Why should Powershell usage be monitored for suspicious activity?
- PowerShell is a very powerful CLI which can start new processes.
- PowerShell is a common tool used by users to perform many daily Windows activities.
- PowerShell is a shell that only accepts and returns text, not objects.
- PowerShell is not a built-in tool in Windows 10.
Explanation & Hint:
The best reason to monitor PowerShell usage for suspicious activity is that “PowerShell is a very powerful CLI which can start new processes.” This aspect of PowerShell makes it a potent tool for system administration, but also a significant target for misuse by attackers. Its ability to start new processes and execute a wide range of commands means that PowerShell can be used to carry out complex and potentially harmful activities, such as running malicious scripts, automating data exfiltration, or facilitating lateral movement within a network. Monitoring its usage can help in identifying and mitigating such threats.