During the 2016 Ukraine Electric Power Attack, Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses.[6]
During the 2022 Ukraine Electric Power Attack, Sandworm Team utilized a PowerShell utility called TANKTRAP to spread and launch a wiper using Windows Group Policy.[7]
AADInternals is written and executed via PowerShell.[8]
Akira will execute PowerShell commands to delete system volume shadow copies.[9]
AppleSeed has the ability to execute its payload via PowerShell.[10]
APT28 downloads and executes PowerShell scripts and performs PowerShell commands.[12][13][14]
APT29 has used encoded PowerShell scripts uploaded to CozyCar installations to download and install SeaDuke.[15][16][17][18]
APT3 has used PowerShell on victim systems to download and run payloads after exploitation.[19]
APT32 has used PowerShell-based tools, PowerShell one-liners, and shellcode loaders for execution.[20][21][22]
APT33 has utilized PowerShell to download files from the C2 server and run various scripts.[23][24]
APT38 has used PowerShell to execute commands and other operational tasks.[25]
APT39 has used PowerShell to execute malicious code.[26][27]
APT41 leveraged PowerShell to deploy malware families in victims’ environments.[28][29]
APT5 has used PowerShell to accomplish tasks within targeted environments.[30]
Aquatic Panda has downloaded additional scripts and executed Base64 encoded commands in PowerShell.[31]
AutoIt backdoor downloads a PowerShell script that decodes to a typical shellcode loader.[32]
BADHATCH can utilize powershell.exe to execute commands on a compromised host.[33][34]
Bandook has used PowerShell loaders as part of execution.[35]
Bazar can execute a PowerShell script received from C2.[36][37]
Black Basta has used PowerShell scripts for discovery and to execute files over the network.[38][39][40]
BloodHound can use PowerShell to pull Active Directory information from the target environment.[41]
Blue Mockingbird has used PowerShell reverse TCP shells to issue interactive commands over a network connection.[42]
BONDUPDATER is written in PowerShell.[43][44]
BRONZE BUTLER has used PowerShell for execution.[45]
During C0018, the threat actors used encoded PowerShell scripts for execution.[47][48]
During C0021, the threat actors used obfuscated PowerShell to extract an encoded payload from within an .LNK file.[49][50]
During the C0032 campaign, TEMP.Veles used PowerShell to perform timestomping.[51]
CharmPower can use PowerShell for payload execution and C2 communication.[52]
Chimera has used PowerShell scripts to execute malicious payloads and the DSInternals PowerShell module to make use of Active Directory features.[53][54]
CHIMNEYSWEEP can invoke the PowerShell command [Reflection.Assembly]::LoadFile(\"%s\")\n$i=\"\"\n$r=[%s]::%s(\"%s\",[ref] $i)\necho $r,$i\n to execute secondary payloads.[55]
Cinnamon Tempest has used PowerShell to communicate with C2, download files, and execute reconnaissance commands.[56]
The Clambling dropper can use PowerShell to download the malware.[57]
Cobalt Group has used powershell.exe to download and execute scripts.[58][59][60][61][62][63]
Cobalt Strike can execute a payload on a remote host with PowerShell. This technique does not write any data to disk.[64][65] Cobalt Strike can also use PowerSploit and other scripting frameworks to perform execution.[66][67][68][69]
ComRAT has used PowerShell to load itself every time a user logs in to the system. ComRAT can execute PowerShell scripts loaded into memory or from the file system.[70][71]
Confucius has used PowerShell to execute malicious files and payloads.[72]
ConnectWise can be used to execute PowerShell commands on target machines.[73]
CopyKittens has used PowerShell Empire.[74]
Covenant can create PowerShell-based launchers for Grunt installation.[75]
CrackMapExec can execute PowerShell commands via WMI.[76]
CreepyDrive can use PowerShell for execution, including the cmdlets Invoke-WebRequest and Invoke-Expression.[77]
CreepySnail can use PowerShell for execution, including the cmdlets Invoke-WebRequest and Invoke-Expression.[77]
