|Create Date||March 1, 2018|
|Last Updated||March 31, 2020|
While intended for system administration and the automation of daily maintenance and management tasks, PowerShell has become a preferred tool for cybercriminals. Using the framework’s flexibility for reconnaissance, payload download, and lateral movement, threat actors can quickly create malicious scripts that fetch payloads, sniff out passwords, or even download and install PowerShell if it isn’t already installed on the targeted computer.
Dealing with the full capabilities of PowerShell-based, fileless attacks is daunting. PowerShell’s ability to run virtually invisibly on local systems, together with its ability to move throughout the Microsoft ecosystem, makes it not only a challenging threat today but one that will evolve rapidly.
|When Powershell Attacks|