Built off the open source project Osquery
Description: Checks whether the cross-platform PowerShell Core is installed.
What The Data Shows: Some AV products that block use of the PowerShell console do not block PowerShell Core. This query shows which machines/users may be trying to bypass those restrictions.
SQL:
-- File metadata for the PowerShell Core 6 binary; no rows returned means the file is not present.
SELECT filename, attributes,
datetime(mtime, 'unixepoch', 'localtime') AS "Modified",
datetime(ctime, 'unixepoch', 'localtime') AS "Created",
datetime(atime, 'unixepoch', 'localtime') AS "Accessed"
FROM file
WHERE path = '\Program Files\Powershell\6\pwsh.exe';