During the 2016 Ukraine Electric Power Attack, Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses.[6]
During the 2022 Ukraine Electric Power Attack, Sandworm Team utilized a PowerShell utility called TANKTRAP to spread and launch a wiper using Windows Group Policy.[7]
AADInternals is written and executed via PowerShell.[8]
Akira will execute PowerShell commands to delete system volume shadow copies.[9][10]
Akira has used PowerShell scripts for credential harvesting and privilege escalation.[11]
AppleSeed has the ability to execute its payload via PowerShell.[12]
APT28 downloads and executes PowerShell scripts and performs PowerShell commands.[14][15][16]
During the APT28 Nearest Neighbor Campaign, APT28 used the PowerShell cmdlet Get-ChildItem to access credentials, among other PowerShell functions deployed.[17]
APT29 has used encoded PowerShell scripts uploaded to CozyCar installations to download and install SeaDuke.[18][19][20][21]
APT3 has used PowerShell on victim systems to download and run payloads after exploitation.[22]
APT32 has used PowerShell-based tools, PowerShell one-liners, and shellcode loaders for execution.[23][24][25]
APT33 has utilized PowerShell to download files from the C2 server and run various scripts.[26][27]
APT38 has used PowerShell to execute commands and other operational tasks.[28]
APT39 has used PowerShell to execute malicious code.[29][30]
APT41 leveraged PowerShell to deploy malware families in victims’ environments.[31][32]
APT5 has used PowerShell to accomplish tasks within targeted environments.[34]
Aquatic Panda has downloaded additional scripts and executed Base64 encoded commands in PowerShell.[35]
AutoIt backdoor downloads a PowerShell script that decodes to a typical shellcode loader.[36]
BADHATCH can utilize powershell.exe to execute commands on a compromised host.[37][38]
Bandook has used PowerShell loaders as part of execution.[39]
Bazar can execute a PowerShell script received from C2.[40][41]
Black Basta has used PowerShell scripts for discovery and to execute files over the network.[42][43][44]
BlackByte used encoded PowerShell commands during operations.[45] BlackByte has used remote PowerShell commands in victim networks.[46]
BloodHound can use PowerShell to pull Active Directory information from the target environment.[47]
Blue Mockingbird has used PowerShell reverse TCP shells to issue interactive commands over a network connection.[48]
BONDUPDATER is written in PowerShell.[49][50]
BRONZE BUTLER has used PowerShell for execution.[51]
During C0018, the threat actors used encoded PowerShell scripts for execution.[53][54]
During C0021, the threat actors used obfuscated PowerShell to extract an encoded payload from within an .LNK file.[55][56]
During the C0032 campaign, TEMP.Veles used PowerShell to perform timestomping.[57]
CharmPower can use PowerShell for payload execution and C2 communication.[58]
Chimera has used PowerShell scripts to execute malicious payloads and the DSInternals PowerShell module to make use of Active Directory features.[59][60]
CHIMNEYSWEEP can invoke the PowerShell command [Reflection.Assembly]::LoadFile("%s")\n$i=""\n$r=[%s]::%s("%s",[ref] $i)\necho $r,$i\n to execute secondary payloads.[61]
Cinnamon Tempest has used PowerShell to communicate with C2, download files, and execute reconnaissance commands.[62]
The Clambling dropper can use PowerShell to download the malware.[63]
Cobalt Group has used powershell.exe to download and execute scripts.[64][65][66][67][68][69]
Cobalt Strike can execute a payload on a remote host with PowerShell. This technique does not write any data to disk.[70][71] Cobalt Strike can also use PowerSploit and other scripting frameworks to perform execution.[72][73][74][75]
ComRAT has used PowerShell to load itself every time a user logs in to the system. ComRAT can execute PowerShell scripts loaded into memory or from the file system.[76][77]
Confucius has used PowerShell to execute malicious files and payloads.[78]
ConnectWise can be used to execute PowerShell commands on target machines.[79]
CopyKittens has used PowerShell Empire.[80]
Covenant can create PowerShell-based launchers for Grunt installation.[81]
CrackMapExec can execute PowerShell commands via WMI.[82]
CreepyDrive can use PowerShell for execution, including the cmdlets Invoke-WebRequest and Invoke-Expression.[83]
CreepySnail can use PowerShell for execution, including the cmdlets Invoke-WebRequest and Invoke-Expression.[83]
Cuba has been dropped onto systems and used for lateral movement via obfuscated PowerShell scripts.[84]
CURIUM has leveraged PowerShell scripts for initial process execution and data gathering in victim environments.[85]
Daggerfly used PowerShell to download and execute remote-hosted files on victim systems.[86]
DarkHydrus leveraged PowerShell to download and execute additional scripts for execution.[88][89]
DarkVishnya used PowerShell to create shellcode loaders.[90]
