DET0455: Abuse of PowerShell for Arbitrary Execution

This detection strategy is meant to help defenders identify abuse of PowerShell for arbitrary execution. Its practical significance is that PowerShell is a...

EnterpriseDET0455Detection StrategyObject v1.0 Modified May 12, 2026, 16:34 UTC (UTC+00:00)

This detection strategy is meant to help defenders identify abuse of PowerShell for arbitrary execution. Its practical significance is that PowerShell is a built-in Windows scripting and command environment, so malicious use can blend with legitimate administration. For leaders, the key question is not simply “do we block PowerShell,” but whether the organization can distinguish approved administrative automation from suspicious execution activity during an incident.

Executive priority

Prioritize this as a Windows execution visibility and response-readiness issue. Because the related ATT&CK technique is PowerShell under the Execution tactic, coverage affects how quickly SOC and IR teams can validate whether script or command activity is legitimate, unauthorized, or part of a broader intrusion. Executives should ask whether PowerShell monitoring is consistently collected, retained, and reviewed across important Windows assets, and whether exceptions for administrators are governed and auditable.

Technical view

The supplied ATT&CK object is a detection strategy for T1059.001 PowerShell. Since the official detection and description fields are not provided, teams should validate coverage against the related technique context: adversaries may abuse PowerShell commands and scripts to execute code or run commands on Windows. SOC teams should confirm visibility into PowerShell process execution, command-line content where available, script or module logging where enabled, parent-child process context, user identity, host identity, and remote execution indicators. Detection engineering should focus on separating expected administrative PowerShell from unusual execution patterns, especially by user, host role, parent process, execution frequency, and command characteristics.

Likely telemetry

Windows process creation events involving PowerShell executables or hosts
Command-line arguments and process ancestry for PowerShell-related execution
PowerShell script block, module, or transcript logging where enabled
User, host, and privilege context for PowerShell activity
Remote command execution or administrative session evidence where available

Detection direction

Validate that PowerShell activity is visible on Windows systems that matter to business operations, not only on endpoints already covered by EDR.
Tune detections around context: expected administrator automation, management tools, scheduled tasks, and maintenance scripts can create false positives.
Review parent-child process relationships and user context to identify PowerShell launched from unusual applications or by unusual accounts.
Confirm retention is sufficient for incident response timelines; PowerShell execution may need historical reconstruction.
Because the ATT&CK object provides no official detection logic, avoid assuming coverage from the strategy name alone; test local telemetry and alert behavior against approved benign simulations.

Mitigation priorities

Establish governance for legitimate PowerShell administration, including approved users, hosts, and automation paths.
Enable and retain appropriate Windows and PowerShell logging where operationally feasible.
Apply least privilege for administrative accounts that can run PowerShell across systems.
Use endpoint and identity controls to review unusual script execution and remote command activity.
Document detection coverage and exceptions as compliance and incident response evidence.

Analyst notes and limits

The ATT&CK object itself is a detection strategy, not a technique, and its official description and detection fields are not populated in the supplied data. The useful context comes from its relationship to T1059.001 PowerShell, which is an Enterprise ATT&CK Windows execution technique. Glexia’s recommended focus is therefore validation of Windows PowerShell visibility, tuning, and response usability rather than any specific analytic rule.

This take is limited to the supplied STIX fields, external reference, and relationship context. No official detection logic, data sources, platforms on the detection-strategy object, mitigations, or procedure examples were provided. Local environment evidence is required to determine actual exposure, normal administrative behavior, and detection coverage.

Official MITRE ATT&CK definition

Abuse of PowerShell for Arbitrary Execution

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Filter related techniques 1 rows

Domain	ID	Name	Relationship / procedure
Enterprise	T1059.001	PowerShell Sub-technique	This object detects PowerShell.

Relationship explorer

All related ATT&CK context

detects · Technique T1059.001: PowerShell Enterprise

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Modified: May 12, 2026, 16:34 UTC (UTC+00:00)
Raw hash: ef9de5b0a9b89add...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	1.0	May 12, 2026, 16:34 UTC (UTC+00:00)	Current bundle	`ef9de5b0a9b8…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
mitre-attack DET0455
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use