Malware behavioral indicators: unusual parent-child process relationships (Word spawning PowerShell), outbound beaconing at regular intervals, new registry run keys, credential dumping API calls, file encryption (ransomware).
EDR platforms detect these behavioral patterns even without signatures. MITRE ATT&CK maps these behaviors to specific techniques. Baseline normal PowerShell usage to detect malicious PowerShell — it's the same binary, only behavior differs.
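As an added illustration (not part of the original note), the sketch below applies two of these indicators to constructed events: it baselines which parents normally launch PowerShell and flags new ones, and it flags outbound flows with near-constant intervals. The event tuples, host names, addresses and thresholds (`min_count`, `max_cv`) are assumptions chosen for the example, not values from any EDR product.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed sample data (not from a real environment).
BASELINE = [  # (parent image, child image) process-creation pairs from a clean period
    ("explorer.exe", "powershell.exe"),
    ("explorer.exe", "powershell.exe"),
    ("services.exe", "powershell.exe"),
    ("services.exe", "powershell.exe"),
    ("explorer.exe", "winword.exe"),
]
NEW_EVENTS = [
    ("explorer.exe", "powershell.exe"),
    ("winword.exe", "powershell.exe"),
]
# Constructed outbound connection timestamps (seconds) per (host, destination).
CONNECTIONS = {
    ("ws01", "203.0.113.10"): [0, 60, 121, 180, 241, 300],  # near-fixed 60 s interval
    ("ws01", "198.51.100.7"): [0, 5, 200, 230, 900, 905],   # bursty, human-like
}

def build_baseline(events, child="powershell.exe", min_count=2):
    """Parents that launched `child` at least `min_count` times in the baseline."""
    counts = Counter(p.lower() for p, c in events if c.lower() == child)
    return {p for p, n in counts.items() if n >= min_count}

def unusual_parents(events, baseline, child="powershell.exe"):
    """Events where `child` was started by a parent absent from the baseline."""
    return [(p, c) for p, c in events
            if c.lower() == child and p.lower() not in baseline]

def beacon_candidates(connections, min_events=5, max_cv=0.1):
    """Flows whose inter-arrival gaps are nearly constant (low coefficient of variation)."""
    hits = []
    for key, ts in connections.items():
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(ts) < min_events or mean(gaps) == 0:
            continue  # too few samples to judge regularity
        if pstdev(gaps) / mean(gaps) <= max_cv:
            hits.append(key)
    return hits

if __name__ == "__main__":
    base = build_baseline(BASELINE)
    print("unusual PowerShell parents:", unusual_parents(NEW_EVENTS, base))
    print("beacon candidates:", beacon_candidates(CONNECTIONS))
```

The coefficient-of-variation threshold tolerates small jitter; wider jitter needs a looser `max_cv` at the cost of more false positives from scheduled legitimate traffic.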