Description: This query looks for all versions (6,7, preview versions) of PowerShell Core installed on Linux and Windows. PowerShell can be used maliciously used and should be monitored as some AV products only block the PowerShell.exe and PowerShell_ISE.exe not the PowerShell dll (system.management_automation.dll). Another way hackers can bypass the PowerShell blocking is by installing PowerShell Core.
What The Data Shows: Shows all versions of PowerShell Core on Windows and Linux (tested on CentOS and Ubuntu).
SQL: SELECT filename,path,attributes, datetime(mtime,"unixepoch","localtime") AS "Modified", datetime(ctime,"unixepoch","localtime") AS "Created", datetime(atime,"unixepoch","localtime") AS "Accessed" FROM file WHERE path like '/opt/microsoft/powershell/%/pwsh' or path like '\Program Files\Powershell\%\pwsh.exe' or path like '/usr/%/bin/pwsh';