Skip Navigation
Get a Demo
 
 
 
 
 
 
 
 
 
Resources Blog Threat detection

Threat Detection Series: Watch the PowerShell power hour

Experts from Red Canary, MITRE, and VMware break down how adversaries abuse the Windows automation and configuration framework

Susannah Clark Matt
Originally published . Last modified .

For the fifth year in a row, PowerShell (T1059.001) placed high among the most prevalent ATT&CK techniques ranked in Red Canary’s annual Threat Detection Report. Coming in at number 2 this year, PowerShell abuse shows no signs of slowing down, as adversaries find new ways to automate malicious behavior that blends in with normal Windows configurations. Recently, VMware’s Casey Parman and Jamie Williams from the MITRE ATT&CK® team joined Red Canary’s Matt Graeber and Sarah Lewis for the latest installment of our Threat Detection Series—a PowerShell power hour, if you will. The full webinar is available on-demand, and you can watch clips below.

First things first, is PowerShell a tool or technique?

Direct from the ATT&CK team itself: The answer is yes. PowerShell is a powerful tool that provides a foundation for countless other Windows ATT&CK techniques. Jamie Williams explains why PowerShell is like a “swiss army knife” to administrators and adversaries alike.

 

 

 

Which threats abuse PowerShell and how?

In 2022, Red Canary observed Yellow Cockatoo, Gootloader, Mimikatz, and other threats leveraging PowerShell as part of an intrusion chain. Jamie Williams highlights the ways that PowerShell tradecraft has evolved over the years.

 

 

How do I collect PowerShell telemetry?

Red Canary’s Director of Threat Research Matt Graeber highlights some key data sources for collecting PowerShell telemetry, including automatic scriptblock logging, deep scriptblock logging, and the Antimalware Scan Interface (AMSI).

 

 

How do I distinguish malicious PowerShell behavior from legitimate use?

Given that PowerShell is included by default on most Windows environments, detecting malicious use is not as simple as flagging powershell.exe. Senior Detection Engineer Sarah Lewis walks through some distinguishing elements of PowerShell abuse that defenders can build detection logic around, including unexpected parent and child processes and obfuscated command-line arguments. The PowerShell page in the Threat Detection Report also lists a number of proven detection opportunities.

 

 

Are there any preventive measures I can take to mitigate this behavior?

Matt Graeber explains how defenders can reduce their exposure to PowerShell abuse by implementing Microsoft’s Constrained Language mode.

 

 

How can I validate my detection coverage for PowerShell abuse?

There are dozens of Atomic Red Team tests that emulate suspicious PowerShell activity. You can also leverage AMSI in your testing efforts. Along with Matt Graeber’s Send-AmsiContent script, Casey Parman shares his custom AMSI provider–SoYouWannaBeAnAMSIProvider–that defenders can install locally to analyze key logs.

 

 

 

Incorporating AI agents into SOC workflows

 

Shrinking the haystack: The six phases of cloud threat detection

 

Shrinking the haystack: Building a cloud threat detection engine

 

A defender’s guide to identity attacks

Subscribe to our blog

 
 
Back to Top