PowerShell is one of the most powerful administration tools available in Windows environments. It enables administrators to automate repetitive tasks, manage Active Directory, configure servers, and interact with cloud services. Because of its flexibility and extensive capabilities, PowerShell has become a standard tool in enterprise IT. Unfortunately, attackers also take advantage of these same capabilities to execute commands, download payloads, and perform post-compromise activities.
For Security Operations Center (SOC) analysts, PowerShell logging is an essential source of information during incident investigations. Rather than simply identifying that PowerShell was executed, detailed logs help analysts understand what commands were run, who executed them, and what actions followed. Both the MITRE ATT&CK framework and the NIST Cybersecurity Framework (CSF) emphasize the importance of visibility and monitoring when detecting malicious behavior.
Understanding PowerShell Logging
Windows provides several logging options that improve visibility into PowerShell activity.
Depending on the organization’s configuration, PowerShell logs may capture:
- Process creation events
- Command-line arguments
- Module usage
- Script block execution
- PowerShell operational events
These logs provide valuable information during investigations because they allow analysts to reconstruct what occurred on the endpoint.
For example, knowing that powershell.exe started is useful, but seeing the actual commands that were executed provides significantly more context.
Organizations that enable detailed logging are generally better positioned to investigate suspicious activity than those that rely only on standard process monitoring.
PowerShell and MITRE ATT&CK
The MITRE ATT&CK framework documents T1059.001 – Command and Scripting Interpreter: PowerShell as one of the most common execution techniques.
Attackers frequently use PowerShell because it is installed by default, trusted by Windows, and capable of interacting with many operating system components.
However, PowerShell itself is not malicious.
SOC analysts should instead focus on behaviors such as:
- Encoded commands.
- PowerShell launched by unusual parent processes.
- Network connections immediately after execution.
- PowerShell creating additional child processes.
- Repeated PowerShell execution from unexpected user accounts.
These behaviors often provide stronger evidence of malicious activity than the executable name alone.
NIST Recommendations
The NIST Cybersecurity Framework recommends enabling sufficient logging to support security monitoring and incident response.
Organizations should collect PowerShell logs alongside Windows Security Events, endpoint telemetry, firewall logs, and authentication records.
NIST also recommends protecting log integrity and retaining logs for future investigations. Without reliable logging, analysts may be unable to determine how an attacker executed commands or what actions were performed during an incident.
Combining detailed logging with the Principle of Least Privilege further limits the ability of compromised accounts to abuse administrative tools.
Investigation Tips
When reviewing PowerShell activity, SOC analysts should ask several important questions:
- Which process launched PowerShell?
- Which account executed the commands?
- Were encoded or obfuscated commands used?
- Did the process communicate with external systems?
- Were additional MITRE ATT&CK techniques observed afterwards?
Correlating PowerShell logs with EDR telemetry, authentication events, DNS activity, and firewall logs provides valuable context and supports more accurate investigations.
Conclusion
PowerShell remains one of the most valuable administrative tools in Windows environments, but it is also one of the most frequently abused by attackers. Enabling and monitoring PowerShell logging provides organizations with the visibility needed to distinguish legitimate administration from malicious activity.
By combining detailed PowerShell logs with the behavioral guidance of the MITRE ATT&CK framework and the monitoring recommendations of the NIST Cybersecurity Framework, SOC analysts can improve threat detection, reduce false positives, and conduct more effective incident investigations. Strong visibility into PowerShell activity is an essential component of modern enterprise security.