PowerShell (T1086)

Technique & Subtechniques

  • PowerShell

Associated Tactics

  • Execution

Execution (TA0002)

The adversary is trying to run malicious code. Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery.

Procedure Examples

Source(s)

  • Microsoft. (n.d.). Windows PowerShell Scripting. Retrieved April 28, 2016. [TechNet PowerShell]
  • PowerSploit. (n.d.). Retrieved December 4, 2014. [Powersploit]
  • Haight, J. (2016, April 21). PS>Attack. Retrieved June 1, 2016. [Github PSAttack]
  • Warner, J. (2015, January 6). Inexorable PowerShell – A Red Teamer’s Tale of Overcoming Simple AppLocker Policies. Retrieved December 8, 2018. [Sixdub PowerPick Jan 2016]
  • Christensen, L. (2015, December 28). The Evolution of Offensive PowerShell Invocation. Retrieved December 8, 2018. [SilentBreak Offensive PS Dec 2015]
  • Babinec, K. (2014, April 28). Executing PowerShell scripts from C#. Retrieved April 22, 2019. [Microsoft PSfromCsharp APR 2014]
  • Malware Archaeology. (2016, June). Windows PowerShell Logging Cheat Sheet - Win 7/Win 2008 or later. Retrieved June 24, 2016. [Malware Archaeology PowerShell Cheat Sheet]
  • Dunwoody, M. (2016, February 11). Greater Visibility Through PowerShell Logging. Retrieved February 16, 2016. [FireEye PowerShell Logging 2016]