PowerShell Detection Engineering Lab
Detecting attacker abuse of PowerShell before privilege escalation or persistence.
Mission — interrupt attacker progression early by detecting suspicious PowerShell behavior using Windows-native logging, Sysmon, Wazuh, and analyst-driven log interpretation.
Every tool in this lab supports the cycle Learn, Build, Secure, Test, Improve — each phase has a purpose and a toolset.
- MITRE ATT&CK T1059.001
- Windows Internals
- IOA concepts
- Windows Event Logs
- PowerShell Logging
- Sysmon
- Wazuh Agent
- Wazuh Manager
- Group Policy
- Windows security policy
- Endpoint hardening
- Atomic Red Team
- Safe PowerShell validation
- VMware lab
- Log analysis
- Wazuh rule tuning
- Detection confidence scoring
- ATT&CK chain correlation
Immediate High-Value Detections
Simple, high-signal detections that catch common PowerShell abuse early.
Detecting PowerShell EncodedCommand Abuse
Catch base64-encoded PowerShell payloads — a hallmark of loaders, droppers, and post-exploitation frameworks.
Detecting Invoke-Expression (IEX) Misuse
Flag Invoke-Expression / IEX patterns that execute downloaded or in-memory strings.
Detecting DownloadString / Invoke-WebRequest Staging
Surface PowerShell pulling remote payloads via WebClient or IWR.
Detecting Hidden-Window PowerShell
PowerShell launched with -WindowStyle Hidden is rarely benign on workstations.
Detecting -ExecutionPolicy Bypass
Catch attempts to neutralize ExecutionPolicy from the command line.
Detecting Office Applications Spawning PowerShell
Word/Excel/Outlook spawning powershell.exe is a textbook macro-payload pattern.
Contextual Correlation
Combine PowerShell behavior with surrounding system and network context.
PowerShell + Outbound Network Correlation
Correlate a PowerShell process with its first external network connection.
PowerShell + Persistence Indicator Correlation
Tie PowerShell execution to Run-key writes, scheduled tasks, or service installs.
Suspicious Parent/Child Process Relationships
Detect anomalous lineage like services.exe → powershell.exe or w3wp.exe → powershell.exe.
Office → Script Interpreter Execution Chains
Office → wscript/cscript/mshta → powershell is a textbook delivery chain.
Advanced Detection Engineering
Evasive and memory-based tradecraft: AMSI, reflection, entropy, chains.
Detecting AMSI Bypass Attempts
Identify in-script AMSI tampering patterns.
Detecting .NET Reflection Loading in PowerShell
Catch [Reflection.Assembly]::Load and friends used to run in-memory .NET.
Memory-Only PowerShell Execution
Detect VirtualAlloc/CreateThread patterns used for fileless shellcode.
Obfuscation Scoring of PowerShell Script Blocks
Score script blocks for obfuscation heuristics (backticks, char arrays, splatting).
Entropy Analysis on Decoded PowerShell Payloads
Flag high-entropy decoded blobs likely to be packed shellcode.
End-to-End ATT&CK Chain Correlation
Stitch multiple weak signals into one high-confidence chain alert.