title: T1086 PowerShell Execution
id: ac7102b4-9e1e-4802-9b4f-17c5524c015c
description: Detects execution of PowerShell
status: experimental
date: 2019/09/12
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
tags:
    - attack.execution
    - attack.t1059.001
references:
    - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html
logsource:
    product: windows
    category: pipe_created
detection:
    selection:
        PipeName|startswith: '\PSHost'
    condition: selection
falsepositives:
    - Unknown
level: informational