Synopsis
Activation Period |
14 Days |
Training Period |
30 Days |
Test Period |
N/A (single event) |
Deduplication Period |
1 Hour |
Required Data |
|
Detection Modules |
|
Detector Tags |
|
ATT&CK Tactic |
|
ATT&CK Technique |
|
Severity |
Low |
Description
Attackers often leverage PowerShell one-liners, in which PowerShell is executed with suspicious options on the command line.
Attacker's Goals
Gain code execution on the host.
Investigative actions
Check whether the command line executed is benign or normal for the host and/or user performing it. For example, the command line may be an administrative script.