Suspicious process loads a known PowerShell module

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-06-04
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

8 Hours

Required Data

  • Requires:
    • XDR Agent

Detection Modules

ATT&CK Tactic

Execution (TA0002)

ATT&CK Technique

Command and Scripting Interpreter: PowerShell (T1059.001)

Severity

Informational

Description

A non-PowerShell process loaded a known PowerShell module. This image load may be an indication of PowerShell execution without directly invoking the PowerShell.exe binary.

Attacker's Goals

An attacker is attempting to run PowerShell without PowerShell.exe to evade detection.

Investigative actions

Investigate the process and command line executed and whether it's benign or normal for this host.

Variations

Suspicious unsigned process loads a known PowerShell module

Synopsis

ATT&CK Tactic

Execution (TA0002)

ATT&CK Technique

Command and Scripting Interpreter: PowerShell (T1059.001)

Severity

Low

Description

A non-PowerShell process loaded a known PowerShell module. This image load may be an indication of PowerShell execution without directly invoking the PowerShell.exe binary.

Attacker's Goals

An attacker is attempting to run PowerShell without PowerShell.exe to evade detection.

Investigative actions

Investigate the process and command line executed and whether it's benign or normal for this host.


Office process loads a known PowerShell DLL

Synopsis

ATT&CK Tactic

Execution (TA0002)

ATT&CK Technique

Command and Scripting Interpreter: PowerShell (T1059.001)

Severity

High

Description

A Microsoft Office process loaded a known PowerShell module. This image load may be a sign of PowerShell execution without directly invoking the PowerShell.exe binary.

Attacker's Goals

An attacker is attempting to run PowerShell without PowerShell.exe to evade detection.

Investigative actions

Investigate the process and command line executed and whether it's benign or normal for this host.