PowerShell is rapidly becoming a weapon of choice for post-breach (post-exploitation) activity and has been used in many recent high-profile breaches. PowerShell, according to Dave Kennedy, is "BASH for Windows": a scripting language and framework that Windows uses for automation and administration. In the past few years, PowerShell tool kits such as PowerSploit, Nishang, PowerUp, and Empire have made PowerShell one of an attacker's weapons of choice.
As Symantec's recent PowerShell paper reported, many attackers are using PowerShell because it is a native, trusted tool, it can execute entirely in memory without touching disk, and malicious use of it is unlikely to be flagged. One recent large breach, likely Anthem, was shown to have been aided by very clever use of PowerShell to hide and facilitate the attackers' movements; it became a cat-and-mouse game.
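The "unlikely to be flagged" point above has a practical counter on the defender's side: since PowerShell 5.0, Script Block Logging records the content of every script block, including ones that only ever exist in memory, as event ID 4104 in the Microsoft-Windows-PowerShell/Operational log. The following is an added example written for this page, not code from the post or from Symantec's paper, that checks whether that logging is enabled on a host and hunts the existing 4104 events for the download-cradle and encoding patterns in-memory tooling typically relies on. The pattern list is an illustrative assumption, not an exhaustive signature set.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell 5.1+
# session on the host being checked.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'

# 1. Is Script Block Logging turned on by policy?
$enabled = (Get-ItemProperty -Path $policyKey -Name EnableScriptBlockLogging `
                -ErrorAction SilentlyContinue).EnableScriptBlockLogging
if ($enabled -eq 1) {
    Write-Host 'Script Block Logging: ENABLED'
} else {
    Write-Warning 'Script Block Logging is NOT enabled; in-memory PowerShell activity will leave almost no trace.'
    Write-Warning 'Enable it via GPO (Administrative Templates > Windows Components > Windows PowerShell) or with:'
    Write-Warning "  New-Item -Path '$policyKey' -Force | Out-Null"
    Write-Warning "  Set-ItemProperty -Path '$policyKey' -Name EnableScriptBlockLogging -Value 1"
}

# 2. Hunt the 4104 events already on the box for patterns that PowerSploit/Empire-style
#    in-memory tooling commonly uses. Assumed, illustrative list; tune it for your estate.
$suspicious = @(
    'DownloadString',                      # IEX (New-Object Net.WebClient).DownloadString(...)
    'Invoke-Expression',
    'FromBase64String',                    # payload decoded in memory
    '-EncodedCommand', '-enc ',            # encoded command line
    'Reflection.Assembly',                 # .NET assembly loaded from a byte array
    'VirtualAlloc', 'WriteProcessMemory'   # shellcode injection via P/Invoke
)
$regex = ($suspicious | ForEach-Object { [regex]::Escape($_) }) -join '|'

$hits = Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-PowerShell/Operational'
            Id      = 4104
        } -MaxEvents 5000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $regex } |
    Select-Object TimeCreated,
                  @{ n = 'User';    e = { $_.UserId } },
                  @{ n = 'Snippet'; e = {
                        $m = $_.Message -replace '\s+', ' '   # flatten for a one-line preview
                        $m.Substring(0, [math]::Min(120, $m.Length))
                  } }

if ($hits) {
    $hits | Format-Table -AutoSize
} else {
    Write-Host 'No 4104 events matched the suspicious patterns (or logging was off when the activity happened).'
}
```

Even with the policy off, PowerShell 5 still records script blocks that match its own built-in list of suspicious terms as 4104 warning-level events, so the hunt in step 2 is worth running either way; enabling the policy is what turns it from a partial record into a complete one. Forward the log to a SIEM, since an attacker with local admin can clear it.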