Detecting PowerShell Abuse That Other Tools Miss (Release Date: March 31)

We’ve introduced an enhancement to PowerShell threat detection that significantly improves visibility into real attacker behaviour while continuing to keep alert noise extremely low.

This update uses advanced AI-driven behavioural analysis to evaluate all PowerShell activity in real time, allowing us to detect high-confidence threats earlier and with greater clarity, without increasing alert volume.

What’s Changed

PowerShell activity is now continuously evaluated using AI models that analyse behaviour patterns as they occur, not just activity that already appears suspicious. This enables earlier identification of meaningful risk when normal administrative behaviour shifts into potential attacker activity.

Only detections that meet a high confidence threshold are surfaced. Each alert has already undergone AI-driven analysis and validation, making PowerShell alerts easier to trust and faster to act on.

Why This Matters

PowerShell remains one of the most commonly abused tools in modern attacks. Traditional approaches often rely on aggressive pre-filtering or static signatures, which can either miss real threats or overwhelm teams with false positives.

This enhancement focuses on attacker intent, allowing detection of:

  • Abuse of legitimate administrative cmdlets, e.g. deleting shadow copies or calling WMI objects
  • Living-off-the-land techniques, e.g. using PowerShell to create scheduled tasks to achieve persistence
  • Previously unseen or zero-day attacker behaviour
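As an added illustration of how the three behaviours above can be scored against a per-host baseline of normal cmdlet use (this is example code written for this note, not Adlumin's detection logic; the log records are constructed, and a simple heuristic score stands in for the AI models described):

```python
import re
from collections import defaultdict

# Defender-side indicators for the behaviours listed above.
TECHNIQUES = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|Win32_ShadowCopy.*\.Delete\(|wmic\s+shadowcopy\s+delete", re.I),
    "wmi_object_call": re.compile(
        r"\b(Get-WmiObject|Invoke-WmiMethod|Get-CimInstance|Invoke-CimMethod)\b", re.I),
    "scheduled_task_persistence": re.compile(
        r"\b(Register-ScheduledTask|New-ScheduledTask|schtasks(\.exe)?\s+/create)\b", re.I),
}
CMDLET_RE = re.compile(r"\b[A-Z][A-Za-z]+-[A-Z][A-Za-z]+\b")  # Verb-Noun tokens

# Constructed sample Script Block Logging (Event ID 4104) records: (host, user, script_text).
BASELINE = [  # known-good administrative activity
    ("SRV01", "admin", "Get-Service | Where-Object Status -eq 'Running'"),
    ("SRV01", "admin", "Get-CimInstance Win32_OperatingSystem | Select-Object LastBootUpTime"),
    ("WS07", "jdoe", "Get-ChildItem C:\\Reports | Measure-Object"),
]
NEW_EVENTS = [
    ("SRV01", "admin", "Get-CimInstance Win32_OperatingSystem | Select-Object Caption"),   # routine
    ("WS07", "jdoe", "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"),  # destructive
    ("WS07", "jdoe", "Register-ScheduledTask -TaskName 'Updater' -Action $a -Trigger $t"),  # persistence
]

def build_baseline(events):
    """Map each host to the set of cmdlets seen in its known-good activity."""
    seen = defaultdict(set)
    for host, _user, script in events:
        seen[host].update(CMDLET_RE.findall(script))
    return seen

def score_event(event, baseline):
    """Return (score, reasons): 2 per technique hit, +1 if the hit also uses cmdlets new to this host."""
    host, _user, script = event
    reasons = [name for name, rx in TECHNIQUES.items() if rx.search(script)]
    novel = sorted(set(CMDLET_RE.findall(script)) - baseline.get(host, set()))
    score = 2 * len(reasons) + (1 if reasons and novel else 0)
    if novel:
        reasons.append("new_for_host:" + ",".join(novel))
    return score, reasons

def surface_alerts(events, baseline, threshold=3):
    """Only events at or above the confidence threshold are surfaced, each with its explanation."""
    alerts = []
    for event in events:
        score, reasons = score_event(event, baseline)
        if score >= threshold:
            alerts.append({"host": event[0], "user": event[1], "score": score, "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in surface_alerts(NEW_EVENTS, build_baseline(BASELINE)):
        print(alert)
```

Routine WMI queries on a host that already runs them stay below the threshold, while shadow-copy deletion and a newly registered scheduled task on a workstation are surfaced with the reasons attached.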

By creating a baseline of what ‘Normal’ looks like in a given environment, Adlumin can identify meaningful deviations that indicate real risk without flagging expected administrative activity. 

Benefits:

  • Earlier visibility into risky PowerShell behaviour, often before lateral movement or broader compromise occurs
  • Fewer alerts that require interpretation, as uncertainty is reduced before alerts are surfaced
  • Clear, explainable detections that show what happened, why it mattered and what actions were taken or initiated

Anomalous PowerShell Detection at Scale

  • Analysis of approximately 1 billion PowerShell commands per week
  • Surfaces alerts for less than 0.0001% of observed commands
  • Generates ~1 alert per week per 1,000 endpoints, on average

This ensures comprehensive coverage without introducing additional noise.

How Can Customers Access This?

This enhanced detection capability is automatically enabled as an upgrade to existing coverage.

No configuration changes are required. Customers only need to review surfaced incidents if additional remediation is recommended.
