This note documents detection patterns related to PowerShell Abuse within Windows environments.

Direct Indicators

Log	Event ID	Meaning	Forensic Value	Notes
PowerShell	4104	Script block logging	Critical	Highest-value PowerShell content visibility.
PowerShell	4103	Module logging	Critical	Captures cmdlet execution and parameters.
Security	4688	Process creation	Critical	Detects PowerShell launch arguments and parent process.
Sysmon	1	Process creation	Critical	Best execution source for PowerShell lineage and hashes.
Sysmon	3	Network connection	High	Outbound activity from PowerShell process.
Sysmon	11	File create	High	Payload drop, temp scripts, decoded output.
Sysmon	22	DNS query	High	Domain resolution during retrieval or beaconing.
Security	400 / 403	Engine start / stop	Medium	Session lifecycle context.

Indirect Indicators

Indicator	What To Look For	Forensic Value	Notes
EncodedCommand used	`-enc`, `-EncodedCommand`	Critical	Strong attacker indicator.
Hidden window flags	`-w hidden`, `-nop`	Critical	Common stealth execution.
Download cradle	`Invoke-WebRequest`, `DownloadString`, `WebClient`	Critical	Classic staging pattern.
Office or LOLBIN parent	winword, mshta, regsvr32	Critical	Strong malicious chain.
PowerShell spawning LOLBINs	certutil, bitsadmin, rundll32	High	Multi-stage execution.
PowerShell under SYSTEM unexpectedly	Service or task abuse	High	Persistence or privesc clue.
Short-lived PowerShell + network	Beacon staging	Critical	Common implant launch.

Common Tools

Tool	Usage
powershell.exe	Native execution engine
pwsh.exe	PowerShell Core
PowerView	Reconnaissance
Empire	Offensive framework
Cobalt Strike	Payload staging
Nishang	Offensive scripts
custom scripts	In-memory execution

Relevant Artifacts

PowerShell Event IDs 4103, 4104
Security Event ID 4688
Sysmon Event IDs 1, 3, 11, 22
PowerShell history:
- %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
Prefetch: POWERSHELL.EXE
Amcache / ShimCache
MFT / USN for scripts
EDR script lineage

MITRE ATT&CK References

T1059.001 PowerShell
T1105 Ingress Tool Transfer
T1027 Obfuscated Files or Information

Decision Tree

Which PowerShell launched?
- powershell.exe
- pwsh.exe
Command suspicious?
- Encoded?
- Hidden?
- Downloading?
Parent suspicious?
- Office
- Browser
- Service
Follow-up activity?
- Network
- File create
- Child process
Expand:
- Persistence
- Credential access
- Lateral movement
Scope:
- Single script
- Framework use
- Multi-host execution

Example Detection Templates

KQL

SecurityEvent
| where EventID == 4688
| where NewProcessName has "powershell.exe"
| project TimeGenerated, Computer, Account, CommandLine, ParentProcessName

PowerShell
| where EventID == 4104
| project TimeGenerated, Computer, ScriptBlockText

EQL

process where process.name == "powershell.exe"

sequence by host.name with maxspan=5m
  [ process where process.name == "powershell.exe" ]
  [ network where process.name == "powershell.exe" ]

Sigma

title: Suspicious PowerShell Abuse
id: 6b4f2a91-powershell-abuse
status: experimental
description: Detects suspicious PowerShell execution patterns
references:
  - https://attack.mitre.org/
author: Vergil
date: 2026-03-07
logsource:
  product: windows
  service: security
detection:
  selection:
    NewProcessName|endswith: '\powershell.exe'
  keywords:
    CommandLine|contains:
      - '-enc'
      - '-nop'
      - 'DownloadString'
      - 'Invoke-WebRequest'
  condition: selection and keywords
fields:
  - CommandLine
  - ParentProcessName
falsepositives:
  - Administrative automation
level: high
tags:
  - attack.execution
  - attack.t1059.001

Mitigation & Hardening

Control Area	Mitigation	Effectiveness	Notes
Script block logging	Enable 4104	Critical	Highest-value content source
Module logging	Enable 4103	Critical	Captures cmdlet detail
Constrained language mode	Restrict advanced features	High	Reduces abuse
AppLocker / WDAC	Limit PowerShell execution	High	Strong control
Parent-child monitoring	Alert on suspicious launch chains	Critical	Essential triage