Adversaries may use interactive PowerShell in the SYSTEM context to execute commands stealthily and maintain persistence. SOC teams should proactively hunt for this behavior to identify potential privilege escalation or lateral movement tactics in their Azure Sentinel environment.
Detection Rule
title: Suspicious Interactive PowerShell as SYSTEM
id: 5b40a734-99b6-4b98-a1d0-1cea51a08ab2
status: test
description: Detects the creation of files that indicate an interactive use of PowerShell in the SYSTEM user context
references:
    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/PowerSploit_Invoke-Mimikatz.htm
author: Florian Roth (Nextron Systems)
date: 2021-12-07
modified: 2022-08-13
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename:
            - 'C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
            - 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive'
    condition: selection
falsepositives:
    - Administrative activity
    - PowerShell scripts running as SYSTEM user
level: high
Azure Sentinel Query
imFileEvent
| where TargetFileName in~ ("C:\\Windows\\System32\\config\\systemprofile\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt", "C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\StartupProfileData-Interactive")
False Positive Scenarios
Scenario: Scheduled Task Running PowerShell as SYSTEM
Description: A legitimate scheduled task uses PowerShell to perform system maintenance, such as updating software or cleaning up logs.
Filter/Exclusion: Exclude processes initiated by scheduled tasks (e.g., schtasks.exe) or check for the presence of a .job file in the Task Scheduler directory.
Scenario: System File Integrity Check Using PowerShell
Description: A security tool or script runs PowerShell as SYSTEM to verify the integrity of system files using tools like DISM or sfc /scannow.
Filter/Exclusion: Exclude processes that match known integrity check commands or are initiated by trusted security software (e.g., Microsoft Defender ATP).
Scenario: PowerShell Script for System Configuration via Group Policy
Description: A Group Policy Object (GPO) triggers a PowerShell script that runs under SYSTEM context to configure system settings.
Filter/Exclusion: Exclude processes initiated by Group Policy (gpupdate.exe or gpolusr.exe) or check for the presence of a GPO-related script path.
Scenario: PowerShell Used for System Updates via Windows Update
Description: Windows Update may use PowerShell scripts to install updates, which could be flagged as interactive PowerShell under SYSTEM.
Filter/Exclusion: Exclude processes that originate from the Windows Update service (svchost.exe with svchost -k netsvcs) or check for known Windows Update script paths.
Scenario: PowerShell Used for System Monitoring by IT Admins
Description: An IT administrator uses PowerShell to monitor system performance or collect logs, running scripts under SYSTEM for elevated access.
Filter/Exclusion: Exclude processes initiated by known admin tools (e.g., PowerShell.exe launched from taskmgr.exe or mmc.exe) or check for user-defined admin script directories.
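As an added example (not the Sigma project's or the page author's code), the following applies the rule's file-path selection to constructed Sysmon Event ID 11 (FileCreate) records, with the same case-insensitive matching the Sentinel `in~` operator gives, and then layers a hypothetical parent-process allowlist on top in the spirit of the scenarios above. The allowlist and the `ParentImage` enrichment field are assumptions: FileCreate events carry no parent, so it is assumed the record was joined with the matching Event ID 1.

```python
# Target paths from the rule's selection; comparison is lower-cased so it is
# case-insensitive, like the `in~` operator in the Sentinel query.
HISTORY = r"C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"
PROFILE = r"C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive"
SUSPICIOUS_TARGETS = {HISTORY.lower(), PROFILE.lower()}

# Hypothetical tuning allowlist (an assumption, not part of the rule): parent
# images the page's scenarios treat as expected launchers of SYSTEM PowerShell.
# Assumes enrichment with ParentImage from the matching Sysmon Event ID 1.
ALLOWLISTED_PARENTS = {
    r"c:\windows\system32\svchost.exe",   # scheduled tasks, Windows Update service
    r"c:\windows\system32\gpupdate.exe",  # Group Policy scripts
}

def matches_rule(event: dict) -> bool:
    """The Sigma `selection`: TargetFilename equals one of the two paths."""
    return event.get("TargetFilename", "").lower() in SUSPICIOUS_TARGETS

def classify(event: dict) -> str:
    """'alert' for a hit, 'suppressed' for a hit under an allowlisted parent, else 'none'."""
    if not matches_rule(event):
        return "none"
    if event.get("ParentImage", "").lower() in ALLOWLISTED_PARENTS:
        return "suppressed"
    return "alert"

def ev(user: str, parent: str, target: str) -> dict:
    """Build a constructed FileCreate record; Image is fixed to powershell.exe."""
    return {"EventID": 11, "User": user, "ParentImage": parent,
            "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
            "TargetFilename": target}

SAMPLE_EVENTS = [  # constructed sample records
    # interactive SYSTEM console of unknown origin: should alert
    ev(r"NT AUTHORITY\SYSTEM", r"C:\Windows\System32\cmd.exe", HISTORY),
    # same file with different letter case, under a scheduled task: suppressed
    ev(r"NT AUTHORITY\SYSTEM", r"C:\Windows\System32\svchost.exe", PROFILE.lower()),
    # an ordinary user's own history file: outside the rule's scope
    ev(r"CORP\alice", r"C:\Windows\explorer.exe",
       r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"),
]

def triage(events) -> list:
    """Return the verdict for each event, in input order."""
    return [classify(e) for e in events]

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(f"{verdict:10s} {event['User']:22s} {event['TargetFilename']}")
```

Note that the suppression keys on the parent process rather than on the file path, so an allowlisted launcher still leaves the underlying SYSTEM history file in the logs for later hunting.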