惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
B
Blog RSS Feed
宝玉的分享
宝玉的分享
腾讯CDC
博客园_首页
T
Tailwind CSS Blog
月光博客
月光博客
博客园 - 司徒正美
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
M
MIT News - Artificial intelligence
A
About on SuperTechFans
云风的 BLOG
云风的 BLOG
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
有赞技术团队
有赞技术团队
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
大猫的无限游戏
大猫的无限游戏
MongoDB | Blog
MongoDB | Blog
博客园 - 聂微东
V
Visual Studio Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
SecWiki News
SecWiki News
美团技术团队
P
Privacy International News Feed
H
Help Net Security
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Microsoft Security Blog
Microsoft Security Blog
Know Your Adversary
Know Your Adversary
Y
Y Combinator Blog
D
DataBreaches.Net
Project Zero
Project Zero
T
The Blog of Author Tim Ferriss
Cyberwarzone
Cyberwarzone
C
Cybersecurity and Infrastructure Security Agency CISA
C
Cisco Blogs
S
Schneier on Security
G
GRAHAM CLULEY
博客园 - 三生石上(FineUI控件)
Cisco Talos Blog
Cisco Talos Blog
小众软件
小众软件
Forbes - Security
Forbes - Security
D
Docker
T
Tenable Blog
S
Secure Thoughts
雷峰网
雷峰网
S
Security @ Cisco Blogs
T
The Exploit Database - CXSecurity.com
The Cloudflare Blog
博客园 - 【当耐特】
Spread Privacy
Spread Privacy
阮一峰的网络日志
阮一峰的网络日志

