Unmanaged PowerShell Execution: Hunting Beyond powershell.exe
ID: 5665372c-b08a-5477-9989-899483723bf6
STIX ID: report--5665372c-b08a-5477-9989-899483723bf6
Feed Name: Detect FYI
This report examines unmanaged PowerShell execution: techniques in which adversaries host the PowerShell runtime inside processes other than powershell.exe (for example, via PowerShdll and SharpPick) to evade detections that key on the PowerShell host binary. It demonstrates hunting and detection strategies using Elastic and Sysmon, looking for processes other than powershell.exe that load System.Management.Automation.dll and for abnormal PowerShell-related named pipe activity, and it highlights APT35 as a known actor using this tradecraft.
