MITRE ATT&CK Technique
Description
PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer. PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk. Administrator permissions are required to use PowerShell to connect to remote systems. A number of PowerShell-based offensive testing tools are available, including [Empire](https://attack.mitre.org/software/S0363), PowerSploit, (Citation: Powersploit) and PSAttack. (Citation: Github PSAttack) PowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary through interfaces to PowerShell's underlying System.Management.Automation assembly exposed through the .NET framework and Windows Common Language Interface (CLI). (Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015) (Citation: Microsoft PSfromCsharp APR 2014)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2017-05-31T21:31:06.512Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'PowerShell is a powerful interactive command-line interface '
'and scripting environment included in the Windows operating '
'system. (Citation: TechNet PowerShell) Adversaries can use '
'PowerShell to perform a number of actions, including '
'discovery of information and execution of code. Examples '
'include the Start-Process cmdlet which can be used to run an '
'executable and the Invoke-Command cmdlet which runs a command '
'locally or on a remote computer. \n'
'\n'
'PowerShell may also be used to download and run executables '
'from the Internet, which can be executed from disk or in '
'memory without touching disk.\n'
'\n'
'Administrator permissions are required to use PowerShell to '
'connect to remote systems.\n'
'\n'
'A number of PowerShell-based offensive testing tools are '
'available, including '
'[Empire](https://attack.mitre.org/software/S0363), '
'PowerSploit, (Citation: Powersploit) and PSAttack. (Citation: '
'Github PSAttack)\n'
'\n'
'PowerShell commands/scripts can also be executed without '
'directly invoking the powershell.exe binary through '
"interfaces to PowerShell's underlying "
'System.Management.Automation assembly exposed through the '
'.NET framework and Windows Common Language Interface (CLI). '
'(Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak '
'Offensive PS Dec 2015) (Citation: Microsoft PSfromCsharp APR '
'2014)',
'external_references': [{'external_id': 'T1086',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1086'},
{'description': 'Microsoft. (n.d.). Windows '
'PowerShell Scripting. Retrieved '
'April 28, 2016.',
'source_name': 'TechNet PowerShell',
'url': 'https://technet.microsoft.com/en-us/scriptcenter/dd742419.aspx'},
{'description': 'PowerSploit. (n.d.). Retrieved '
'December 4, 2014.',
'source_name': 'Powersploit',
'url': 'https://github.com/mattifestation/PowerSploit'},
{'description': 'Haight, J. (2016, April 21). '
'PS>Attack. Retrieved June 1, 2016.',
'source_name': 'Github PSAttack',
'url': 'https://github.com/jaredhaight/PSAttack'},
{'description': 'Warner, J.. (2015, January 6). '
'Inexorable PowerShell – A Red '
'Teamer’s Tale of Overcoming Simple '
'AppLocker Policies. Retrieved '
'December 8, 2018.',
'source_name': 'Sixdub PowerPick Jan 2016',
'url': 'http://www.sixdub.net/?p=367'},
{'description': 'Christensen, L.. (2015, December '
'28). The Evolution of Offensive '
'PowerShell Invocation. Retrieved '
'December 8, 2018.',
'source_name': 'SilentBreak Offensive PS Dec 2015',
'url': 'https://silentbreaksecurity.com/powershell-jobs-without-powershell-exe/'},
{'description': 'Babinec, K. (2014, April 28). '
'Executing PowerShell scripts from '
'C#. Retrieved April 22, 2019.',
'source_name': 'Microsoft PSfromCsharp APR 2014',
'url': 'https://blogs.msdn.microsoft.com/kebab/2014/04/28/executing-powershell-scripts-from-c/'},
{'description': 'Malware Archaeology. (2016, June). '
'WINDOWS POWERSHELL LOGGING CHEAT '
'SHEET - Win 7/Win 2008 or later. '
'Retrieved June 24, 2016.',
'source_name': 'Malware Archaeology PowerShell Cheat '
'Sheet',
'url': 'http://www.malwarearchaeology.com/s/Windows-PowerShell-Logging-Cheat-Sheet-ver-June-2016-v2.pdf'},
{'description': 'Dunwoody, M. (2016, February 11). '
'GREATER VISIBILITY THROUGH '
'POWERSHELL LOGGING. Retrieved '
'February 16, 2016.',
'source_name': 'FireEye PowerShell Logging 2016',
'url': 'https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html'}],
'id': 'attack-pattern--f4882e23-8aa7-4b12-b28a-b349c12ee9e0',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'execution'}],
'modified': '2025-10-24T17:49:36.765Z',
'name': 'PowerShell',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': True,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Praetorian'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows'],
'x_mitre_version': '1.2'}