Arctic Wolf

Home-Field Disadvantage: AiTM, QR-Code Phishing, and Infostealers at the 2026 FIFA World Cup arcticwolf.com arcticwolf.com Celebrating Arctic Wolf’s 2026 Partner of the Year Winners at Global Partner Kickoff Celebrating Arctic Wolf’s 2026 Partner of the Year Winners at Global Partner Kickoff Die Auswahl Einer Vulnerability Management-Lösung The Hidden Economics of the Agentic SOC The Hidden Economics of the Agentic SOC | Arctic Wolf Security Operations in Maschinen-Geschwindigkeit Aurora Mobile Threat Defense — Addressing Your Highest‑Trusted, Least Protected Endpoints - Arctic Wolf Aurora Mobile Threat Defense — Addressing Your Highest‑Trusted, Least Protected Endpoints - Arctic Wolf How Aurora Managed Endpoint Defense Combines Experts and Technology to Simplify Security Aurora Endpoint Sicherheitsportfolioa | Arctic Wolf From Token Bingo to MAX Takeover: Kali365 Operator Expands Operation Across Microsoft Outlook, Okta, Xerox DocuShare, and Other Services From Token Bingo to MAX Takeover: Kali365 Operator Expands Operation Across Microsoft Outlook, Okta, Xerox DocuShare, and Other Services arcticwolf.com arcticwolf.com Arctic Wolf Product Updates: May 2026 arcticwolf.com Arctic Wolf Product Updates: May 2026 FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer Disguised as a Fortinet Patch - Arctic Wolf FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer Disguised as a Fortinet Patch What’s New What’s Next with Arctic Wolf: May 2026 Update Cybersecurity Trends in the Age of AI arcticwolf.com Arctic Wolf、AI搭載のモバイル脅威防御ソリューションを発表、 増加するモバイル端末を標的としたサイバー攻撃から組織を保護 How Arctic Wolf Aurora Mobile Threat Defense Protects the Mobile Attack Surface How AI Is Transforming Detection Engineering 「Aurora Mobile Threat Defense」の提供が開始されました Accelerating Cloud Security Outcomes Together: Why Arctic Wolf and Wiz are Redefining What’s Possible - Arctic Wolf InfoSecurity Europe 2026 OpenAI Daybreak and the Future of Secure Software Development - Arctic Wolf OpenAI Daybreak and the Future of Secure Software Development Turning Security Telemetry Into Actionable Insights | Arctic Wolf Detecting Identity Attacks at Scale with Herd Immunity Detecting Identity Attacks at Scale with Herd Immunity | Arctic Wolf arcticwolf.com arcticwolf.com How to Gain Visibility and Reduce Exposure with Aurora Attack Surface Management arcticwolf.com Mini Shai-Hulud: Supply Chain Malware Attack arcticwolf.com arcticwolf.com arcticwolf.com arcticwolf.com arcticwolf.com arcticwolf.com arcticwolf.com arcticwolf.com arcticwolf.com Arctic Wolf Introduces the Next Era of Exposure Management to Help Organizations Outpace AI-Accelerated Vulnerability Discovery Arctic Wolf Launches AI-Powered Mobile Threat Defense to Protect Organizations Against Growing Mobile-based Cyber Threats Aurora Mobile Threat Defense is Now Available Turning Visibility Into Action: Introducing Aurora Exposure Management Protecting Against IOT Security Risks | Arctic Wolf CVE-2026-0300 — Critical Buffer Overflow in PAN-OS User-ID Authentication Portal IoT Security Risks | Arctic Wolf arcticwolf.com Should Your Organization Rely on XDR? | Arctic Wolf 止まらないランサムウェア被害 - Qilinの事案から読み解く、検知、対応と経営判断 arcticwolf.com Why Cybersecurity Still Matters Even If AI Improves Secure Development | Arctic Wolf Aurora® Attack Surface Management For Healthcare arcticwolf.com arcticwolf.com arcticwolf.com arcticwolf.com arcticwolf.com CVE-2026-41940: Critical Exploited Authentication Bypass Vulnerability in cPanel & WHM Why Vulnerability Prioritization Requires More Than a Score | Arctic Wolf Token Bingo: Don’t Let Your Code be the Winner EFM Philadelphia IT Symposium MN Bankers Operations and Technology Conference SecureMiami 2025 Cyber Identity Summit – Ottawa MISA Exec Summit – Victoria Arkansas IT Symposium – efmEvents Cybersecurity Summit – Boston Houston Technology Summit – elevateIT Nevada Public Sector Cybersecurity Summit SecureWorld Philadelphia Nick Schneider of Arctic Wolf named Entrepreneur Of The Year® 2026 Heartland finalist by EY US arcticwolf.com arcticwolf.com Introducing Decipio: A Community Tool to Catch Credential Theft in the Act with Defense First AI Arctic Wolf Introduces Decipio, a Community Tool to Catch Credential Theft with Defense‑First AI Proxy Server Endpoint Endpoint Detection and Response AIマルウェアの急増:その挙動、攻撃主体の特定、防御体制の備え arcticwolf.com arcticwolf.com Project Glasswing Marks a Turning Point for Cybersecurity Frontier AI Models Mark a Turning Point for Cybersecurity arcticwolf.com arcticwolf.com Building Cyber Resilience with Arctic Wolf: A Practical Approach for Security Leaders Arctic Wolf、東映デジタルラボ株式会社を Aurora Managed Endpoint Defenseで保護 Arctic Wolf Named a 2026 Gartner® Peer Insights™ Customers’ Choice for Managed Detection and Response arcticwolf.com
PowerShell Security | Arctic Wolf
Arctic Wolf · 2026-05-14 · via Arctic Wolf

PowerShell is one of the most important, versatile software tools used in IT automation. Unfortunately, it has also become a powerful instrument for cybercriminals, and a major threat to endpoint security.

In recent years, PowerShell has been used to successfully execute intrusion campaigns around the world. If left unchecked, PowerShell represents a significant threat to enterprises of all sizes. But with some knowledge and understanding of PowerShell security best practices, the risk can be significantly reduced.

What is PowerShell?

PowerShell is a software program built into the Microsoft Windows operating system, though it can also be optionally installed on Mac and Linux systems. It is used by IT professionals to conduct many types of system administration tasks on computer systems in business environments.

Think of PowerShell like an adjustable wrench — it can help turn the crank on any number of software and configuration tasks on enterprise endpoints. It can help with system and activity monitoring; software updates and reboots; user, identity, and access management; system configurations, including security policy and enforcement; and data collection for troubleshooting, reporting, and compliance.

Many of the above tasks can be complex, require a very specific level of detail, or must be executed remotely or on an ongoing basis. With support for custom scripting and automation, PowerShell can be adapted to execute a wide variety of IT systems management use cases, with relative ease.

Why is PowerShell a Security Threat?

PowerShell’s ubiquitous position on Windows-based endpoints and its wide-ranging capabilities make it a powerful tool for IT and security administrators alike. Unfortunately, it can be an equally powerful tool in the hands of an attacker.

