title: PowerShell Execution Remote Command
title_jp: Powershellのリモートコマンドの実行
description: Powershell command executed remotely.
description_jp: Powershell command executed remotely.
author: Eric Conrad
contributor: Zach Mathis
mitre_attack: T1059
level: medium
detection:
    selection:
        Channel: Microsoft-Windows-PowerShell/Operational
        EventID: 4104
        Path: null
        ScriptBlockText|re: '.+'
    # condition: selection
falsepositives:
    - normal system usage
output: 'Command = %ScriptBlockText%'
output: 'コマンド = %ScriptBlockText%'
creation_date: 2020/11/08
updated_date:  2021/11/06