Powershell.exe

Powershell.exe is a task-based command-line shell built on .NET.

Paths

  • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Commands

Execute

Set the execution policy to bypass and execute a PowerShell script without warning

Use case: Execute PowerShell cmdlets, .NET code, and just about anything else your heart desires

Privileges: User

powershell.exe -ep bypass -file c:\path\to\a\script.ps1

Execute

Set the execution policy to bypass and execute a PowerShell command

Use case: Execute PowerShell cmdlets, .NET code, and just about anything else your heart desires

Privileges: User

powershell.exe -ep bypass -command "Invoke-AllTheThings..."

Execute

Set the execution policy to bypass and execute a very malicious PowerShell encoded command

Use case: Execute PowerShell cmdlets, .NET code, and just about anything else your heart desires

Privileges: User

powershell.exe -ep bypass -ec IgBXAGUAIAA8ADMAIABMAE8ATABCAEEAUwAiAA==

Detection
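
One way to flag the three invocations above in process-creation logs, as an added example that is not part of the original page. The function names and sample log lines are constructed for illustration; the matcher assumes Windows PowerShell's switch parsing, where -ep and -ec (or any sufficiently long prefix of the full name) select -ExecutionPolicy and -EncodedCommand, and where the encoded command is base64 over UTF-16LE text.

```python
import base64
import shlex

# Constructed sample command lines, as seen in process-creation telemetry.
SAMPLES = [
    r"powershell.exe -ep bypass -file c:\path\to\a\script.ps1",
    r"PowerShell.exe -NoP -Exec Bypass -Enc IgBXAGUAIAA8ADMAIABMAE8ATABCAEEAUwAiAA==",
    r"powershell.exe -File C:\scripts\backup.ps1",
]

# full name -> (shortest accepted prefix, extra aliases); assumed parser behaviour
PARAMS = {"executionpolicy": ("ex", {"ep"}), "encodedcommand": ("e", {"ec"}),
          "command": ("c", set()), "file": ("f", set())}
DASHES = "-/\u2013\u2014\u2015"  # hyphen, slash, en dash, em dash, horizontal bar

def match_param(token):
    """Resolve an abbreviated switch such as '-ep' or '/Enc' to its full name."""
    if len(token) < 2 or token[0] not in DASHES:
        return None
    key = token[1:].lower()
    for full, (shortest, aliases) in PARAMS.items():
        if key in aliases or (full.startswith(key) and len(key) >= len(shortest)):
            return full
    return None

def decode_encoded_command(b64):
    """-EncodedCommand carries the command as base64 over UTF-16LE text."""
    return base64.b64decode(b64, validate=True).decode("utf-16-le")

def analyze(cmdline):
    """Report the requested execution policy and any decoded command."""
    tokens = shlex.split(cmdline, posix=False)  # posix=False keeps backslashes
    out = {"policy": None, "decoded": None}
    for tok, nxt in zip(tokens, tokens[1:]):
        param = match_param(tok)
        if param == "executionpolicy":
            out["policy"] = nxt.strip('"').lower()
        elif param == "encodedcommand":
            try:
                out["decoded"] = decode_encoded_command(nxt.strip('"'))
            except ValueError:  # bad base64 or not valid UTF-16LE
                out["decoded"] = "<undecodable>"
        elif param in ("command", "file"):
            break  # everything after these is the payload, not switches
    out["suspicious"] = out["policy"] == "bypass" or out["decoded"] is not None
    return out

if __name__ == "__main__":
    for line in SAMPLES:
        print(analyze(line), "<-", line)
```

Matching on the resolved parameter name rather than the literal strings -ep and -ec keeps the check working when the switches are abbreviated differently or written with another dash character.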

Resources