Description
Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.(Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.
A number of PowerShell-based offensive testing tools are available, including Empire, PowerSploit, PoshC2, and PSAttack.(Citation: Github PSAttack)
PowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary through interfaces to PowerShell's underlying System.Management.Automation assembly DLL exposed through the .NET framework and Windows Common Language Interface (CLI).(Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)(Citation: Microsoft PSfromCsharp APR 2014)
Mitigations (5)
Disable or Remove Feature or Program (M1042)
It may be possible to remove PowerShell from systems when not needed, but a review should be performed to assess the impact to an environment, since it could be in use for many legitimate purposes and administrative functions.
Disable/restrict the WinRM Service to help prevent uses of PowerShell for remote execution.
Antivirus/Antimalware (M1049)
Anti-virus can be used to automatically quarantine suspicious files.
Code Signing (M1045)
Set PowerShell execution policy to execute only signed scripts.
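An added example (not from this page or from MITRE) that shows where the execution policy is set, enforces AllSigned, and reports which scripts under a directory would then fail to run; the path C:\Scripts is an assumed placeholder.

```powershell
# Added example: audit execution policy scopes and Authenticode status of scripts.
# Assumes scripts live under C:\Scripts (hypothetical path). Run elevated.

# 1. Show the policy in every scope. A more specific scope (Process, CurrentUser)
#    overrides LocalMachine, which is one of the bypass routes noted under M1026,
#    so check all of them rather than only Get-ExecutionPolicy.
Get-ExecutionPolicy -List | Format-Table -AutoSize

# 2. Require signed scripts machine-wide (a Group Policy setting takes precedence
#    over this and will produce a warning if one is in place).
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force

# 3. Report scripts whose signature would not pass under AllSigned.
function Get-UnsignedScriptReport {
    param([string]$Path = 'C:\Scripts')
    Get-ChildItem -Path $Path -Recurse -Include *.ps1, *.psm1, *.psd1 |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Script = $_.FullName
                Status = $sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, ...
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        } | Where-Object { $_.Status -ne 'Valid' }
}

Get-UnsignedScriptReport | Format-Table -AutoSize
```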
Privileged Account Management (M1026)
When PowerShell is necessary, consider restricting PowerShell execution policy to administrators. Be aware that there are methods of bypassing the PowerShell execution policy, depending on environment configuration.(Citation: Netspi PowerShell Execution Policy Bypass)
PowerShell JEA (Just Enough Administration) may also be used to sandbox administration and limit what commands admins/users can ex
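The JEA endpoint described above, as an added example rather than configuration from this page: one role that can restart a single service and read event logs, exposed through a transcribed, virtual-account session. The group CONTOSO\Helpdesk, the Spooler service, and the module and transcript paths are assumed placeholders.

```powershell
# Added example: a minimal JEA endpoint (requires PowerShell 5.0+, run elevated).
# JEA rides on WinRM, so pair it with the WinRM restrictions noted under M1042.

$modulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\HelpdeskJea'
$rcDir = Join-Path $modulePath 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modulePath 'HelpdeskJea.psd1')

# Role capability: an allow-list of cmdlets. Parameter values are pinned where a
# free-form argument would widen the role (Restart-Service on *any* service is
# far more than a helpdesk needs).
New-PSRoleCapabilityFile -Path (Join-Path $rcDir 'Helpdesk.psrc') `
    -VisibleCmdlets @(
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } },
        @{ Name = 'Get-WinEvent';    Parameters = @{ Name = 'LogName' }, @{ Name = 'MaxEvents' } }
    )

# Session configuration: RestrictedRemoteServer strips the interactive language
# features, the virtual account holds local admin rights only inside this
# endpoint, and every session is transcribed for later review.
$sessionConfig = Join-Path $modulePath 'Helpdesk.pssc'
New-PSSessionConfigurationFile -Path $sessionConfig `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JeaTranscripts' `
    -RoleDefinitions @{ 'CONTOSO\Helpdesk' = @{ RoleCapabilities = 'Helpdesk' } }

Test-PSSessionConfigurationFile -Path $sessionConfig   # $true when the file is valid
Register-PSSessionConfiguration -Name 'Helpdesk' -Path $sessionConfig -Force

# Helpdesk users then connect with:
#   Enter-PSSession -ComputerName <host> -ConfigurationName Helpdesk
# and see only the commands listed in the role capability.
```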
Execution Prevention (M1038)
Use application control where appropriate. PowerShell Constrained Language mode can be used to restrict access to sensitive or otherwise dangerous language elements such as those used to execute arbitrary Windows APIs or files (e.g., Add-Type).(Citation: Microsoft PowerShell CLM)
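An added example (not from this page) that runs one probe in a FullLanguage and a ConstrainedLanguage runspace to show what Constrained Language mode refuses. The probe is kept as text so it is parsed inside each runspace and therefore under that runspace's mode; this uses the public System.Management.Automation hosting API only to create the test runspaces.

```powershell
# Added example: compare FullLanguage and ConstrainedLanguage on the same probe.

$probe = @'
$r = [ordered]@{ Mode = $ExecutionContext.SessionState.LanguageMode }
# Add-Type compiles arbitrary C#, so CLM refuses it.
try {
    Add-Type -TypeDefinition 'public static class ClmProbe { public static int One() { return 1; } }' -ErrorAction Stop
    $r.AddType = 'allowed'
} catch { $r.AddType = 'blocked' }
# Method calls on types outside the approved core set (Marshal is what
# Win32 API wrappers lean on) are refused as well.
try {
    [System.Runtime.InteropServices.Marshal]::SizeOf([int]) | Out-Null
    $r.Interop = 'allowed'
} catch { $r.Interop = 'blocked' }
# Core types such as [string] stay usable, so ordinary scripts keep working.
$r.CoreTypes = if ([string]::Join('-', 'a', 'b') -eq 'a-b') { 'allowed' } else { 'blocked' }
[pscustomobject]$r
'@

function Invoke-InLanguageMode {
    param(
        [string]$Script,
        [System.Management.Automation.PSLanguageMode]$Mode
    )
    $iss = [System.Management.Automation.Runspaces.InitialSessionState]::CreateDefault()
    $iss.LanguageMode = $Mode
    $rs = [System.Management.Automation.Runspaces.RunspaceFactory]::CreateRunspace($iss)
    $rs.Open()
    $ps = [System.Management.Automation.PowerShell]::Create()
    try {
        $ps.Runspace = $rs
        $ps.AddScript($Script).Invoke()
    } finally {
        $ps.Dispose()
        $rs.Close()
    }
}

# Expected: everything 'allowed' in FullLanguage; AddType and Interop
# 'blocked' in ConstrainedLanguage while CoreTypes stays 'allowed'.
Invoke-InLanguageMode -Script $probe -Mode FullLanguage
Invoke-InLanguageMode -Script $probe -Mode ConstrainedLanguage
```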
Threat Groups (85)
| ID | Group | Context |
|---|---|---|
| G0090 | WIRTE | [WIRTE](https://attack.mitre.org/groups/G0090) has used PowerShell for script execution.(Citation: Lab52 WIRTE Apr 2019) |
| G1044 | APT42 | [APT42](https://attack.mitre.org/groups/G1044) has downloaded and executed PowerShell payloads.(Citation: Mandiant APT42-charms) |
| G1023 | APT5 | [APT5](https://attack.mitre.org/groups/G1023) has used PowerShell to accomplish tasks within targeted environments.(Citation: Mandiant Pulse Secure Up... |
| G0108 | Blue Mockingbird | [Blue Mockingbird](https://attack.mitre.org/groups/G0108) has used PowerShell reverse TCP shells to issue interactive commands over a network connecti... |
| G0087 | APT39 | [APT39](https://attack.mitre.org/groups/G0087) has used PowerShell to execute malicious code.(Citation: BitDefender Chafer May 2020)(Citation: Symante... |
| G0059 | Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) has used PowerShell for execution and privilege escalation.(Citation: Unit 42 Magic Hound Feb 201... |
| G0073 | APT19 | [APT19](https://attack.mitre.org/groups/G0073) used PowerShell commands to execute payloads.(Citation: FireEye APT19) |
| G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) downloads and executes PowerShell scripts and performs PowerShell commands.(Citation: Palo Alto Sofacy ... |
| G0096 | APT41 | [APT41](https://attack.mitre.org/groups/G0096) leveraged PowerShell to deploy malware families in victims’ environments.(Citation: FireEye APT41 Aug 2... |
| G0034 | Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) has used PowerShell scripts to run a credential harvesting tool in memory to evade defenses.(Ci... |
| G1055 | VOID MANTICORE | [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has utilized PowerShell to execute malware in victim environments.(Citation: DOJ FBI Handala H... |
| G1019 | MoustachedBouncer | [MoustachedBouncer](https://attack.mitre.org/groups/G1019) has used plugins to execute PowerShell scripts.(Citation: MoustachedBouncer ESET August 202... |
| G0052 | CopyKittens | [CopyKittens](https://attack.mitre.org/groups/G0052) has used PowerShell Empire.(Citation: ClearSky Wilted Tulip July 2017) |
| G0076 | Thrip | [Thrip](https://attack.mitre.org/groups/G0076) leveraged PowerShell to run commands to download payloads, traverse the compromised networks, and carry... |
| G1053 | Storm-0501 | [Storm-0501](https://attack.mitre.org/groups/G1053) has leveraged PowerShell to execute commands and scripts.(Citation: Microsoft Storm-501 Sabbath Ra... |
| G1046 | Storm-1811 | [Storm-1811](https://attack.mitre.org/groups/G1046) has used PowerShell for multiple purposes, such as using PowerShell scripts executing in an infini... |
| G1016 | FIN13 | [FIN13](https://attack.mitre.org/groups/G1016) has used PowerShell commands to obtain DNS data from a compromised network.(Citation: Mandiant FIN13 Au... |
| G0078 | Gorgon Group | [Gorgon Group](https://attack.mitre.org/groups/G0078) malware can use PowerShell commands to download and execute a payload and open a decoy document ... |
| G1040 | Play | [Play](https://attack.mitre.org/groups/G1040) has used Base64-encoded PowerShell scripts to disable Microsoft Defender.(Citation: Trend Micro Ransomwa... |
| G0046 | FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) used a PowerShell script to launch shellcode that retrieved an additional payload.(Citation: FireEye FIN... |
Associated Software (131)
| ID | Name | Type | Context |
|---|---|---|---|
| S1212 | RansomHub | Malware | [RansomHub](https://attack.mitre.org/software/S1212) can use PowerShell to delete volume shadow copies.(Citation: Group-IB RansomHub FEB 2025) |
| S1081 | BADHATCH | Malware | [BADHATCH](https://attack.mitre.org/software/S1081) can utilize `powershell.exe` to execute commands on a compromised host.(Citation: Gigamon BADHATCH... |
| S0363 | Empire | Tool | [Empire](https://attack.mitre.org/software/S0363) leverages PowerShell for the majority of its client-side agent tasks. [Empire](https://attack.mitre.... |
| S0330 | Zeus Panda | Malware | [Zeus Panda](https://attack.mitre.org/software/S0330) uses PowerShell to download and execute the payload.(Citation: Talos Zeus Panda Nov 2017) |
| S9001 | SystemBC | Malware | [SystemBC](https://attack.mitre.org/software/S9001) has used hidden scheduled tasks to execute PowerShell commands by adding the following: `-WindowSt... |
| S0650 | QakBot | Malware | [QakBot](https://attack.mitre.org/software/S0650) can use PowerShell to download and execute payloads.(Citation: Group IB Ransomware September 2020) |
| S0622 | AppleSeed | Malware | [AppleSeed](https://attack.mitre.org/software/S0622) has the ability to execute its payload via PowerShell.(Citation: Malwarebytes Kimsuky June 2021) |
| S1141 | LunarWeb | Malware | [LunarWeb](https://attack.mitre.org/software/S1141) has the ability to run shell commands via PowerShell.(Citation: ESET Turla Lunar toolset May 2024) |
| S1202 | LockBit 3.0 | Malware | [LockBit 3.0](https://attack.mitre.org/software/S1202) can use PowerShell to apply Group Policy changes.(Citation: Joint Cybersecurity Advisory LockBi... |
| S1140 | Spica | Malware | [Spica](https://attack.mitre.org/software/S1140) can use an obfuscated PowerShell command to create a scheduled task for persistence.(Citation: Google... |
| S1155 | Covenant | Tool | [Covenant](https://attack.mitre.org/software/S1155) can create PowerShell-based launchers for Grunt installation.(Citation: Github Covenant) |
| S0496 | REvil | Malware | [REvil](https://attack.mitre.org/software/S0496) has used PowerShell to delete volume shadow copies and download files.(Citation: Secureworks GandCrab... |
| S0534 | Bazar | Malware | [Bazar](https://attack.mitre.org/software/S0534) can execute a PowerShell script received from C2.(Citation: NCC Group Team9 June 2020)(Citation: Crow... |
| S1201 | TRANSLATEXT | Malware | [TRANSLATEXT](https://attack.mitre.org/software/S1201) has used PowerShell to collect system information and to upload the collected data to a Github ... |
| S1065 | Woody RAT | Malware | [Woody RAT](https://attack.mitre.org/software/S1065) can execute PowerShell commands and scripts with the use of .NET DLL, `WoodyPowerSession`.(Citati... |
| S0192 | Pupy | Tool | [Pupy](https://attack.mitre.org/software/S0192) has a module for loading and executing PowerShell scripts.(Citation: GitHub Pupy) |
| S0514 | WellMess | Malware | [WellMess](https://attack.mitre.org/software/S0514) can execute PowerShell scripts received from C2.(Citation: PWC WellMess July 2020)(Citation: CISA ... |
| S0689 | WhisperGate | Malware | [WhisperGate](https://attack.mitre.org/software/S0689) can use PowerShell to support multiple actions including execution and defense evasion.(Citatio... |
| S0393 | PowerStallion | Malware | [PowerStallion](https://attack.mitre.org/software/S0393) uses PowerShell loops to iteratively check for available commands in its OneDrive C2 server.(... |
| S0389 | JCry | Malware | [JCry](https://attack.mitre.org/software/S0389) has used PowerShell to execute payloads.(Citation: Carbon Black JCry May 2019) |
References
- Babinec, K. (2014, April 28). Executing PowerShell scripts from C#. Retrieved April 22, 2019.
- Christensen, L. (2015, December 28). The Evolution of Offensive PowerShell Invocation. Retrieved December 8, 2018.
- Dunwoody, M. (2016, February 11). Greater Visibility Through PowerShell Logging. Retrieved February 16, 2016.
- Haight, J. (2016, April 21). PS>Attack. Retrieved September 27, 2024.
- Hastings, M. (2014, July 16). Investigating PowerShell Attacks. Retrieved December 1, 2021.
- Malware Archaeology. (2016, June). Windows PowerShell Logging Cheat Sheet - Win 7/Win 2008 or later. Retrieved June 24, 2016.
- Microsoft. (n.d.). Windows PowerShell Scripting. Retrieved April 28, 2016.
- Warner, J. (2015, January 6). Inexorable PowerShell – A Red Teamer's Tale of Overcoming Simple AppLocker Policies. Retrieved December 8, 2018.
Frequently Asked Questions
What is T1059.001 (PowerShell)?
T1059.001 is a MITRE ATT&CK technique named 'PowerShell'. It belongs to the Execution tactic(s). Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.(Cit...
How can T1059.001 be detected?
Detection of T1059.001 (PowerShell) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
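An added example (not from this page) of the log-based detection the answer refers to: it reads PowerShell script block logging events and flags the behaviours described on this page (encoded commands, hidden windows, download-and-execute, Add-Type, shadow copy deletion). It assumes Script Block Logging is enabled, which records each executed block as Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log; the patterns and thresholds are starting points, not a complete rule set.

```powershell
# Added example: hunt 4104 script block events for behaviours named on this page.

# Each pattern maps to a behaviour in the technique description or the
# group/software entries above (Base64 scripts, -WindowStyle hidden tasks,
# download-and-run, in-memory compilation, shadow copy deletion).
$indicators = [ordered]@{
    EncodedCommand   = '-(e|ec|enc|encodedcommand)\s'
    Base64Decode     = 'FromBase64String'
    HiddenWindow     = '-WindowStyle\s+Hidden'
    DownloadAndRun   = 'DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-Expression|\biex\b'
    InMemoryCompile  = '\bAdd-Type\b'
    ShadowCopyDelete = 'vssadmin.*delete\s+shadows|Win32_ShadowCopy'
}

function Get-SuspiciousScriptBlock {
    param([int]$Hours = 24, [int]$MinimumHits = 1)
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # 4104 properties: [0] MessageNumber, [1] MessageTotal,
        #                  [2] ScriptBlockText, [3] ScriptBlockId, [4] Path
        $text = [string]$_.Properties[2].Value
        $hits = @($indicators.Keys | Where-Object { $text -match $indicators[$_] })
        if ($hits.Count -ge $MinimumHits) {
            $flat = $text -replace '\s+', ' '
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = $_.UserId
                Path    = $_.Properties[4].Value   # empty for interactive/in-memory blocks
                Hits    = ($hits -join ',')
                Snippet = $flat.Substring(0, [Math]::Min(120, $flat.Length))
            }
        }
    }
}

# Requiring two indicators cuts noise from admin scripts that merely call Add-Type.
Get-SuspiciousScriptBlock -Hours 24 -MinimumHits 2 | Sort-Object Time | Format-Table -Wrap
```

Blocks with an empty Path were not loaded from a script file, which matches the in-memory execution described in the technique and is itself worth a closer look.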
What mitigations exist for T1059.001?
There are 5 documented mitigations for T1059.001. Key mitigations include: Disable or Remove Feature or Program, Antivirus/Antimalware, Code Signing, Privileged Account Management, Execution Prevention.
Which threat groups use T1059.001?
Known threat groups using T1059.001 include: WIRTE, APT42, APT5, Blue Mockingbird, APT39, Magic Hound, APT19, APT28.