Cuba has been dropped onto systems and used for lateral movement via obfuscated PowerShell scripts.[78]
CURIUM has leveraged PowerShell scripts for initial process execution and data gathering in victim environments.[79]
Daggerfly used PowerShell to download and execute remote-hosted files on victim systems.[80]
DarkHydrus leveraged PowerShell to download and execute additional scripts for execution.[81][82]
DarkVishnya used PowerShell to create shellcode loaders.[83]
DarkWatchman can execute PowerShell commands and has used PowerShell to execute a keylogger.[84]
Deep Panda has used PowerShell scripts to download and execute programs in memory, without writing to disk.[85]
Donut can generate shellcode outputs that execute via PowerShell.[86]
Dragonfly has used PowerShell scripts for execution.[88][89]
Earth Lusca has used PowerShell to execute commands.[90]
Egregor has used an encoded PowerShell command by a service created by Cobalt Strike for lateral movement.[91]
Ember Bear has used PowerShell commands to gather information from compromised systems, such as email servers.[92]
Emotet has used PowerShell to retrieve the malicious payload and download additional resources like Mimikatz.[93][94][95][96][97]
Empire leverages PowerShell for the majority of its client-side agent tasks. Empire also contains the ability to conduct PowerShell remoting with the Invoke-PSRemoting module.[98][99]
FIN10 uses PowerShell for execution as well as PowerShell Empire to establish persistence.[102][98]
FIN13 has used PowerShell commands to obtain DNS data from a compromised network.[103]
FIN6 has used PowerShell to gain access to merchants' networks, and a Metasploit PowerShell module to download and execute shellcode and to set up a local listener.[104][105][106]
FIN7 used a PowerShell script to launch shellcode that retrieved an additional payload.[107][108][109][110]
FIN8's malicious spearphishing payloads are executed as PowerShell. FIN8 has also used PowerShell for lateral movement and credential access.[111][112][113][114]
FlawedAmmyy has used PowerShell to execute commands.[115]
Fox Kitten has used PowerShell scripts to access credential data.[116]
During Frankenstein, the threat actors used PowerShell to run a series of Base64-encoded commands that acted as a stager and enumerated hosts.[117]
GALLIUM used PowerShell for execution to assist in lateral movement as well as for dumping credentials stored on compromised machines.[118]
Gallmaker used PowerShell to download additional payloads and for execution.[119]
Gamaredon Group has used obfuscated PowerShell scripts for staging.[120]
GLASSTOKEN can use PowerShell for command execution.[121]
GOLD SOUTHFIELD has staged and executed PowerShell scripts on compromised hosts.[122]
Gootloader can use an encoded PowerShell stager to write to the Registry for persistence.[123][124]
Gorgon Group malware can use PowerShell commands to download and execute a payload and open a decoy document on the victim’s machine.[125]
GRIFFON has used PowerShell to execute the Meterpreter downloader TinyMet.[126]
HAFNIUM has used the Exchange PowerShell cmdlet Set-OabVirtualDirectory to export mailbox data.[127][128]
HAMMERTOSS is known to use PowerShell.[129]
HEXANE has used PowerShell-based tools and scripts for discovery and collection on compromised hosts.[132][133][134]
During HomeLand Justice, threat actors used PowerShell cmdlets New-MailboxSearch and Get-Recipient for discovery.[135][136]
Inception has used PowerShell to execute malicious commands and payloads.[137][138]
Indrik Spider has used PowerShell Empire for execution of malware.[139][140]
IPsec Helper can run arbitrary PowerShell commands passed to it.[141]
JSS Loader has the ability to download and execute PowerShell scripts.[143]
KeyBoy uses PowerShell commands to download and execute payloads.[144]
KGH_SPY can execute PowerShell commands on the victim's machine.[145]
Kimsuky has executed a variety of PowerShell scripts including Invoke-Mimikatz.[146][147][148][149][150]
KOCTOPUS has used PowerShell commands to download additional files.[151]
