Phase 2 · T1059.001 · Moderate

PowerShell + Outbound Network Correlation

Correlate a PowerShell process with its first external network connection.

#Sysmon #Wazuh #Correlation

Detection Objective

Detect short-lived PowerShell processes that immediately initiate outbound connections to non-internal IPs.

Real-World Attack Scenario

A stager downloads next-stage shellcode within seconds of spawning.

Why This Detection Matters

Forces the adversary into a behavior they cannot easily hide.

ATT&CK Mapping

T1059.001 · PowerShell
Tactic: Execution

Required Telemetry

  • Sysmon EID 1 (process) + EID 3 (network)
Windows Event IDs
Sysmon Event IDs: 1, 3
Wazuh Log Source: Sysmon/Operational

Setup Steps

  1. Sysmon config with network logging for powershell.exe.

Safe Validation Command

Localhost fetch — safe.
powershell.exe -c "Invoke-WebRequest http://127.0.0.1 -UseBasicParsing"
⚠ lab use only · this project does not execute real malware

Expected Log Output

Sysmon EID 1 → EID 3 with matching ProcessGuid

Detection Logic (Wazuh rule concept)

Sysmon EID 3 where Image matches powershell|pwsh AND DestinationIp NOT in (RFC1918, 127.0.0.0/8) within 60s of EID 1 with the same ProcessGuid.
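The rule concept above, worked through as an added example that is not part of this project's Wazuh ruleset: a small Python correlator that keys PowerShell EID 1 start times by ProcessGuid, suppresses EID 3 events to RFC1918/loopback (or an allowlisted network, the tuning knob from the section below) and alerts only inside the 60 s window. The sample events, GUIDs and IPs are constructed placeholders, not captured telemetry.

```python
import ipaddress
import re
from datetime import datetime

WINDOW_SECONDS = 60  # from the rule concept: EID 3 within 60s of EID 1
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
PS_IMAGE = re.compile(r"\\(powershell|pwsh)\.exe$", re.IGNORECASE)
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

def is_internal(ip, allowlist=()):
    """True for RFC1918/loopback destinations or any allowlisted network (tuning knob)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in INTERNAL_NETS + [ipaddress.ip_network(a) for a in allowlist])

def parse_time(s):
    """Sysmon UtcTime is written as 'YYYY-MM-DD HH:MM:SS.fff' in UTC."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")

def correlate(events, window=WINDOW_SECONDS, allowlist=()):
    """Alert on each PowerShell EID 3 to an external IP within `window` s of its EID 1 (same ProcessGuid)."""
    starts, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        if not PS_IMAGE.search(ev["Image"]):
            continue  # only powershell.exe / pwsh.exe are in scope
        if ev["EventID"] == 1:
            starts[ev["ProcessGuid"]] = parse_time(ev["UtcTime"])
        elif ev["EventID"] == 3 and ev["ProcessGuid"] in starts:
            if is_internal(ev["DestinationIp"], allowlist):
                continue  # loopback/RFC1918/allowlisted: the validation command lands here
            delta = (parse_time(ev["UtcTime"]) - starts[ev["ProcessGuid"]]).total_seconds()
            if 0 <= delta <= window:
                alerts.append({"ProcessGuid": ev["ProcessGuid"],
                               "DestinationIp": ev["DestinationIp"], "seconds_after_start": delta})
    return alerts

def mk(eid, guid, image, utc, dst=None):
    return {"EventID": eid, "ProcessGuid": guid, "Image": image, "UtcTime": utc, "DestinationIp": dst}

# Constructed sample telemetry (not real logs); GUIDs and IPs are placeholders.
SAMPLE_EVENTS = [
    mk(1, "{guid-A}", PS, "2026-05-26 14:32:11.000"),
    mk(3, "{guid-A}", PS, "2026-05-26 14:32:12.000", "127.0.0.1"),     # validation fetch: suppressed
    mk(3, "{guid-A}", PS, "2026-05-26 14:32:14.000", "198.51.100.7"),  # external, 3s in: alert
    mk(1, "{guid-B}", PS, "2026-05-26 15:00:00.000"),
    mk(3, "{guid-B}", PS, "2026-05-26 15:02:00.000", "203.0.113.9"),   # 120s later: outside window
    mk(3, "{guid-C}", r"C:\Windows\System32\svchost.exe", "2026-05-26 15:03:00.000", "198.51.100.7"),
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print("ALERT", a)
```

Running it produces exactly one alert, for guid-A three seconds after start; the loopback validation fetch, the late connection and the non-PowerShell process are all suppressed, which is the behaviour to confirm before moving the same logic into a Wazuh rule.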

False Positives

  • Admin scripts reaching SaaS APIs

Tuning Recommendations

  • Allowlist known destinations (Graph, Azure mgmt, GitHub raw).

Analyst Triage Notes

  • Pivot on DestinationIp reputation.

Detection Improvement Ideas

  • Add JA3/JA4 fingerprinting via Zeek for TLS context.

log analysis layer

Detection is not complete until the logs prove what happened. The sections below show the telemetry produced by the validation above, how to read it like an analyst, and why this pattern matters.

siem · log evidence

Rule 100713: PowerShell + Outbound Network Correlation (Sysmon/Operational)
Event ID: Sysmon EID 1
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent: C:\Windows\explorer.exe
CommandLine: powershell.exe -c "Invoke-WebRequest http://127.0.0.1 -UseBasicParsing"
User: CORP\j.doe
Agent: WIN10-LAB-01
Timestamp: 2026-05-26T14:32:11Z
Analyst note: Pivot on DestinationIp reputation.

Parent → Child Analysis

explorer.exe → powershell.exe — review whether this lineage is expected for WIN10-LAB-01 and user CORP\j.doe.

Command-Line Flags Observed

  • DownloadString / IWR
    Pulls a remote payload into memory for execution.

Parsed Fields the Analyst Reads

  • Image: Process binary that executed — confirms PowerShell.
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  • ParentImage: Who launched it — context for legitimacy.
    C:\Windows\explorer.exe
  • CommandLine: Arguments — where attacker intent shows up.
    powershell.exe -c "Invoke-WebRequest http://127.0.0.1 -UseBasicParsing"
  • User: Account context — service vs interactive vs SYSTEM.
    CORP\j.doe
  • EventID: Telemetry channel and event type.
    Sysmon EID 1
  • Wazuh Rule ID: Rule that matched and produced this alert.
    100713
  • Agent: Endpoint that produced the telemetry.
    WIN10-LAB-01
  • Timestamp: When it happened — anchor for correlation.
    2026-05-26T14:32:11Z

Malicious Pattern

pattern
PowerShell + Outbound Network Correlation
description
A stager downloads next-stage shellcode within seconds of spawning.
analyst takeaway
Forces the adversary into a behavior they cannot easily hide. Treat this signal as higher-risk when combined with suspicious parents, hidden windows, download cradles, or unusual user context.

proof the detection worked

test command
powershell.exe -c "Invoke-WebRequest http://127.0.0.1 -UseBasicParsing"
expected event
Sysmon EID 1 on WIN10-LAB-01 with Image=powershell.exe and the validation command above in CommandLine.
expected wazuh alert
Wazuh rule 100713 — "PowerShell + Outbound Network Correlation" fires at a level matching severity=high.
confirming log fields
Image, ParentImage, CommandLine, User, EventID
analyst interpretation
The recorded fields satisfy every clause of the detection logic. Parent process, user context, and command-line arguments together prove the behavior was observed end to end.
conclusion
Detection succeeded: telemetry was captured, the rule matched, and the alert reached the analyst with enough context to triage.