search
githubEdit

PowerShell Attack & Detection Techniques

hashtag
Overview

PowerShell is a robust task automation framework built into Windows. Its deep system integration, .NET access, and remote execution capabilities make it an essential tool for both system administrators and attackers. This guide covers offensive techniques mapped to MITRE ATT&CK tactics with comprehensive detection and defence strategies.

hashtag
Learning Workflow

Phase 1: Foundations — PowerShell internals, security controls, logging Phase 2: Reconnaissance — Network/AD enumeration, service discovery Phase 3: Initial Access — Download cradles, payload delivery, phishing Phase 4: Execution — Script execution, fileless attacks, AMSI bypass Phase 5: Persistence — Registry, scheduled tasks, WMI subscriptions Phase 6: Privilege Escalation — UAC bypass, token manipulation Phase 7: Defence Evasion — Obfuscation, logging bypass, AMSI evasion Phase 8: Credential Access — Mimikatz, SAM dumping, credential harvesting Phase 9: Discovery — System/network/AD enumeration Phase 10: Lateral Movement — PSRemoting, WMI, DCOM, SMB Phase 11: Collection — Data staging, clipboard, keylogging Phase 12: Command & Control — C2 frameworks, reverse shells Phase 13: Exfiltration — Data transfer, covert channels

hashtag
Phase 1: PowerShell Foundations

hashtag
PowerShell Versions & Locations

Version
Windows Version
Key Features

2.0

Win 7/2008 R2

Basic, often used for downgrade attacks

3.0

Win 8/2012

Workflows, scheduled jobs

4.0

Win 8.1/2012 R2

Desired State Configuration

5.0

Win 10/2016

Classes, Script Block Logging

5.1

Win 10/2016+

Latest Windows PowerShell

7.x

Cross-platform

PowerShell Core (pwsh.exe)

# Check PowerShell version
$PSVersionTable.PSVersion
$host.Version

# PowerShell locations
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  # 64-bit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  # 32-bit
C:\Program Files\PowerShell\7\pwsh.exe                      # PS Core

# Force specific version (downgrade attack)
powershell.exe -Version 2 -Command "Get-Host"

hashtag
Execution Policies

Policy
Description

Restricted

No scripts allowed (default on clients)

AllSigned

Only signed scripts

RemoteSigned

Local scripts run; remote need signing

Unrestricted

All scripts run (warning for remote)

Bypass

Nothing blocked, no warnings

Undefined

Remove policy at this scope

hashtag
Security Controls

hashtag
AMSI (Antimalware Scan Interface)

