PowerShell

Executive Summary

PowerShell is a Windows automation and configuration environment built on .NET. Adversaries abuse it for execution, discovery, download, credential access, and administration because it is widely installed and can interact with operating-system and cloud APIs. PowerShell use is not inherently suspicious; reliable detection depends on script content, execution context, ancestry, network behavior, and the account's normal activity.

Why Attackers Use It

• PowerShell is available by default on supported Windows systems and common in administration.
• It can execute scripts, load .NET assemblies, invoke native APIs, query management interfaces, and communicate over the network.
• Encoding, string construction, compression, and in-memory loading can obscure intent.
• Legitimate administrative volume creates cover and makes simplistic process-name alerts noisy.

MITRE Description

MITRE classifies PowerShell as T1059.001 under Command and Scripting Interpreter. The technique includes interactive commands, script files, remoting, encoded commands, downloaded content, and PowerShell-hosted functionality. PowerShell may be launched through powershell.exe, pwsh.exe, another process hosting the engine, or a management product.

Attack Flow

1. An initial process, user, scheduled task, service, Office application, or remote-management channel starts PowerShell or hosts its engine.
2. The command or script gathers context, decodes content, loads functionality, or retrieves a payload.
3. PowerShell invokes cmdlets, .NET methods, COM objects, WMI, or native programs.
4. Follow-on actions perform discovery, persistence, credential access, collection, or command and control.
5. The adversary may clear history, disable logging, terminate the process, or move execution into another host process.

Prerequisites

• PowerShell or a compatible hosting environment on the endpoint.
• Execution rights under the current identity.
• Network access when remote content or remoting is used.
• Additional privileges for actions affecting protected resources.

Common Tools

• Windows PowerShell and PowerShell 7
• PowerShell remoting and WinRM
• Administrative frameworks and configuration-management products
• Offensive frameworks implemented partly in PowerShell
• Applications that host the PowerShell engine without launching the standard executable

Commands

Representative patterns for recognition and controlled testing:

powershell.exe -NoProfile -NonInteractive -EncodedCommand <base64-data>
powershell.exe -ExecutionPolicy Bypass -File <script-path>
Invoke-Command -ComputerName <host> -ScriptBlock { Get-Process }
Invoke-WebRequest -Uri https://example.invalid/file -OutFile <path>

EncodedCommand uses UTF-16LE Base64 and is not proof of malicious intent. Execution-policy flags do not bypass operating-system authorization boundaries and are also used by legitimate automation.

Network Traffic

• PowerShell can use HTTP/S through .NET web clients, REST cmdlets, or background transfer mechanisms.
• PowerShell remoting commonly uses WinRM on TCP 5985 or 5986.
• Web traffic may inherit user-agent, proxy, and TLS behavior from the selected .NET API or system configuration.
• Useful indicators include script interpreters contacting rare domains, direct IP destinations, unusual ports, first-seen downloads, and network connections from unexpected parent processes.

Windows Events

Sysmon Events

Detection Opportunities

• Detect suspicious script-block content such as download-and-execute chains, reflection, dynamic invocation, credential access, security-control changes, and high-entropy encoded material.
• Identify unusual parents such as Office applications, browsers, archive utilities, or public-facing service processes launching PowerShell.
• Correlate PowerShell with new network destinations, file creation, scheduled tasks, services, WMI, or remoting.
• Detect logging-policy modification, operational-log clearing, and anti-malware interface tampering.
• Baseline automation accounts, deployment systems, login scripts, and administrative workstations.
• Monitor hosted PowerShell activity so detection does not depend exclusively on powershell.exe.

Sigma Rules

title: Suspicious PowerShell Script Block Behaviors
id: 49d907be-20c5-4aef-964c-2d566f2d6303
status: experimental
description: Detects selected high-risk behaviors in PowerShell Script Block Logging.
logsource:
  product: windows
  category: ps_script
detection:
  selection:
    ScriptBlockText|contains:
      - 'FromBase64String'
      - 'DownloadString'
      - 'Invoke-Expression'
      - 'Reflection.Assembly'
      - 'System.Management.Automation.AmsiUtils'
  condition: selection
falsepositives:
  - Administrative scripts and security-testing tools
level: medium
tags:
  - attack.execution
  - attack.t1059.001

Splunk Queries

index=windows sourcetype="WinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode=4104
| eval script=lower(ScriptBlockText)
| where match(script,"frombase64string|downloadstring|invoke-expression|reflection\\.assembly|amsiutils")
| stats count values(ScriptBlockText) as script_blocks min(_time) as firstTime max(_time) as lastTime by host user Path
| convert ctime(firstTime) ctime(lastTime)

Investigation Workflow

1. Retrieve the complete script block, message sequence, host, user, engine version, process ID, and script path.
2. Decode encoded content in an isolated analysis environment and reconstruct split or concatenated strings.
3. Review parent and child processes, command line, integrity level, logon session, and whether the user normally executes PowerShell.
4. Extract URLs, domains, IP addresses, file paths, registry paths, scheduled-task names, services, and invoked binaries.
5. Correlate network, DNS, proxy, file, registry, WMI, and remoting telemetry.
6. Determine the initial execution source and all follow-on actions performed by the script.
7. Search across the environment for matching script-block hashes, distinctive fragments, destinations, and artifacts.

Containment

1. Stop confirmed malicious execution and isolate affected hosts when necessary.
2. Disable compromised identities and revoke remote sessions or tokens.
3. Block confirmed malicious destinations, files, hashes, and scripts.
4. Preserve script-block logs and decoded content before removal.
5. Remove persistence and recover affected systems according to the broader intrusion scope.

Mitigation

• Enable Script Block Logging, Module Logging where justified, process command-line auditing, and centralized retention.
• Prefer current PowerShell versions and remove obsolete PowerShell 2.0 components.
• Use application control and constrained administration to restrict who can run unapproved code.
• Limit PowerShell remoting endpoints and privileged access.
• Apply endpoint protection and attack-surface-reduction controls appropriate to the environment.
• Sign and protect administrative scripts while recognizing that execution policy is not a security boundary.

Related Techniques

• T1027.010 — Command Obfuscation
• T1059 — Command and Scripting Interpreter
• T1059.003 — Windows Command Shell
• T1071.001 — Web Protocols
• T1105 — Ingress Tool Transfer
• T1140 — Deobfuscate/Decode Files or Information