History has shown that an attacker can employ PowerShell as a helpful tool at nearly any point in the lifecycle of a cyber attack. Here are several examples of how PowerShell facilitates threat actors:

Payload Delivery/Initial Access

Most cyber attacks begin with some kind of technical and/or human exploit, often conveyed via a malicious file or link in an email. Once the link is clicked or the file is opened, the attacker must ensure an initial foothold is gained, ideally without the victim user ever realizing it.

That’s where PowerShell comes in. Malicious files or links frequently contain a script — a prewritten set of commands — that is secretly executed using PowerShell. One of the most common tactics is for an attacker to use PowerShell to invoke fileless malware, downloaded and executed without ever saving a malicious file to disk. This approach is not only often missed by traditional security controls but is also unnoticeable to the user.

Privilege Escalation

Many multistage cyber attacks require a perpetrator to elevate user privileges on the initial target system, a critical step that enables follow-on actions. PowerShell is the perfect tool for malicious privilege escalation. Because it is a direct conduit to Windows system components, such as the .NET Framework and Active Directory, an attacker can often use PowerShell to execute numerous privilege escalation techniques, such as identify and abuse misconfigurations, DLL hijacking, and User Account Control bypass, among others.

Lateral Movement

Once an attacker has the necessary access, the next step is to foster connections with other digital locations of value. This is referred to as lateral movement. Once again, PowerShell fits the bill. An attacker can use it to run reconnaissance commands, identify targets, and take action on those targets by transferring hacking tools, executing malware, or even opening PowerShell sessions to spread even further.

Persistence and Evasion

A multistage attack will get shut down fast if the adversary doesn’t stay hidden. PowerShell provides ways for an attacker to cloak malicious activity. PowerShell is almost always used when an attacker wishes to employ hard-to-detect fileless malware; it can download and run files in memory, where they can be quickly disposed of with little evidence after the fact. Malicious PowerShell commands can be automated to run at times when they are less likely to be noticed or bundled within established trusted processes. And, while PowerShell does have logs, savvy adversaries can delete or manipulate those logs to cover their tracks.

Data Exfiltration

When an attacker identifies valuable data and is ready to steal it, PowerShell serves as a one-stop-shop for data exfiltration services. It can identify wanted data based on various attributes, compress and break up data into hard-to-spot fragments, encrypt data so that the contents of outbound network traffic flows can’t be easily examined, and facilitate the actual exfiltration via any number of pathways, including HTTPS, DNS, FTP, cloud storage, or email (SMTP).

Example PowerShell Attacks

The techniques outlined above aren’t new. Unfortunately, attackers have used them successfully for quite some time.

SolarWinds

In late 2020, a software compromise was discovered in the SolarWinds Orion IT systems management product, used by thousands of organizations globally. A flaw in the software enabled attackers to use Orion as a conduit to launch malware and remotely execute a variety of malicious actions against approximately 18,000 SolarWinds’ customers, becoming one of the most high-profile and costly cyberattack campaigns in history.

The attackers employed PowerShell in multiple phases of the attack. After obtaining a list of users and roles, they used PowerShell commands to discover the privileged domain accounts that would enable them to expand their permissions for follow-on actions. Later, they used PowerShell on target customer machines to execute a variety of commands remotely, including data exfiltration.

NotPetya

A series of global attacks beginning in 2017 utilized a type of self-propagating malware, which came to be called NotPetya. While the malware initially appeared to resemble the well-known Petya ransomware, it earned its modified name because its main purpose wasn’t to extort ransoms, but rather to simply destroy data and related IT assets on compromised systems.

PowerShell proved useful in a number of ways. Even though NotPetya spread itself, once it landed on a new target system, it would use PowerShell to gather system information, including credentials, download malware, and execute precursor commands needed to set the stage for data and drive corruption.

Emotet Incidents

Emotet is a remote access trojan (RAT) most commonly used in multistage phishing attacks. It became prominent during a series of malware campaigns that peaked from 2018-2021 but continue to this day. The phishing messages tricked victims into opening a malicious Microsoft Word or Excel document, which in turn downloaded a variety of malicious files enabling follow-on actions, often including ransomware.

Once again, PowerShell played a prominent role. Once the user opened the infected file, it would trigger obfuscated PowerShell scripts. Those scripts would create a remote connection to download and run in-memory malware, often avoiding detection.