DarkWatchman can execute PowerShell commands and has used PowerShell to execute a keylogger.[91]
Deep Panda has used PowerShell scripts to download and execute programs in memory, without writing to disk.[92]
Donut can generate shellcode outputs that execute via PowerShell.[93]
Dragonfly has used PowerShell scripts for execution.[95][96]
Earth Lusca has used PowerShell to execute commands.[97]
Egregor has used an encoded PowerShell command by a service created by Cobalt Strike for lateral movement.[98]
Ember Bear has used PowerShell commands to gather information from compromised systems, such as email servers.[99]
Emotet has used PowerShell to retrieve the malicious payload and download additional resources like Mimikatz.[100][101][102][103][104]
Empire leverages PowerShell for the majority of its client-side agent tasks. Empire also contains the ability to conduct PowerShell remoting with the Invoke-PSRemoting module.[105][106]
FIN10 uses PowerShell for execution as well as PowerShell Empire to establish persistence.[109][105]
FIN13 has used PowerShell commands to obtain DNS data from a compromised network.[110]
FIN6 has used PowerShell to gain access to merchants' networks, and a Metasploit PowerShell module to download and execute shellcode and to set up a local listener.[111][112][113]
FIN7 used a PowerShell script to launch shellcode that retrieved an additional payload.[114][115][116][117][118] Additionally, FIN7 has executed a custom obfuscation of the shellcode invoker in PowerSploit called POWERTRASH.[119]
FIN8's malicious spearphishing payloads are executed as PowerShell. FIN8 has also used PowerShell for lateral movement and credential access.[120][121][122][123]
FlawedAmmyy has used PowerShell to execute commands.[124]
Fox Kitten has used PowerShell scripts to access credential data.[125]
During Frankenstein, the threat actors used PowerShell to run a series of Base64-encoded commands that acted as a stager and enumerated hosts.[126]
GALLIUM used PowerShell for execution to assist in lateral movement as well as for dumping credentials stored on compromised machines.[127]
Gallmaker used PowerShell to download additional payloads and for execution.[128]
Gamaredon Group has used obfuscated PowerShell scripts for staging.[129][130] Gamaredon Group has also used PowerShell-based tools later in its attack chain,[131] and has used the PowerShell cmdlet Get-Command to download and execute the next stage payload.[132]
GLASSTOKEN can use PowerShell for command execution.[133]
GOLD SOUTHFIELD has staged and executed PowerShell scripts on compromised hosts.[134]
Gootloader can use an encoded PowerShell stager to write to the Registry for persistence.[135][136]
Gorgon Group malware can use PowerShell commands to download and execute a payload and open a decoy document on the victim’s machine.[137]
GRIFFON has used PowerShell to execute the Meterpreter downloader TinyMet.[138]
HAFNIUM has used the Exchange PowerShell module Set-OabVirtualDirectoryPowerShell to export mailbox data.[139][140]
HAMMERTOSS is known to use PowerShell.[141]
Havoc can facilitate the execution of PowerShell commands.[143]
HEXANE has used PowerShell-based tools and scripts for discovery and collection on compromised hosts.[145][146][147]
During HomeLand Justice, threat actors used PowerShell cmdlets New-MailboxSearch and Get-Recipient for discovery.[148][149]
Inception has used PowerShell to execute malicious commands and payloads.[150][151]
Indrik Spider has used PowerShell Empire for execution of malware.[152][153]
InvisibleFerret has utilized a PowerShell script created in the victim’s home directory named "conf.ps1" that is used to modify configuration files for AnyDesk remote services.[154]
IPsec Helper can run arbitrary PowerShell commands passed to it.[155]
JSS Loader has the ability to download and execute PowerShell scripts.[157]
During Juicy Mix, OilRig used a PowerShell script to steal credentials.[158]
KeyBoy uses PowerShell commands to download and execute payloads.[159]
KGH_SPY can execute PowerShell commands on the victim's machine.[160]
Kimsuky has executed a variety of PowerShell scripts including Invoke-Mimikatz.[161][162][163][164][165] Kimsuky has also utilized PowerShell scripts for execution, persistence, and defense evasion.[166]
KOCTOPUS has used PowerShell commands to download additional files.[167]
KONNI used PowerShell to download and execute a specific 64-bit version of the malware.[168][169]
Lazarus Group has used PowerShell to execute commands and malicious code.[170]
LazyScripter has used PowerShell scripts to execute malicious code.[167]
Leviathan has used PowerShell for execution.[171][172][173][174]
LitePower can use a PowerShell script to execute commands.[108]
LockBit 2.0 can use the PowerShell module InvokeGPUpdate to modify Group Policy.[176][177]
LockBit 3.0 can use PowerShell to apply Group Policy changes.[178]
Lokibot has used PowerShell commands embedded inside batch scripts.[179]
