T1086
PowerShell
Description
PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet, which can be used to run an executable, and the Invoke-Command cmdlet, which runs a command locally or on a remote computer.

PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.

Administrator permissions are required to use PowerShell to connect to remote systems.

A number of PowerShell-based offensive testing tools are available, including [Empire](https://attack.mitre.org/software/S0363), PowerSploit (Citation: Powersploit), and PSAttack (Citation: Github PSAttack).

PowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary through interfaces to PowerShell's underlying System.Management.Automation assembly exposed through the .NET framework and Windows Common Language Interface (CLI). (Citation: Sixdub PowerPick Jan 2016) (Citation: SilentBreak Offensive PS Dec 2015) (Citation: Microsoft PSfromCsharp APR 2014)
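Because PowerShell can run without powershell.exe through the System.Management.Automation assembly, process-name monitoring alone misses it. The following added example (not from MITRE or from this page) flags processes that load that assembly but are not an expected PowerShell host; the Sysmon Event ID 7 style field names, the host allowlist and the sample events are assumptions constructed for illustration.

```python
import json
import ntpath

# File names of the PowerShell engine assembly (IL and native-image builds).
ENGINE_DLLS = {"system.management.automation.dll",
               "system.management.automation.ni.dll"}
# Assumed allowlist of normal PowerShell hosts; tune it for your environment.
EXPECTED_HOSTS = {"powershell.exe", "powershell_ise.exe", "wsmprovhost.exe"}

# Constructed sample: JSON lines shaped like Sysmon Event ID 7 (image load).
# All paths, PIDs and the malformed line are made up for this example.
SAMPLE_EVENTS = r'''
{"EventID": 7, "ProcessId": 4120, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ImageLoaded": "C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Management.Automation\\constructed\\System.Management.Automation.dll"}
{"EventID": 7, "ProcessId": 5544, "Image": "C:\\Users\\Public\\updater.exe", "ImageLoaded": "C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\constructed\\System.Management.Automation.ni.dll"}
{"EventID": 7, "ProcessId": 3008, "Image": "C:\\Windows\\System32\\notepad.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"}
{"EventID": 1, "ProcessId": 3010, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c dir"}
{"EventID": 7, "Image": truncated
{"EventID": 7, "ProcessId": 6012, "Image": "C:\\TEMP\\Tool.EXE", "ImageLoaded": "C:\\TEMP\\system.management.automation.DLL"}
'''


def find_unexpected_hosts(lines):
    """Return (ProcessId, Image) for image loads of the PowerShell engine
    assembly by a process that is not on the expected-host allowlist."""
    hits = []
    for line in lines.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or corrupt records instead of failing
        if not isinstance(event, dict) or event.get("EventID") != 7:
            continue  # only image-load events are relevant here
        # ntpath handles backslash paths on any OS; compare case-insensitively.
        loaded = ntpath.basename(str(event.get("ImageLoaded", ""))).lower()
        host = ntpath.basename(str(event.get("Image", ""))).lower()
        if loaded in ENGINE_DLLS and host not in EXPECTED_HOSTS:
            hits.append((event.get("ProcessId"), event.get("Image")))
    return hits


if __name__ == "__main__":
    for pid, image in find_unexpected_hosts(SAMPLE_EVENTS):
        print(f"PowerShell engine loaded by unexpected host: pid={pid} image={image}")
```

Matching on file name alone is a triage signal: a renamed copy of powershell.exe would still be flagged, while a legitimate management tool that embeds PowerShell needs an allowlist entry.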
Platforms
Source: MITRE ATT&CK Enterprise matrix (attack.mitre.org).