Command and Scripting Interpreter: PowerShell
PowerShell
A Powerful Command-Line Interface and Scripting Platform in Windows
PowerShell is a powerful command-line interface and scripting platform provided in Windows,
which adversaries can exploit for information gathering, remote control, malware execution, and other malicious activities.
How Attackers Abuse PowerShell
Command Execution: Execute files using Start-Process
Remote Command Execution: Control remote systems using Invoke-Command (Administrator privileges required)
File Download and Execution: Download malicious files from the internet and execute them in memory without writing to disk
Advanced PowerShell Attack Techniques
Even without directly executing PowerShell,
adversaries can bypass detection by leveraging the .NET framework and Windows CLI to call PowerShell’s core library (System.Management.Automation DLL) directly.
Common PowerShell-Based Attack Tools Used by Adversaries
✔ Empire – Remote control and persistence
✔ PowerSploit – Penetration testing and malware execution
✔ PoshC2 – Command & Control (C2) attack framework
✔ PSAttack – PowerShell-based attack automation
PowerShell is a powerful tool, but when abused by attackers, it can become a serious security threat.