hashtag
Constrained Language Mode

hashtag
Script Block Logging

hashtag
Transcription Logging

hashtag
Important Event IDs

Event ID
Log
Description

4103

PowerShell/Operational

Module logging

4104

PowerShell/Operational

Script block logging

4105

PowerShell/Operational

Script block start

4106

PowerShell/Operational

Script block stop

400

Windows PowerShell

Engine start

403

Windows PowerShell

Engine stop

500

Windows PowerShell

Command start

501

Windows PowerShell

Command stop

600

Windows PowerShell

Provider start

800

Windows PowerShell

Pipeline execution

hashtag
Phase 2: Reconnaissance

hashtag
Attack Techniques

hashtag
Network Reconnaissance

hashtag
Active Directory Reconnaissance

hashtag
Service Enumeration

hashtag
Detection Strategies

hashtag
Log Analysis

hashtag
Network Detection

hashtag
Detection Script

hashtag
Phase 3: Initial Access

hashtag
Attack Techniques

hashtag
Download Cradles

hashtag
Encoded Commands

hashtag
File Download Methods

hashtag
Phishing Payloads

hashtag
Detection Strategies

hashtag
Log Indicators

hashtag
Network Detection

hashtag
Detection Script

hashtag
Defensive Measures

hashtag
Phase 4: Execution

hashtag
Attack Techniques

hashtag
Script Execution Methods

hashtag
Fileless Execution

hashtag
Alternative Execution Hosts

hashtag
AMSI Bypass Techniques

hashtag
Detection Strategies

hashtag
Log Analysis

hashtag
Process Detection

hashtag
Detection Script

hashtag
Phase 5: Persistence

hashtag
Attack Techniques

hashtag
Registry Persistence

hashtag
Scheduled Tasks

hashtag
WMI Event Subscriptions

hashtag
Service Persistence

hashtag
Startup Folder

hashtag
Detection Strategies

hashtag
Registry Monitoring

hashtag
Scheduled Task Monitoring

hashtag
WMI Subscription Detection

hashtag
Detection Script

hashtag
Phase 6: Privilege Escalation

hashtag
Attack Techniques

hashtag
UAC Bypass Methods

hashtag
Token Manipulation

hashtag
Service Exploitation

hashtag
AlwaysInstallElevated

hashtag
DLL Hijacking

hashtag
Detection Strategies

hashtag
UAC Bypass Detection

hashtag
Token Detection

hashtag
Detection Script

hashtag
Phase 7: Defense Evasion

hashtag
Attack Techniques

hashtag
Obfuscation Methods

hashtag
Logging Evasion

hashtag
AMSI Bypass Techniques

hashtag
Process Injection

hashtag
Living Off the Land

hashtag
Detection Strategies

hashtag
Obfuscation Detection

hashtag
Logging Evasion Detection

hashtag
Detection Script

hashtag
Phase 8: Credential Access

hashtag
Attack Techniques

hashtag
Mimikatz via PowerShell

hashtag
SAM/SYSTEM Dump

hashtag
LSASS Dump

hashtag
Credential Harvesting

hashtag
Kerberos Attacks

hashtag
Detection Strategies

hashtag
Credential Dumping Detection

hashtag
Detection Script

hashtag
Phase 9: Discovery

hashtag
Attack Techniques

hashtag
System Enumeration

hashtag
Network Enumeration

hashtag
Active Directory Enumeration

hashtag
Detection Strategies

hashtag
Log Analysis

hashtag
Detection Script

hashtag
Phase 10: Lateral Movement

hashtag
Attack Techniques

hashtag
PowerShell Remoting

hashtag
WMI Execution

hashtag
SMB Execution

hashtag
DCOM Execution

hashtag
Pass the Hash/Ticket

hashtag
Detection Strategies

hashtag
Log Analysis

hashtag
Detection Script

hashtag
Phase 11: Collection

hashtag
Attack Techniques

hashtag
Data Staging

hashtag
Clipboard Capture

hashtag
Keylogging

hashtag
Screenshot Capture

hashtag
Detection Strategies

hashtag
Phase 12: Command & Control

hashtag
Attack Techniques

hashtag
PowerShell Reverse Shells

hashtag
HTTP/HTTPS C2

hashtag
DNS C2

hashtag
C2 Frameworks (PowerShell agents)

hashtag
Detection Strategies

hashtag
C2 Detection Script

hashtag
Phase 13: Exfiltration

hashtag
Attack Techniques

hashtag
HTTP/HTTPS Exfiltration

hashtag
DNS Exfiltration

hashtag
Cloud Exfiltration

hashtag
Email Exfiltration

hashtag
Detection Strategies

hashtag
Exfiltration Detection Script

hashtag
Comprehensive Detection Script

hashtag
Quick Reference Card

hashtag
Common Attack Patterns

Technique
Command Pattern
Detection

Download cradle

IEX (New-Object Net.WebClient).DownloadString(...)

Event 4104 + network indicators

Encoded command

powershell -EncodedCommand <base64>

Event 4104 + 4688

Persistence

Register-ScheduledTask, Run keys

Task Scheduler logs, registry audit

Credential dump

Invoke-Mimikatz, LSASS access

Event 4663, 4688

Lateral movement

Invoke-Command -ComputerName

WinRM logs, network logon events

C2 beacon

while($true){...Sleep...}

Network connections, Event 4104

hashtag
Critical Event IDs

Event ID
Log
Description

4104

PowerShell/Operational

Script block logging

4103

PowerShell/Operational

Module logging

400/403

Windows PowerShell

Engine start/stop

4688

Security

Process creation

4624

Security

Logon events

4663

Security

Object access

7045

System

Service creation

hashtag
Defensive Controls

hashtag
MITRE ATT&CK Mapping

Tactic
Technique
PowerShell Usage

Reconnaissance

T1595

Port scanning, AD queries

Initial Access

T1566

Phishing payloads, download cradles

Execution

T1059.001

PowerShell scripts, fileless malware

Persistence

T1053.005

Scheduled tasks

Persistence

T1547.001

Registry run keys

Privilege Escalation

T1548.002

UAC bypass

Defense Evasion

T1027

Obfuscation

Defense Evasion

T1562.001

Disable logging

Credential Access

T1003

Mimikatz, LSASS dump

Discovery

T1087

User/group enumeration

Lateral Movement

T1021.006

WinRM/PSRemoting

Collection

T1560

Archive/compress data

C2

T1071.001

HTTP/HTTPS channels

Exfiltration

T1041

Exfil over C2 channel

PreviousNetcat: Attack & Detection TechniquesNextThreat Detection

Last updated