title: Accessing WinAPI in PowerShell. Code Injection.
id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50
status: test
description: Detecting Code injection with PowerShell in another process
author: Nikita Nazarov, oscd.community
references:
  - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
date: 2020/10/06
modified: 2021/11/27
logsource:
  product: windows
  category: create_remote_thread
  definition: 'Note that you have to configure logging for CreateRemoteThread in Symson config'
detection:
  selection:
    SourceImage|endswith: '\powershell.exe'
  condition: selection
falsepositives:
  - Unknown
level: high
tags:
  - attack.execution
  - attack.t1059.001