SOP-25: Malicious PowerShell / Script Engine Execution Response
SOC analyst playbook for detecting and responding to malicious PowerShell abuse including encoded commands, AMSI bypass, and download cradles. Event 4104 Script Block Logging, MDE DeviceProcessEvents. KQL for Sentinel, SPL for Splunk.
Rudra Verma, Senior Security Architect & Researcher