KONNI used PowerShell to download and execute a specific 64-bit version of the malware.[152][153]
Lazarus Group has used PowerShell to execute commands and malicious code.[154]
LazyScripter has used PowerShell scripts to execute malicious code.[151]
Leviathan has used PowerShell for execution.[155][156][157][158]
LitePower can use a PowerShell script to execute commands.[101]
Lokibot has used PowerShell commands embedded inside batch scripts.[160]
LunarWeb has the ability to run shell commands via PowerShell.[161]
Mafalda can execute PowerShell commands on a compromised machine.[162]
Magic Hound has used PowerShell for execution and privilege escalation.[163][164][165][166][167]
menuPass uses PowerSploit to inject shellcode into PowerShell.[168][169]
Meteor can use PowerShell commands to disable the network adapters on victim machines.[170]
MoustachedBouncer has used plugins to execute PowerShell scripts.[174]
MuddyWater has used PowerShell for execution.[175][176][177][178][179][180][181][182][183][184]
Mustang Panda has used malicious PowerShell scripts to enable execution.[185][186]
Netwalker has been written in PowerShell and executed directly in memory, avoiding detection.[187][188]
The NETWIRE binary has been executed via PowerShell script.[189]
njRAT has executed PowerShell commands via auto-run registry key persistence.[190]
Nomadic Octopus has used PowerShell for execution.[191]
OilRig has used PowerShell scripts for execution, including use of a macro to run a PowerShell command to decode file contents.[43][192][193]
During Operation Dream Job, Lazarus Group used PowerShell commands to explore the environment of compromised victims.[194]
During Operation Wocao, threat actors used PowerShell on compromised systems.[195]
OSX_OCEANLOTUS.D uses PowerShell scripts.[196]
Patchwork used PowerSploit to download payloads, run a reverse shell, and execute malware on the victim's machine.[197][198]
Pikabot Distribution February 2024 passed execution from obfuscated JavaScript files to PowerShell scripts to download and install Pikabot.[199]
Pillowmint has used a PowerShell script to install a shim database.[200]
Play has used Base64-encoded PowerShell scripts to disable Microsoft Defender.[201]
The Poseidon Group's Information Gathering Tool (IGT) includes PowerShell components.[202]
POSHSPY uses PowerShell to execute various commands, one to execute its payload.[203]
PowerLess is written in and executed via PowerShell without using powershell.exe.[204]
PowerPunch has the ability to execute through PowerShell.[120]
PowerShower is a backdoor written in PowerShell.[137]
POWERSOURCE is a PowerShell backdoor.[205][206]
PowerSploit modules are written in and executed via PowerShell.[207][208]
PowerStallion uses PowerShell loops to iteratively check for available commands in its OneDrive C2 server.[209]
POWERSTATS uses PowerShell for obfuscation and execution.[210][179][211][183]
PowGoop has the ability to use PowerShell scripts to execute commands.[183]
Prestige can use PowerShell for payload execution on targeted systems.[213]
PUNCHBUGGY has used PowerShell scripts.[215]
Pupy has a module for loading and executing PowerShell scripts.[216]
Pysa has used PowerShell scripts to deploy its ransomware.[218]
QakBot can use PowerShell to download and execute payloads.[219]
There is a variant of RATANKBA that uses a PowerShell script instead of the traditional PE form.[221][222]
RedCurl has used PowerShell to execute commands and to download malware.[223][224][225]
RegDuke can extract and execute PowerShell scripts from C2 communications.[100]
Revenge RAT uses the PowerShell command Reflection.Assembly to load itself into memory to aid in execution.[226]
REvil has used PowerShell to delete volume shadow copies and download files.[227][228][229][230]
RogueRobin uses a command prompt to run a PowerShell script from Excel.[81] To assist in establishing persistence, RogueRobin creates %APPDATA%\OneDrive.bat and saves the following string to it: powershell.exe -WindowStyle Hidden -exec bypass -File "%APPDATA%\OneDrive.ps1".[231][81]
