PowerShell Snippets to Monitor

Introduction
PowerShell is both a friend and a foe to blue teamers. PowerShell Remoting is the most secure way to manage systems, PowerShell is a stellar productivity tool, and it cannot practically be uninstalled anyway. However, as a native, powerful scripting platform, PowerShell can also be used to support malicious actions. Therefore, it is important to monitor it adequately.
Below are PowerShell snippets you should pay special attention to and set up alerts for. You might be wondering why I didn't include popular PowerShell modules like Invoke-Obfuscation. The reason is that when researchers tested these modules, they found that they do not bypass detection (Mosch, 2025).
In fact, "all of the public bypasses themselves are signatured and flagged by AMSI itself, at least when implementing them in one of the mentioned scripting languages such as Powershell. So for all of them, it's necessary to manually modify or obfuscate the code so that the bypass itself is no longer flagged" (Mosch, 2025).
Therefore, the snippets listed below are more general and are usually embedded in other malicious scripts. They are simple, non-regex items, and so can be implemented in any environment without customization.
Snippets
- Set-MpPreference -DisableRealtimeMonitoring (Rousseau, 2017, p. 6). Real-time protection provides "always-on scanning, using file and process behavior monitoring and other heuristics" (Davis et al., 2025). Disabling it indicates an attempt to bypass antivirus protection. Your organization might use this during testing, but that is unlikely and unnecessary, and it should be monitored regardless.
- Set-MpPreference -DisableScriptScanning (Microsoft, 2025-b). This setting "specifies whether to disable the scanning of scripts during malware scans. If you specify a value of $False or do not specify a value, Windows Defender does not scan scripts" (Microsoft, 2025-b). Not good!
- Add-MpPreference -ExclusionPath (Zahravi, 2025). The exclusion path "disables Windows Defender scheduled and real-time scanning for files in this folder" (Microsoft, 2025-a). If you use Defender and manage rules through PowerShell, this may be used legitimately. However, it absolutely should be monitored, as it is often used in attack chains, as the Zahravi reference demonstrates. If you see this command and no approved change is under way, it is a major red flag!
- Remove-Item -Path $MyInvocation.MyCommand.Source (Maynard, 2018). This deletes the script after it runs, making file-based detection and analysis more difficult. There is no reason your organization should permit this action.
- New-Object System.Net.Sockets.TcpClient. This establishes a TCP connection from PowerShell and can be used to communicate back to a malicious server. The organization may use it legitimately, but it should be monitored for destination IPs outside a whitelist.
- -ExecutionPolicy Bypass (Y.D., 2024). Execution policies in PowerShell are easily bypassed and should not be treated as a security boundary. They function more as a barrier against accidental execution, helping employees comply with policy. That said, bypassing the execution policy indicates an insider (malicious or not) or an external threat.
- System.Reflection.Assembly (Splunk, 2021). Fileless malware is a common technique for avoiding antivirus solutions. This snippet is a potential indicator of in-memory (fileless) malware designed to avoid detection on disk.
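As an added example (not code from the original post), here is a small Python detector that applies the list above to the ScriptBlockText of Script Block Logging events (Event ID 4104). Matching is a case-insensitive substring check with whitespace collapsed, which mirrors PowerShell's own case-insensitivity and needs no regex for the indicators themselves; the only regex is used to pull IPv4 addresses out of a TcpClient line so they can be compared against a whitelist. The severities, the whitelisted addresses and the sample events are my assumptions, constructed for illustration.

```python
import re
from dataclasses import dataclass

# The snippets from the list above. Severities are an assumption for this
# example; tune them to your environment.
INDICATORS = {
    "Set-MpPreference -DisableRealtimeMonitoring": "high",
    "Set-MpPreference -DisableScriptScanning": "high",
    "Add-MpPreference -ExclusionPath": "high",
    "Remove-Item -Path $MyInvocation.MyCommand.Source": "high",
    "New-Object System.Net.Sockets.TcpClient": "medium",
    "-ExecutionPolicy Bypass": "medium",
    "System.Reflection.Assembly": "medium",
}

# Hypothetical whitelist of internal hosts that TcpClient may legitimately reach.
ALLOWED_HOSTS = {"10.0.0.5", "10.0.0.6"}

# Only regex in the detector: used to extract IPv4 literals for the whitelist check.
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Alert:
    record_id: int
    indicator: str
    severity: str
    note: str = ""


def normalize(text):
    # Collapse runs of whitespace and lowercase, so that
    # "Set-MpPreference   -DisableRealtimeMonitoring" still matches.
    return " ".join(text.split()).lower()


def scan_script_block(record_id, script_text):
    """Return the alerts raised by one 4104 ScriptBlockText value."""
    norm = normalize(script_text)
    alerts = []
    for indicator, severity in INDICATORS.items():
        if indicator.lower() not in norm:
            continue
        note = ""
        if "tcpclient" in indicator.lower():
            hosts = set(IPV4.findall(script_text))
            unknown = hosts - ALLOWED_HOSTS
            if hosts and not unknown:
                continue  # every parsed destination is whitelisted: no alert
            # No literal IP (e.g. a variable or hostname) is treated conservatively.
            note = "destinations not on whitelist: " + (", ".join(sorted(unknown)) or "none parsed")
        alerts.append(Alert(record_id, indicator, severity, note))
    return alerts


def scan_events(events):
    """events: iterable of (EventRecordID, ScriptBlockText) pairs."""
    alerts = []
    for record_id, text in events:
        alerts.extend(scan_script_block(record_id, text))
    return alerts


# Constructed sample of Event ID 4104 ScriptBlockText values (not real logs).
SAMPLE_EVENTS = [
    (101, "Get-ChildItem C:\\Users | Sort-Object Length"),
    (102, "Set-MpPreference   -DisableRealtimeMonitoring $true"),
    (103, "$c = New-Object System.Net.Sockets.TCPClient('10.0.0.5', 443)"),
    (104, "$c = New-Object System.Net.Sockets.TCPClient('203.0.113.7', 4444)"),
    (105, "powershell.exe -ExecutionPolicy Bypass -File .\\update.ps1; "
          "Remove-Item -Path $MyInvocation.MyCommand.Source"),
]

if __name__ == "__main__":
    for a in scan_events(SAMPLE_EVENTS):
        print(f"[{a.severity}] record {a.record_id}: {a.indicator} {a.note}".rstrip())
```

Record 103 produces no alert because its only destination is whitelisted, while record 104 alerts with the unlisted address in the note; record 105 raises two alerts, one per snippet it contains. In a SIEM the same substring list can be applied directly to the ScriptBlockText field of 4104 events.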
References
Davis, C., Walsh, E., Mandalika, S., & Athavale, M. (2025, March 26). Configure behavioral, heuristic, and real-time protection. Microsoft Learn. https://learn.microsoft.com/en-us/defender-endpoint/configure-protection-features-microsoft-defender-antivirus
Maynard, T. (2018, September 9). Self-destruction script. Tommy Maynard. https://tommymaynard.com/self-destruction-script-2018/
Microsoft. (2025-a). Add-MpPreference. Microsoft Learn. https://learn.microsoft.com/en-us/powershell/module/defender/add-mppreference?view=windowsserver2025-ps
Microsoft. (2025-b). Set-MpPreference. Microsoft Learn. https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2025-ps
Mosch, F. (2025, February). Bypass AMSI in 2025. rtec. https://www.r-tec.net/r-tec-blog-bypass-amsi-in-2025.html
Rousseau, A. (2017). Hijacking .NET to defend PowerShell. Retrieved June 23, 2024, from https://arxiv.org/pdf/1709.07508
Splunk (2021, September 17). Hunting for malicious PowerShell using script block logging. https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html#:~:text=Defense%20Evasion
Y. D. (2024, April 15). Bypass and set PowerShell script execution policies. Sentry. https://sentry.io/answers/bypass-and-set-powershell-script-execution-policies/
Zahravi, A. (2025, March 25). CVE-2025-26633: How Water Gamayun weaponizes MUIPath using MSC EvilTwin. TrendMicro. https://www.trendmicro.com/en_us/research/25/c/cve-2025-26633-water-gamayun.html