text code block:host.os.type:windows and event.category:library and dll.name:("System.Management.Automation.dll" or "System.Management.Automation.ni.dll") and not ( process.code_signature.subject_name:( "Microsoft Corporation" or "Microsoft Dynamic Code Publisher" or "Microsoft Windows" ) and process.code_signature.trusted:true and not process.name.caseless:"regsvr32.exe" ) and not ( process.executable:(C\:\\Program*Files*\(x86\)\\*.exe or C\:\\Program*Files\\*.exe) and process.code_signature.trusted:true ) and not ( process.executable: C\:\\Windows\\Lenovo\\*.exe and process.code_signature.subject_name:"Lenovo" and process.code_signature.trusted:true ) and not ( process.executable: C\:\\Windows\\AdminArsenal\\PDQInventory-Scanner\\service-*\\exec\\PDQInventoryScanner.exe and process.code_signature.subject_name:"PDQ.com Corporation" and process.code_signature.trusted:true ) and not ( process.name: (_is*.exe or "DellInstaller_x64.exe") and process.code_signature.subject_name:("Dell Technologies Inc." or "Dell Inc" or "Dell Inc.") and process.code_signature.trusted:true ) and not ( process.executable: C\:\\ProgramData\\chocolatey\\* and process.code_signature.subject_name:("Chocolatey Software, Inc." or "Chocolatey Software, Inc") and process.code_signature.trusted:true ) and not ( process.name: "Docker Desktop Installer.exe" and process.code_signature.subject_name:"Docker Inc" and process.code_signature.trusted:true ) and not process.executable : ( "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" or "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" )
Install detection rules in Elastic Security
Detect Suspicious PowerShell Engine ImageLoad in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).