Saint Bear relies extensively on PowerShell execution from malicious attachments and related content to retrieve and execute follow-on payloads.[232]
Sandworm Team has used PowerShell scripts to run a credential harvesting tool in memory to evade defenses.[233][6]
Sardonic has the ability to execute PowerShell commands on a compromised machine.[234]
SeaDuke uses a module to execute Mimikatz with PowerShell to perform Pass the Ticket.[15]
ServHelper has the ability to execute a PowerShell script to get information from the infected host.[235]
SharpStage can execute arbitrary commands with PowerShell.[171][236]
SHARPSTATS has the ability to employ a custom PowerShell script.[211]
Sidewinder has used PowerShell to drop and execute malware loaders.[237]
Silence has used PowerShell to download and execute payloads.[238][239]
SILENTTRINITY can use PowerShell to execute commands.[240]
SMOKEDHAM can execute PowerShell commands sent from its C2 server.[241]
Snip3 can use a PowerShell script for second-stage execution.[242][243]
During the SolarWinds Compromise, APT29 used PowerShell to create new tasks on remote machines, identify configuration settings, exfiltrate data, and execute other commands.[244][245][246]
Spica can use an obfuscated PowerShell command to create a scheduled task for persistence.[247]
SQLRat has used PowerShell to create a Meterpreter session.[248]
Squirrelwaffle has used PowerShell to execute its payload.[249][250]
Stealth Falcon malware uses PowerShell commands to perform various functions, including gathering system information via WMI and executing commands from its C2 server.[251]
StrongPity can use PowerShell to add files to the Windows Defender exclusions list.[252]
TA2541 has used PowerShell to download files and to inject into various Windows processes.[253]
TA505 has used PowerShell to download and execute malware and reconnaissance scripts.[255][256][257][258]
TeamTNT has executed PowerShell commands in batch scripts.[259]
Threat Group-3390 has used PowerShell for execution.[260][57]
Thrip leveraged PowerShell to run commands to download payloads, traverse the compromised networks, and carry out reconnaissance.[261]
ToddyCat has used PowerShell scripts to perform post-exploitation collection.[262]
Tonto Team has used PowerShell to download additional payloads.[263]
TrickBot has been known to use PowerShell to download new payloads, open documents, and upload data to command and control servers.[264]
In the Triton Safety Instrumented System Attack, TEMP.Veles used a publicly available PowerShell-based tool, WMImplant.[265]
Turla has used PowerShell to execute commands/scripts, in some cases via a custom executable or code from Empire's PSInject.[266][209][267] Turla has also used PowerShell scripts to load and execute malware in memory.
Ursnif droppers have used PowerShell in download cradles to download and execute the malware's full executable payload.[268]
Valak has used PowerShell to download additional modules.[269]
Volt Typhoon has used PowerShell including for remote system discovery.[270][271][272]
WarzoneRAT can use PowerShell to download files and execute commands.[273][274]
WellMess can execute PowerShell scripts received from C2.[275][276]
WhisperGate can use PowerShell to support multiple actions including execution and defense evasion.[277][278][279]
Winter Vivern passed execution from document macros to PowerShell scripts during initial access operations.[280] Winter Vivern used batch scripts that called PowerShell commands as part of initial access and installation operations.[281]
Wizard Spider has used macros to execute PowerShell scripts to download malware on victims' machines.[283] It has also used PowerShell to execute commands and move laterally through a victim network.[284][285][286][287]
Woody RAT can execute PowerShell commands and scripts with the use of .NET DLL, WoodyPowerSession.[288]
Xbash can use scripts to invoke PowerShell to download a malicious PE executable or PE DLL for execution.[289]
ZeroCleare can use a malicious PowerShell script to bypass Windows controls.[290]
Zeus Panda uses PowerShell to download and execute the payload.[291]