Adversaries can run PowerShell without ever starting powershell.exe or pwsh.exe: any process that loads the PowerShell engine (System.Management.Automation.dll, or its native image System.Management.Automation.ni.dll) can execute PowerShell code in-process, which is exactly what Meterpreter's "load powershell" extension and PowerShdll do. This "unmanaged PowerShell" sidesteps detections keyed on the process name, although script block logging (which lives in the engine itself) still applies. The rule below catches the engine DLL being loaded by anything other than a known PowerShell host; SOC teams should hunt for this in Microsoft Sentinel (formerly Azure Sentinel) using the DeviceImageLoadEvents translation further down, because such loads are a common stage of command-and-control and persistence tooling.
Detection Rule
title: PowerShell Core DLL Loaded By Non PowerShell Process
id: 092bc4b9-3d1d-43b4-a6b4-8c8acd83522f
related:
    - id: 867613fb-fa60-4497-a017-a82df74a172c
      type: obsolete
    - id: fe6e002f-f244-4278-9263-20e4b593827f
      type: obsolete
status: test
description: |
    Detects loading of essential DLLs used by PowerShell by non-PowerShell process.
    Detects behavior similar to meterpreter's "load powershell" extension.
references:
    - https://adsecurity.org/?p=2921
    - https://github.com/p3nt4/PowerShdll
author: Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2019-11-14
modified: 2025-10-07
tags:
    - attack.t1059.001
    - attack.execution
logsource:
    category: image_load
    product: windows
detection:
    selection:
        - Description: 'System.Management.Automation'
        - OriginalFileName: 'System.Management.Automation.dll'
        - ImageLoaded|endswith:
              - '\System.Management.Automation.dll'
              - '\System.Management.Automation.ni.dll'
    filter_main_powershell:
        Image:
            - 'C:\Program Files\PowerShell\7-preview\pwsh.exe' # PowerShell 7 preview
            - 'C:\Program Files\PowerShell\7\pwsh.exe' # PowerShell 7
            - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
            - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
            - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
            - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
    filter_main_pwsh_preview:
        Image|contains:
            - 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
            - '\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview'
        Image|endswith: '\pwsh.exe'
    filter_main_generic:
        Image:
            - 'C:\Windows\System32\dsac.exe'
            - 'C:\WINDOWS\System32\RemoteFXvGPUDisablement.exe'
            - 'C:\Windows\System32\runscripthelper.exe'
            - 'C:\WINDOWS\System32\sdiagnhost.exe'
            - 'C:\Windows\System32\ServerManager.exe'
            - 'C:\Windows\System32\SyncAppvPublishingServer.exe'
            - 'C:\Windows\System32\winrshost.exe'
            - 'C:\Windows\System32\wsmprovhost.exe'
            - 'C:\Windows\SysWOW64\winrshost.exe'
            - 'C:\Windows\SysWOW64\wsmprovhost.exe'
    filter_main_dotnet:
        Image|startswith:
            - 'C:\Windows\Microsoft.NET\Framework\'
            - 'C:\Windows\Microsoft.NET\FrameworkArm\'
            - 'C:\Windows\Microsoft.NET\FrameworkArm64\'
            - 'C:\Windows\Microsoft.NET\Framework64\'
        Image|endswith: '\mscorsvw.exe'
    filter_optional_sql_server_mgmt:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft SQL Server Management Studio'
            - 'C:\Program Files\Microsoft SQL Server Management Studio'
        Image|endswith: '\IDE\Ssms.exe'
    filter_optional_sql_server_tools:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft SQL Server\'
            - 'C:\Program Files\Microsoft SQL Server\'
        Image|endswith: '\Tools\Binn\SQLPS.exe'
    filter_optional_citrix:
        Image|endswith: '\Citrix\ConfigSync\ConfigSyncRun.exe'
    filter_optional_vs:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft Visual Studio\'
            - 'C:\Program Files\Microsoft Visual Studio\'
    filter_optional_chocolatey:
        Image|startswith: 'C:\ProgramData\chocolatey\choco.exe'
    filter_optional_nextron:
        Image|startswith: 'C:\Windows\Temp\asgard2-agent\'
        Image|endswith:
            - '\thor64.exe'
            - '\thor.exe'
        # User: 'NT AUTHORITY\SYSTEM' # if set, matches all powershell processes not launched by SYSTEM
    filter_optional_aurora:
        # This filter is to avoid a race condition FP with this specific ETW provider in aurora
        Image: null
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Used by some .NET binaries, minimal on user workstation.
    - Used by Microsoft SQL Server Management Studio
level: medium
Advanced hunting (Microsoft Defender for Endpoint / Microsoft Sentinel) translation of the rule. One caveat before relying on it: the converter mapped the rule's Description and OriginalFileName selectors onto InitiatingProcessVersionInfoFileDescription and InitiatingProcessVersionInfoOriginalFileName, which describe the process doing the loading, not the DLL being loaded. In practice the two FolderPath clauses are what match the loads described above; the first two clauses are harmless but do not add coverage.
DeviceImageLoadEvents
| where InitiatingProcessVersionInfoFileDescription =~ "System.Management.Automation"
    or InitiatingProcessVersionInfoOriginalFileName =~ "System.Management.Automation.dll"
    or FolderPath endswith "\\System.Management.Automation.dll"
    or FolderPath endswith "\\System.Management.Automation.ni.dll"
// filter_main_powershell
| where not(InitiatingProcessFolderPath in~ ("C:\\Program Files\\PowerShell\\7-preview\\pwsh.exe", "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell_ise.exe", "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"))
// filter_main_pwsh_preview
| where not((InitiatingProcessFolderPath contains "C:\\Program Files\\WindowsApps\\Microsoft.PowerShellPreview"
    or InitiatingProcessFolderPath contains "\\AppData\\Local\\Microsoft\\WindowsApps\\Microsoft.PowerShellPreview")
    and InitiatingProcessFolderPath endswith "\\pwsh.exe")
// filter_main_generic
| where not(InitiatingProcessFolderPath in~ ("C:\\Windows\\System32\\dsac.exe", "C:\\WINDOWS\\System32\\RemoteFXvGPUDisablement.exe",
    "C:\\Windows\\System32\\runscripthelper.exe", "C:\\WINDOWS\\System32\\sdiagnhost.exe", "C:\\Windows\\System32\\ServerManager.exe",
    "C:\\Windows\\System32\\SyncAppvPublishingServer.exe", "C:\\Windows\\System32\\winrshost.exe", "C:\\Windows\\System32\\wsmprovhost.exe",
    "C:\\Windows\\SysWOW64\\winrshost.exe", "C:\\Windows\\SysWOW64\\wsmprovhost.exe"))
// filter_main_dotnet
| where not((InitiatingProcessFolderPath startswith "C:\\Windows\\Microsoft.NET\\Framework\\"
    or InitiatingProcessFolderPath startswith "C:\\Windows\\Microsoft.NET\\FrameworkArm\\"
    or InitiatingProcessFolderPath startswith "C:\\Windows\\Microsoft.NET\\FrameworkArm64\\"
    or InitiatingProcessFolderPath startswith "C:\\Windows\\Microsoft.NET\\Framework64\\")
    and InitiatingProcessFolderPath endswith "\\mscorsvw.exe")
// filter_optional_sql_server_mgmt
| where not((InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft SQL Server Management Studio"
    or InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft SQL Server Management Studio")
    and InitiatingProcessFolderPath endswith "\\IDE\\Ssms.exe")
// filter_optional_sql_server_tools
| where not((InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft SQL Server\\"
    or InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft SQL Server\\")
    and InitiatingProcessFolderPath endswith "\\Tools\\Binn\\SQLPS.exe")
// filter_optional_citrix
| where not(InitiatingProcessFolderPath endswith "\\Citrix\\ConfigSync\\ConfigSyncRun.exe")
// filter_optional_vs
| where not(InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft Visual Studio\\"
    or InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft Visual Studio\\")
// filter_optional_chocolatey
| where not(InitiatingProcessFolderPath startswith "C:\\ProgramData\\chocolatey\\choco.exe")
// filter_optional_nextron
| where not(InitiatingProcessFolderPath startswith "C:\\Windows\\Temp\\asgard2-agent\\"
    and (InitiatingProcessFolderPath endswith "\\thor64.exe" or InitiatingProcessFolderPath endswith "\\thor.exe"))
// filter_optional_aurora (Image: null)
| where not(isnull(InitiatingProcessFolderPath))
Scenario: Scheduled Task Running PowerShell Script
Description: A scheduled task whose action is powershell.exe or pwsh.exe does not trigger this rule: those hosts are already excluded by filter_main_powershell, whatever their parent. The rule fires only when the task's action is some other binary that hosts the PowerShell engine itself (a vendor tool or a custom .NET host).
Filter/Exclusion: Exclude that host by its full path, after confirming the binary and its signer. Do not exclude on the parent process (schtasks.exe, the Schedule service's svchost.exe, or powershell.exe): the rule matches on the process that loads the DLL, and an attacker chooses their parent freely.
Example Filter: process.executable == "C:\\Program Files\\<Vendor>\\<TaskHost>.exe" (placeholder path; replace with the confirmed binary)
Scenario: System Update or Patching Tool Using PowerShell DLLs
Description: Deployment and update tooling (e.g., SCCM / Microsoft Endpoint Manager client components, installer bootstrappers) may host the PowerShell engine to run deployment scripts in-process, and so loads System.Management.Automation.dll without starting powershell.exe.
Filter/Exclusion: Exclude only the specific, signed binaries you observe, keyed on their full path. Do not exclude bare names such as wuauclt.exe, msiexec.exe or setup.exe: msiexec.exe is a routinely abused Windows binary, "setup.exe" is whatever name an installer (or a dropper) picks, and a name-only exclusion is a free bypass for anyone who can write a file.
Example Filter: process.executable == "C:\\Program Files\\<Vendor>\\<UpdateAgent>.exe" (placeholder path; replace with the confirmed binary)
Scenario: Administrative Application Hosting the PowerShell Engine
Description: Management applications can embed the PowerShell engine through the System.Management.Automation hosting API instead of spawning powershell.exe, so the engine DLL is loaded by the application's own process and, from the rule's point of view, looks exactly like the attack. SQL Server's SQLPS.exe and SQL Server Management Studio are the canonical cases and are already covered by filter_optional_sql_server_tools and filter_optional_sql_server_mgmt.
Filter/Exclusion: For other such hosts, add a filter_optional_* entry keyed on the full path. Do not exclude generic Windows host processes (taskhost.exe, svchost.exe, rundll32.exe) by name: those are precisely the processes that get injected or abused to run unmanaged PowerShell.
Example Filter: process.executable == "C:\\Program Files\\<Vendor>\\<ManagementConsole>.exe" (placeholder path; replace with the confirmed binary)
Scenario: Third-Party Monitoring or Logging Tool Using PowerShell DLLs
Description: A third-party monitoring or logging agent (e.g., Splunk with PowerShell-based inputs, or a custom collection agent) may host the PowerShell engine to run its collection scripts in-process.
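To make the rule's logic and the tuning advice above concrete, here is an added example (not part of the Sigma project or this page's original content) that evaluates the rule exactly as written against a handful of constructed Sysmon Event ID 7 records, then shows how a candidate exclusion from the "update tool" scenario behaves. It implements the Sigma semantics the rule relies on: a list of maps under selection is OR'ed, keys inside one map are AND'ed, list values are OR'ed, string comparisons are case-insensitive, and `Image: null` matches only a record with no Image field. All sample records, paths and file names are constructed for the example; the one GAC-style DLL path is merely illustrative.

```python
"""Evaluate the Sigma rule on this page against constructed Sysmon Event ID 7
(ImageLoad) records, then test how a candidate exclusion behaves.
Added example code; not part of the Sigma project."""

# 'selection' from the rule: a list of maps is OR'ed; 'Field|modifier' picks the comparison.
SELECTION = [
    {"Description": ["System.Management.Automation"]},
    {"OriginalFileName": ["System.Management.Automation.dll"]},
    {"ImageLoaded|endswith": ["\\System.Management.Automation.dll",
                              "\\System.Management.Automation.ni.dll"]},
]

# filter_main_* and filter_optional_* from the rule. Keys inside one map are AND'ed.
FILTERS = {
    "filter_main_powershell": {"Image": [
        "C:\\Program Files\\PowerShell\\7-preview\\pwsh.exe", "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
        "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe",
        "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell_ise.exe",
        "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"]},
    "filter_main_pwsh_preview": {
        "Image|contains": ["C:\\Program Files\\WindowsApps\\Microsoft.PowerShellPreview",
                           "\\AppData\\Local\\Microsoft\\WindowsApps\\Microsoft.PowerShellPreview"],
        "Image|endswith": ["\\pwsh.exe"]},
    "filter_main_generic": {"Image": [
        "C:\\Windows\\System32\\dsac.exe", "C:\\WINDOWS\\System32\\RemoteFXvGPUDisablement.exe",
        "C:\\Windows\\System32\\runscripthelper.exe", "C:\\WINDOWS\\System32\\sdiagnhost.exe",
        "C:\\Windows\\System32\\ServerManager.exe", "C:\\Windows\\System32\\SyncAppvPublishingServer.exe",
        "C:\\Windows\\System32\\winrshost.exe", "C:\\Windows\\System32\\wsmprovhost.exe",
        "C:\\Windows\\SysWOW64\\winrshost.exe", "C:\\Windows\\SysWOW64\\wsmprovhost.exe"]},
    "filter_main_dotnet": {
        "Image|startswith": ["C:\\Windows\\Microsoft.NET\\Framework\\", "C:\\Windows\\Microsoft.NET\\FrameworkArm\\",
                             "C:\\Windows\\Microsoft.NET\\FrameworkArm64\\", "C:\\Windows\\Microsoft.NET\\Framework64\\"],
        "Image|endswith": ["\\mscorsvw.exe"]},
    "filter_optional_sql_server_mgmt": {
        "Image|startswith": ["C:\\Program Files (x86)\\Microsoft SQL Server Management Studio",
                             "C:\\Program Files\\Microsoft SQL Server Management Studio"],
        "Image|endswith": ["\\IDE\\Ssms.exe"]},
    "filter_optional_sql_server_tools": {
        "Image|startswith": ["C:\\Program Files (x86)\\Microsoft SQL Server\\", "C:\\Program Files\\Microsoft SQL Server\\"],
        "Image|endswith": ["\\Tools\\Binn\\SQLPS.exe"]},
    "filter_optional_citrix": {"Image|endswith": ["\\Citrix\\ConfigSync\\ConfigSyncRun.exe"]},
    "filter_optional_vs": {"Image|startswith": ["C:\\Program Files (x86)\\Microsoft Visual Studio\\",
                                                "C:\\Program Files\\Microsoft Visual Studio\\"]},
    "filter_optional_chocolatey": {"Image|startswith": ["C:\\ProgramData\\chocolatey\\choco.exe"]},
    "filter_optional_nextron": {"Image|startswith": ["C:\\Windows\\Temp\\asgard2-agent\\"],
                                "Image|endswith": ["\\thor64.exe", "\\thor.exe"]},
    "filter_optional_aurora": {"Image": [None]},   # 'Image: null' -> record carries no Image
}

def _match(value, pattern, mode):
    """Sigma string comparison: case-insensitive; a missing value only matches a null pattern."""
    if value is None or pattern is None:
        return value is None and pattern is None
    v, p = value.lower(), pattern.lower()
    return {"eq": v == p, "contains": p in v,
            "startswith": v.startswith(p), "endswith": v.endswith(p)}[mode]

def _map_matches(event, mapping):
    """Every key of a Sigma map must match (AND); a list of values is OR."""
    for key, patterns in mapping.items():
        field, _, mod = key.partition("|")
        if not any(_match(event.get(field), p, mod or "eq") for p in patterns):
            return False
    return True

def rule_matches(event, extra_filters=()):
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    if not any(_map_matches(event, m) for m in SELECTION):
        return False
    return not any(_map_matches(event, f) for f in (*FILTERS.values(), *extra_filters))

def alerting_images(events, extra_filters=()):
    """Image paths of the records that would raise an alert."""
    return [e["Image"] for e in events if rule_matches(e, extra_filters)]

# Constructed Sysmon Event 7 records with the fields the rule inspects (illustrative DLL path).
SMA_DLL = ("C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Management.Automation\\"
           "v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll")

def _event(image, loaded=SMA_DLL):
    return {"Image": image, "ImageLoaded": loaded, "Description": "System.Management.Automation",
            "OriginalFileName": "System.Management.Automation.dll"}

SAMPLE_EVENTS = [
    _event("C:\\Program Files\\PowerShell\\7\\pwsh.exe"),                          # real PowerShell host
    _event("C:\\Windows\\System32\\rundll32.exe"),                                  # PowerShdll-style host
    _event("C:\\Program Files\\Microsoft SQL Server Management Studio 18\\Common7\\IDE\\Ssms.exe"),
    _event("C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorsvw.exe"),    # NGEN service
    _event(None),                                                                   # Aurora race condition
    _event("C:\\Users\\bob\\AppData\\Local\\Temp\\msiexec.exe"),                     # dropper named like a LOLBin
]

# Candidate exclusions for the "update tool" scenario: bare file name versus full path.
NAME_ONLY_EXCLUSION = {"Image|endswith": ["\\msiexec.exe"]}
FULL_PATH_EXCLUSION = {"Image": ["C:\\Windows\\System32\\msiexec.exe"]}

if __name__ == "__main__":
    print("baseline :", alerting_images(SAMPLE_EVENTS))                         # rundll32 + temp msiexec
    print("name-only:", alerting_images(SAMPLE_EVENTS, [NAME_ONLY_EXCLUSION]))  # dropper silently dropped
    print("full-path:", alerting_images(SAMPLE_EVENTS, [FULL_PATH_EXCLUSION]))  # dropper still alerts
```

Running the script shows the baseline rule alerting on the rundll32.exe host and on the user-writable msiexec.exe copy while pwsh.exe, Ssms.exe, mscorsvw.exe and the Image-less Aurora record are all absorbed by the rule's own filters. The name-only exclusion then hides the dropper, whereas the full-path exclusion keeps it visible, which is the reason the tuning scenarios above insist on excluding by full path rather than by file name.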