Synopsis

| Field | Value |
|---|---|
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 8 Hours |
| Required Data | |
| Detection Modules | |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Informational |
Description
A non-PowerShell process loaded a known PowerShell module. This image load may be an indication of PowerShell execution without directly invoking the PowerShell.exe binary.
Attacker's Goals
An attacker is attempting to run PowerShell without PowerShell.exe to evade detection.
Investigative actions
Investigate the process and the command line it executed, and determine whether this behaviour is benign or normal for this host.
Variations
- Suspicious unsigned process loads a known PowerShell module
- Office process loads a known PowerShell DLL
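The following is an added illustration of the detection logic described above and its two variations; it is not the vendor's detector. It runs over a handful of constructed image-load events (the shape of a Sysmon Event ID 7 record), flags loads of a PowerShell engine assembly by any process that is not a PowerShell host, applies the 8-hour deduplication window per host and process image, and labels each alert with the matching variation. The module list, host-process list and Office process list are assumptions: System.Management.Automation.dll is the real PowerShell engine assembly, but the exact set the product matches on is not given on the page.

```python
from datetime import datetime, timedelta

# Assumption: PowerShell engine assemblies that count as a "known PowerShell module".
# System.Management.Automation.dll is the real engine DLL; the full list the product
# uses is not stated on the page.
POWERSHELL_MODULES = {
    "system.management.automation.dll",
    "system.management.automation.ni.dll",
    "microsoft.powershell.commands.utility.dll",
}

# Assumption: processes that are expected to host the PowerShell engine.
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# Assumption: Office processes used for the "Office process" variation.
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Deduplication period from the synopsis table.
DEDUP_WINDOW = timedelta(hours=8)


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_suspicious_load(event):
    """True when a non-PowerShell process loads a known PowerShell module."""
    return (basename(event["loaded_module"]) in POWERSHELL_MODULES
            and basename(event["image"]) not in POWERSHELL_HOSTS)


def variation_for(event):
    """Name the page's variation that applies; 'generic' when neither does."""
    if basename(event["image"]) in OFFICE_PROCESSES:
        return "Office process loads a known PowerShell DLL"
    if not event["signed"]:
        return "unsigned process loads a known PowerShell module"
    return "non-PowerShell process loads a known PowerShell module"


def detect(events):
    """Return one alert per (host, image) at most every DEDUP_WINDOW."""
    last_alert = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if not is_suspicious_load(ev):
            continue
        key = (ev["host"], basename(ev["image"]))
        prev = last_alert.get(key)
        if prev is not None and ev["time"] - prev < DEDUP_WINDOW:
            continue  # suppressed by the deduplication period
        last_alert[key] = ev["time"]
        alerts.append({
            "time": ev["time"],
            "host": ev["host"],
            "image": ev["image"],
            "module": basename(ev["loaded_module"]),
            "variation": variation_for(ev),
        })
    return alerts


# Constructed sample events (not real telemetry).
AUTOMATION_DLL = r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\System.Management.Automation.dll"
SAMPLE_EVENTS = [
    # Normal: PowerShell itself loads its engine.
    {"time": datetime(2024, 1, 1, 8, 0), "host": "WS01", "signed": True,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "loaded_module": AUTOMATION_DLL},
    # Unsigned binary in a user-writable path loads the engine: alert.
    {"time": datetime(2024, 1, 1, 8, 5), "host": "WS01", "signed": False,
     "image": r"C:\Users\Public\updater.exe", "loaded_module": AUTOMATION_DLL},
    # Same host and image 55 minutes later: inside the 8-hour window, suppressed.
    {"time": datetime(2024, 1, 1, 9, 0), "host": "WS01", "signed": False,
     "image": r"C:\Users\Public\updater.exe", "loaded_module": AUTOMATION_DLL},
    # Office process loads the engine on another host: alert.
    {"time": datetime(2024, 1, 1, 10, 0), "host": "WS02", "signed": True,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "loaded_module": AUTOMATION_DLL},
    # Unrelated library load: ignored.
    {"time": datetime(2024, 1, 1, 11, 0), "host": "WS01", "signed": True,
     "image": r"C:\Windows\System32\notepad.exe",
     "loaded_module": r"C:\Windows\System32\kernel32.dll"},
    # Same unsigned image nine hours after the first alert: window expired, alert again.
    {"time": datetime(2024, 1, 1, 17, 5), "host": "WS01", "signed": False,
     "image": r"C:\Users\Public\updater.exe", "loaded_module": AUTOMATION_DLL},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["time"], alert["host"], alert["image"], "->", alert["variation"])
```

Running the block on the constructed events yields three alerts: the unsigned `updater.exe` at 08:05, `WINWORD.EXE` at 10:00, and `updater.exe` again at 17:05 once the deduplication window has elapsed; the 09:00 repeat and the two benign loads produce nothing. A real deployment would key deduplication on the product's own identifiers rather than on the image name alone.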