Suspicious Non-Interactive PowerShell Process Creation
Detects PowerShell processes spawned by non-interactive parent processes, potentially indicating malicious script execution or automation bypassing user interaction.
This detection identifies instances of PowerShell (powershell.exe or pwsh.exe) being launched by parent processes typically associated with non-interactive or automated execution environments. This scenario can be indicative of malicious activity where attackers leverage PowerShell for command execution, script deployment, or lateral movement without requiring direct user interaction. This activity is often seen when adversaries attempt to bypass traditional security measures that rely on user-initiated processes. The detection specifically focuses on identifying PowerShell processes with parent processes such as explorer.exe, CompatTelRunner.exe, SetupHost.exe (during Windows updates), or processes related to VS Code or Windows Terminal, after excluding common benign scenarios.
Attack Chain
- Initial Access: An attacker gains initial access to the system through an exploit, or other means (not covered in the source).
- Privilege Escalation (Optional): The attacker may use exploits or other techniques to elevate privileges to gain SYSTEM or administrator rights.
- Non-Interactive Process Spawn: A non-interactive process such as
explorer.exeorCompatTelRunner.exespawns a PowerShell process (powershell.exeorpwsh.exe). - PowerShell Execution: The PowerShell process executes malicious commands or scripts, potentially downloaded from an external source or embedded within the initial exploit.
- Defense Evasion: PowerShell is used to disable security controls, bypass execution policies, or obfuscate malicious code.
- Lateral Movement: PowerShell is leveraged to move laterally to other systems within the network by using techniques such as WMI or SMB.
- Command and Control: The compromised system connects to a command and control server using PowerShell to establish a persistent backdoor.
- Data Exfiltration/Ransomware: The attacker uses PowerShell to exfiltrate sensitive data or deploy ransomware across the network.
Impact
Successful exploitation can lead to a wide range of malicious activities, including data theft, system compromise, and ransomware deployment. The impact can range from minor data breaches to complete network compromise, depending on the attacker's objectives and the organization's security posture. Affected systems may be rendered unusable, resulting in significant financial and reputational damage.
Recommendation
- Deploy the Sigma rule "Suspicious Non-Interactive PowerShell Process Creation" to your SIEM (Security Information and Event Management) to detect potential malicious PowerShell execution.
- Investigate any alerts generated by the Sigma rule, paying close attention to the parent process and the executed PowerShell commands.
- Enable and review process creation logs in Windows to provide the necessary data for the Sigma rule to function effectively.
- Consider implementing PowerShell Constrained Language Mode to limit the capabilities of PowerShell and prevent malicious scripts from executing (reference the general technique of restricting PowerShell usage).
- Harden endpoints to prevent initial access using standard security best practices.
Detection coverage 2
Suspicious Non-Interactive PowerShell Process Creation
mediumDetects non-interactive PowerShell activity by looking at the powershell process with a non-user GUI process as a parent.
PowerShell from Windows Update SetupHost.exe
lowDetects PowerShell spawned from SetupHost.exe during Windows updates, which can be abused.
Detection queries are available on the platform. Get full rules →