Lumma Stealer has used PowerShell for initial user execution and other functions.[180][181][182][183]
LunarWeb has the ability to run shell commands via PowerShell.[184]
Mafalda can execute PowerShell commands on a compromised machine.[185]
Magic Hound has used PowerShell for execution and privilege escalation.[186][187][188][189][190]
Medusa Group has leveraged PowerShell for execution and defense evasion.[191][192][193] Medusa Group has also utilized PowerShell to execute a bitsadmin transfer from a file hosting site.[194]
Medusa Ransomware has launched PowerShell scripts for execution and defense evasion.[194][195]
menuPass uses PowerSploit to inject shellcode into PowerShell.[196][197]
Meteor can use PowerShell commands to disable the network adapters on victim machines.[198]
MoustachedBouncer has used plugins to execute PowerShell scripts.[202]
MuddyWater has used PowerShell for execution.[203][204][205][206][207][208][209][210][211][212]
Mustang Panda has used malicious PowerShell scripts to enable execution.[213][214][215]
Netwalker has been written in PowerShell and executed directly in memory, avoiding detection.[216][217]
The NETWIRE binary has been executed via PowerShell script.[218]
njRAT has executed PowerShell commands via auto-run registry key persistence.[219]
Nomadic Octopus has used PowerShell for execution.[220]
OilRig has used PowerShell scripts for execution, including use of a macro to run a PowerShell command to decode file contents.[49][221][222][223]
During Operation Dream Job, Lazarus Group used PowerShell commands to explore the environment of compromised victims.[224]
During Operation Wocao, threat actors used PowerShell on compromised systems.[225]
OSX_OCEANLOTUS.D uses PowerShell scripts.[226]
Patchwork used PowerSploit to download payloads, run a reverse shell, and execute malware on the victim's machine.[227][228]
Pikabot Distribution February 2024 passed execution from obfuscated JavaScript files to PowerShell scripts to download and install Pikabot.[229]
Pillowmint has used a PowerShell script to install a shim database.[230]
Play has used Base64-encoded PowerShell scripts to disable Microsoft Defender.[231]
The Poseidon Group's Information Gathering Tool (IGT) includes PowerShell components.[232]
POSHSPY uses PowerShell to execute various commands, one to execute its payload.[233]
PowerExchange can use PowerShell to execute commands received from C2.[234]
PowerLess is written in and executed via PowerShell without using powershell.exe.[235]
PowerPunch has the ability to execute through PowerShell.[129]
PowerShower is a backdoor written in PowerShell.[150]
POWERSOURCE is a PowerShell backdoor.[236][237]
PowerSploit modules are written in and executed via PowerShell.[238][239]
PowerStallion uses PowerShell loops to iteratively check for available commands in its OneDrive C2 server.[240]
POWERSTATS uses PowerShell for obfuscation and execution.[241][207][242][211]
PowGoop has the ability to use PowerShell scripts to execute commands.[211]
Prestige can use PowerShell for payload execution on targeted systems.[244]
PUNCHBUGGY has used PowerShell scripts.[246]
Pupy has a module for loading and executing PowerShell scripts.[247]
Pysa has used PowerShell scripts to deploy its ransomware.[249]
QakBot can use PowerShell to download and execute payloads.[250]
Qilin has been deployed on VMware vCenter and ESXi servers via a custom PowerShell script.[251][252]
RansomHub can use PowerShell to delete volume shadow copies.[254]
There is a variant of RATANKBA that uses a PowerShell script instead of the traditional PE form.[255][256]
RedCurl has used PowerShell to execute commands and to download malware.[257][258][259]
Mustang Panda used LNK files to execute PowerShell commands leading to eventual PlugX installation during RedDelta Modified PlugX Infection Chain Operations.[260]
RegDuke can extract and execute PowerShell scripts from C2 communications.[107]
Revenge RAT uses the PowerShell command Reflection.Assembly to load itself into memory to aid in execution.[261]
REvil has used PowerShell to delete volume shadow copies and download files.[262][263][264][265]
RogueRobin uses a command prompt to run a PowerShell script from Excel.[88] To assist in establishing persistence, RogueRobin creates %APPDATA%\OneDrive.bat and saves the following string to it: powershell.exe -WindowStyle Hidden -exec bypass -File "%APPDATA%\OneDrive.ps1".[266][88]
Saint Bear relies extensively on PowerShell execution from malicious attachments and related content to retrieve and execute follow-on payloads.[267]
Sandworm Team has used PowerShell scripts to run a credential harvesting tool in memory to evade defenses.[268][6]
Sardonic has the ability to execute PowerShell commands on a compromised machine.[269]
Scattered Spider has used the PowerShell cmdlet Get-ADUser.[270]
SeaDuke uses a module to execute Mimikatz with PowerShell to perform Pass the Ticket.[18]
