powershell_ise.exe
- File Path:
C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe - Description: Windows PowerShell ISE
Screenshot
Hashes
| Type | Hash |
|---|---|
| MD5 | 579D1F6B52ADDDB09A75094382D3F6BC |
| SHA1 | C890036DC533028E18BFE3ADE2CFFCBA929E87B9 |
| SHA256 | AA300B32CBE3C2109AC25BFC50A3A08DE43EFBA5889DED23CE20A828978AD616 |
| SHA384 | 4A3B32B1B0BE7F1469BB1CC569D0A9BD869124BC69710E0664B60DAB0E765E7B94C7E96E9C9278951E8D9587BAB4A76C |
| SHA512 | 5CA6E3D377E10B2DE2505723496699145C33EF2917EB334F0B03FCB414149D5B6E8FE0FAC7F0454FF7E8AA3E595F380649BF42A165AF2EB0366E9BACF22CCA93 |
| SSDEEP | 6144:+C+sE4Duz2C+sEQDu0irIuU5pmZbgXooP:+jsfK2jsx085pmZUP |
Signature
- Status: The file C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
- Serial: ``
- Thumbprint: ``
- Issuer:
- Subject:
File Metadata
- Original Filename: powershell_ise.EXE
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 6.3.9600.17399 (winblue_r4.141010-1702)
- Product Version: 6.3.9600.17399
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
File Similarity (ssdeep match)
| File | Score |
|---|---|
| C:\windows\system32\WindowsPowerShell\v1.0\powershell_ise.exe | 96 |
Possible Misuse
The following table contains possible examples of powershell_ise.exe being misused. While powershell_ise.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | image_load_in_memory_powershell.yml | - '\powershell_ise.exe' |
DRL 1.0 |
| sigma | pipe_created_alternate_powershell_hosts_pipe.yml | - '\powershell_ise.exe' |
DRL 1.0 |
| sigma | proc_creation_win_renamed_binary.yml | - 'powershell_ise.exe' |
DRL 1.0 |
| sigma | proc_creation_win_renamed_binary.yml | - '\powershell_ise.exe' |
DRL 1.0 |
| sigma | proc_creation_win_renamed_binary_highly_relevant.yml | - 'powershell_ise.exe' |
DRL 1.0 |
| sigma | proc_creation_win_renamed_binary_highly_relevant.yml | - '\powershell_ise.exe' |
DRL 1.0 |
| sigma | proc_creation_win_renamed_powershell.yml | - '\powershell_ise.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_bitstransfer.yml | - '\powershell_ise.exe' |
DRL 1.0 |
| atomic-red-team | T1059.001.md | 1. Open Powershell_ise as a Privileged Account | MIT License. © 2018 Red Canary |
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
PowerShell_ise
Windows PowerShell Integrated Scripting Environment (ISE) is a graphical host application that enables you to read, write, run, debug, and test scripts and modules in a graphic-assisted environment. Key features such as IntelliSense, Show-Command, snippets, tab completion, syntax-coloring, visual debugging, and context-sensitive Help provide a rich scripting experience.
Using PowerShell.exe
The PowerShell_ISE.exe tool starts a Windows PowerShell ISE session. When you use PowerShell_ISE.exe, you can use its optional parameters to open files in Windows PowerShell ISE or to start a Windows PowerShell ISE session with no profile or with a multithreaded apartment.
-
To start a Windows PowerShell ISE session in a Command Prompt window, in Windows PowerShell, or at the Start menu, type:
PowerShell_Ise.exe -
To open a script (.ps1), script module (.psm1), module manifest (.psd1), XML file, or any other supported file in Windows PowerShell ISE, type:
PowerShell_Ise.exe <filepath>In Windows PowerShell 3.0, you can use the optional File parameter as follows:
PowerShell_Ise.exe -file <filepath> -
To start a Windows PowerShell ISE session without your Windows PowerShell profiles, use the NoProfile parameter. (The NoProfile parameter is introduced in Windows PowerShell 3.0.), type:
PowerShell_Ise.exe -NoProfile -
To see the PowerShell_ISE.exe help file, type:
PowerShell_Ise.exe -help PowerShell_Ise.exe -? PowerShell_Ise.exe /?
Remarks
-
For a complete list of the PowerShell_ISE.exe command-line parameters, see about_PowerShell_Ise.Exe.
-
For information about other ways to start Windows PowerShell, see Starting Windows PowerShell.
-
Windows PowerShell runs on the Server Core installation option of Windows Server operating systems. However, because Windows PowerShell ISE requires a graphic user interface, it does not run on Server Core installations.
Additional References
MIT License. Copyright (c) 2020-2021 Strontic.