Powershell
| Revised Date | Author | Comment |
|---|---|---|
| 21.03.2025 | Roger Johnsen | Article added |
Introduction
Understanding PowerShell flags and commonly abused cmdlets is vital for threat hunters as attackers frequently exploit them for stealthy execution, data exfiltration, and persistence. This knowledge helps identify malicious activity, map it to known attack techniques like those in MITRE ATT&CK, and strengthen detection and response strategies against threats effectively.
Powershell Command Flags and Cmdlets
PowerShell Command Flags
| Flag | Description | MITRE ATT&CK Technique |
|---|---|---|
-ExecutionPolicy | Overrides the execution policy for the session. Example: -ExecutionPolicy Bypass. | T1059.001 (PowerShell) |
-EncodedCommand | Executes a base64-encoded command. Example: -EncodedCommand <BASE64_STRING>. | T1027 (Obfuscated Files or Information) , T1059.001 |
-NoProfile | Runs PowerShell without loading user-specific profiles. | T1059.001 (PowerShell) |
-File | Runs a specified script file. Example: -File script.ps1. | T1204.002 (Malicious File) |
-Command | Executes specified commands directly. Example: -Command Write-Host "Hello, world!". | T1059.001 (PowerShell) |
-WindowStyle | Controls the window appearance. Example: -WindowStyle Hidden. | T1564.003 (Hide Artifacts) |
-InputFormat | Specifies the format of input data, either Text or XML. | T1123 (Audio Capture) , depending on malicious use. |
-OutputFormat | Specifies the format of output data, either Text or XML. | T1020 (Data Transfer) |
-Version | Specifies the version of PowerShell to run. Example: -Version 2.0. | T1070.004 (Indicator Removal on Host) |
-NoExit | Keeps the PowerShell session open after execution. | T1059.001 (PowerShell) |
Commonly Abused Cmdlets
| Cmdlet | Description | MITRE ATT&CK Technique |
|---|---|---|
Invoke-Expression | Executes a string as a PowerShell command. | T1059.001 (PowerShell) |
Invoke-WebRequest | Downloads files or sends requests over the web. | T1105 (Ingress Tool Transfer) |
Start-Process | Starts a new process on the system. | T1543 (Create or Modify System Processes) |
New-Object | Creates and initializes a .NET object, often used maliciously to download files or execute code. | T1129 (Execution through Module Load) |
Import-Module | Loads a PowerShell module. | T1059.001 (PowerShell) |
Set-ExecutionPolicy | Changes the PowerShell execution policy, potentially disabling security controls. | T1059.001 (PowerShell) |
Add-Member | Adds properties or methods to an object. Used for advanced customization, sometimes maliciously. | T1059.001 (PowerShell) |
Get-Credential | Prompts for user credentials in a secure dialog box. | T1056.004 (Credential API Hooking) |
Export-Csv | Exports data to a CSV file. | T1020 (Data Transfer) |
Where-Object | Filters objects in the pipeline. May be used in scripts to obfuscate data collection. | T1059.001 (PowerShell) |