ServHelper has the ability to execute a PowerShell script to get information from the infected host.[271]
During SharePoint ToolShell Exploitation, threat actors used PowerShell to execute attacker-controlled encoded commands.[272][273][274][275]
SharpStage can execute arbitrary commands with PowerShell.[199][276]
SHARPSTATS has the ability to employ a custom PowerShell script.[242]
ShrinkLocker uses PowerShell to disable protectors used to secure the BitLocker encryption key on victim machines and then delete the key from the system.[277]
Sidewinder has used PowerShell to drop and execute malware loaders.[278]
Silence has used PowerShell to download and execute payloads.[279][280]
SILENTTRINITY can use PowerShell to execute commands.[281]
Sliver has built-in functionality to launch a PowerShell command prompt.[282]
SMOKEDHAM can execute PowerShell commands sent from its C2 server.[283]
Snip3 can use a PowerShell script for second-stage execution.[284][285]
During the SolarWinds Compromise, APT29 used PowerShell to create new tasks on remote machines, identify configuration settings, exfiltrate data, and execute other commands.[286][287][288]
Spica can use an obfuscated PowerShell command to create a scheduled task for persistence.[289]
SQLRat has used PowerShell to create a Meterpreter session.[290]
Squirrelwaffle has used PowerShell to execute its payload.[291][292]
Stealth Falcon malware uses PowerShell commands to perform various functions, including gathering system information via WMI and executing commands from its C2 server.[293]
Storm-0501 has leveraged PowerShell to execute commands and scripts.[294][295]
Storm-1811 has used PowerShell for multiple purposes, such as running PowerShell scripts in an infinite loop to create an SSH connection to a command and control server.[296]
StrelaStealer variants have used PowerShell scripts to download or drop payloads, including obfuscated variants that connect to a WebDAV server to download and execute an encrypted DLL for installation.[297]
StrongPity can use PowerShell to add files to the Windows Defender exclusions list.[298]
TA2541 has used PowerShell to download files and to inject into various Windows processes.[299]
TA505 has used PowerShell to download and execute malware and reconnaissance scripts.[301][302][303][304]
TAMECAT has used PowerShell to download and run additional content.[305]
TeamTNT has executed PowerShell commands in batch scripts.[306]
Threat Group-3390 has used PowerShell for execution.[307][63]
Thrip leveraged PowerShell to run commands to download payloads, traverse the compromised networks, and carry out reconnaissance.[308]
ToddyCat has used PowerShell scripts to perform post-exploitation collection.[309]
Tonto Team has used PowerShell to download additional payloads.[310]
TRANSLATEXT has used PowerShell to collect system information and to upload the collected data to a Github repository.[311]
TrickBot has been known to use PowerShell to download new payloads, open documents, and upload data to command and control servers.[312]
In the Triton Safety Instrumented System Attack, TEMP.Veles used a publicly available PowerShell-based tool, WMImplant.[313]
Troll Stealer creates and executes a PowerShell script to delete itself.[314]
Turla has used PowerShell to execute commands/scripts, in some cases via a custom executable or code from Empire's PSInject.[315][240][316] Turla has also used PowerShell scripts to load and execute malware in memory.
UNC3886 has used a PowerShell script to search memory dumps for credentials.[317]
Ursnif droppers have used PowerShell in download cradles to download and execute the malware's full executable payload.[318]
Valak has used PowerShell to download additional modules.[319]
Volt Typhoon has used PowerShell, including for remote system discovery.[320][321][322]
WarzoneRAT can use PowerShell to download files and execute commands.[323][324]
WellMess can execute PowerShell scripts received from C2.[325][326]
WhisperGate can use PowerShell to support multiple actions including execution and defense evasion.[327][328][329]
Winter Vivern passed execution from document macros to PowerShell scripts during initial access operations.[330] Winter Vivern used batch scripts that called PowerShell commands as part of initial access and installation operations.[331]
Wizard Spider has used macros to execute PowerShell scripts to download malware on victims' machines.[333] It has also used PowerShell to execute commands and move laterally through a victim network.[334][335][336][337]
Woody RAT can execute PowerShell commands and scripts with the use of .NET DLL, WoodyPowerSession.[338]
Xbash can use scripts to invoke PowerShell to download a malicious PE executable or PE DLL for execution.[339]
ZeroCleare can use a malicious PowerShell script to bypass Windows controls.[340]
Zeus Panda uses PowerShell to download and execute the payload.[341]