host.os.type:windows and event.category:library and
dll.name:("System.Management.Automation.dll" or "System.Management.Automation.ni.dll") and
not (
process.code_signature.subject_name:("Microsoft Corporation" or "Microsoft Dynamic Code Publisher" or "Microsoft Windows") and process.code_signature.trusted:true and not process.name.caseless:("regsvr32.exe" or "rundll32.exe")
) and
not (
process.executable.caseless:(C\:\\Program*Files*\(x86\)\\*.exe or C\:\\Program*Files\\*.exe) and
process.code_signature.trusted:true
) and
not (
process.executable.caseless: C\:\\Windows\\Lenovo\\*.exe and process.code_signature.subject_name:"Lenovo" and
process.code_signature.trusted:true
) and
not (
process.executable.caseless: "C:\\ProgramData\\chocolatey\\choco.exe" and
process.code_signature.subject_name:"Chocolatey Software, Inc." and process.code_signature.trusted:true
) and not process.executable.caseless : "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
Install detection rules in Elastic Security
Detect Suspicious PowerShell Engine ImageLoad in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).