likely. many admin scripts and tools leverage powershell in their bat or vb scripts which may trigger this rule often. it is best to add additional filters or use this to hunt for anomalies

Techniques

Sample rules

Non Interactive PowerShell Process Spawned

source: sigma
technicques:
- t1059
- t1059.001

Description

Detects non-interactive PowerShell activity by looking at the “powershell” process with a non-user GUI process such as “explorer.exe” as a parent.

Detection logic

condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_generic:
  ParentImage|endswith:
  - :\Windows\explorer.exe
  - :\Windows\System32\CompatTelRunner.exe
  - :\Windows\SysWOW64\explorer.exe
filter_main_windows_update:
  ParentImage: :\$WINDOWS.~BT\Sources\SetupHost.exe
filter_optional_terminal:
  ParentImage|contains: :\Program Files\WindowsApps\Microsoft.WindowsTerminal_
  ParentImage|endswith: \WindowsTerminal.exe
filter_optional_vscode:
  ParentCommandLine|contains: ' --ms-enable-electron-run-as-node '
  ParentImage|endswith: \AppData\Local\Programs\Microsoft VS Code\Code.exe
selection:
- Image|endswith:
  - \powershell.exe
  - \pwsh.exe
- OriginalFileName:
  - PowerShell.EXE
  - pwsh.dll