hijacking - Task (sigma, high)
Potential PowerShell Command Line Obfuscation (sigma, high)
Potential PowerShell Downgrade Attack (sigma, medium)
Potential PowerShell HackTool Script by Author (elastic, high)
Potential PowerShell HackTool Script by Function Names (elastic, medium)
Potential PowerShell Obfuscated Script via High Entropy (elastic, low)
Potential PowerShell Obfuscation Using Alias Cmdlets (sigma, low)
Potential PowerShell Obfuscation Using Character Join (sigma, low)
Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion (elastic, high)
Potential PowerShell Obfuscation via Character Array Reconstruction (elastic, high)
Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation (elastic, high)
Potential PowerShell Obfuscation via High Numeric Character Proportion (elastic, low)
Potential PowerShell Obfuscation via Invalid Escape Sequences (elastic, medium)
Potential PowerShell Obfuscation via Reverse Keywords (elastic, low)
Potential PowerShell Obfuscation Via Reversed Commands (sigma, high)
Potential PowerShell Obfuscation via Special Character Overuse (elastic, medium)
Potential PowerShell Obfuscation via String Concatenation (elastic, high)
Potential PowerShell Obfuscation via String Reordering (elastic, medium)
Potential PowerShell Obfuscation Via WCHAR/CHAR (sigma, high)
Potential PowerShell Pass-the-Hash/Relay Script (elastic, high)
Potential Powershell ReverseShell Connection (sigma, high)
Potential Process Injection via PowerShell (elastic, high)
Potential Remote PowerShell Session Initiated (sigma, high)
Potential SAP NetWeaver Exploitation (elastic, high)
Potential SharpRDP Behavior (elastic, high)
Potential Suspicious PowerShell Keywords (sigma, medium)
Potential Veeam Credential Access Command (elastic, medium)
Potential WinAPI Calls Via PowerShell Scripts (sigma, high)
Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell (sigma, medium)
Potentially Suspicious Command Executed Via Run Dialog Box - Registry (sigma, high)
Potentially Suspicious WebDAV LNK Execution (sigma, medium)
PowerShell - Connect To Internet With Hidden Window (splunk_escu)
PowerShell 4104 Hunting (splunk_escu)
PowerShell ADRecon Execution (sigma, high)
PowerShell Base64 Encoded FromBase64String Cmdlet (sigma, high)
PowerShell Base64 Encoded IEX Cmdlet (sigma, high)
PowerShell Base64 Encoded Invoke Keyword (sigma, high)
PowerShell Base64 Encoded Reflective Assembly Load (sigma, high)
PowerShell Base64 Encoded WMI Classes (sigma, high)
PowerShell Called from an Executable Version Mismatch (sigma, high)
Powershell COM Hijacking InprocServer32 Modification (splunk_escu)
Powershell Command Length Anomaly Detection (crowdstrike_cql)
PowerShell Core DLL Loaded By Non PowerShell Process (sigma, medium)
PowerShell Create Local User (sigma, medium)
Powershell Creating Thread Mutex (splunk_escu)
PowerShell Credential Prompt (sigma, high)
PowerShell Domain Enumeration (splunk_escu)
PowerShell Downgrade Attack - PowerShell (sigma, medium)
PowerShell Download Pattern (sigma, medium)
PowerShell Enable PowerShell Remoting (splunk_escu)
Powershell Execute COM Object (splunk_escu)
Powershell Executed From Headless ConHost Process (sigma, medium)