Understanding PowerShell Security Challenges

It’s clear that PowerShell represents a considerable cybersecurity risk: it can facilitate many different types of attacks and do so in a way that can be challenging to detect. So, it’s important for organizations to implement PowerShell security controls to gain visibility into how PowerShell is used, prevent malicious PowerShell commands, and detect PowerShell actions that require further review.

If only it were that easy. For most organizations, PowerShell security is surprisingly challenging. Here are just a few of the reasons why:

Lack of Awareness

Despite PowerShell’s long-standing role as an enabler of cyber attacks, many organizations are unaware of the critical role it plays. Because the step-by-step details of how specific cyber attacks work can be quite technical, effectively conveying that need for PowerShell security to business leaders can be quite challenging. Even many IT and cybersecurity leaders are often unaware of or underplay its importance.

Ubiquitous Nature of PowerShell

PowerShell is essentially built into Windows and is often an essential system administration tool. It is the vehicle through which administrators can view and make configuration adjustments to areas deep within Windows, including the registry, system processes, and Windows application and file systems. Simply turning it off is almost impossible: there are no viable alternatives for some PowerShell functions.

Insecure Legacy Versions of PowerShell

In 2018, Microsoft released a major revamp of PowerShell, based on the Microsoft .NET Core software development framework. This enabled PowerShell versions 6.0 and later to take advantage of modern security features built into Windows. However, earlier, less secure versions of PowerShell are often installed by default, even on current Windows versions, granting attackers an opportunity to leverage it in attacks.

Zero-Day Vulnerabilities

PowerShell has been the target of black hat researchers who discover “zero-day” or unknown vulnerabilities in PowerShell, exploiting them in ways for which there is little or no way to defend. Similarly, attackers can use PowerShell to exploit zero-day vulnerabilities in Windows itself, which may also be hard to detect or prevent.

Insecure Default Configurations

The standard initial configurations for PowerShell are widely considered to be too permissive. For example, even when execution restriction policies are put in place, attackers can usually bypass them, simply by running a PowerShell command to do so. Also, PowerShell scripts do not require any sort of digital signing for validation, as other Windows functions often do, meaning malicious or unauthorized scripts can be run unless explicit policy controls are in place to prevent it.

Detection and Forensics Challenges

Organizations that monitor PowerShell without implementing specific security controls may not be doing enough. Attackers can utilize PowerShell to not only download in-memory fileless malware that doesn’t leave a trace, but they can also alter or erase PowerShell’s logs, making it difficult to determine if PowerShell was used maliciously after the fact.

PowerShell Security Best Practices

Fortunately, despite the security challenges it presents, PowerShell security measures can be put in place to significantly decrease the risk it presents to organizations. Some of the most common ones are summarized below.

Constrained Language Mode

One of the most comprehensive built-in PowerShell security controls is called constrained language mode. This limits PowerShell to a safe subset of commands, and blocks operations commonly used by attackers. It is often used as a default setting for standard (non-administrator) Windows users.

PowerShell Script Control

PowerShell includes an execution limitation policy option that can provide a control regarding how PowerShell loads configuration files and runs scripts. As noted, one of attackers’ favorite techniques is to create a malicious PowerShell script, and trick users into running it. Administrators can enable this control in Windows Group Policy on a per-user and per-host basis.

Application Control Logging

Newer versions of Windows include application control technologies that can be used to implement system-wide security controls on applications, including PowerShell. It’s considered to be a broadly effective mechanism to prevent arbitrary code execution using PowerShell. In Windows 10, the preferred mechanism is called App Control.

PowerShell Logging

It’s common for organizations to overlook or ignore enabling PowerShell logging. But logging is critical to audit PowerShell activity, particularly should a malicious or anomalous event take place. Organizations can enable different types of PowerShell logging, including module logging and script block (executable script segment) logging, via both Windows and Group Policy settings.

There are a number of other notable PowerShell security best practices that may be appropriate for specific organizations or use cases. Organizations should consult with Microsoft and review Microsoft PowerShell documentation to determine if these additional measures are appropriate.

Protect Against PowerShell Attacks with Arctic Wolf

Organizations need state-of-the-art endpoint security technology that is not only made by experts who understand these challenges, but also deliver proven capabilities to detect and prevent PowerShell attacks.

Arctic Wolf Aurora™ Endpoint Defense, which includes Aurora Protect, delivers market-leading AI-driven prevention, detection, and response, stopping threats before they disrupt your business.

Aurora Endpoint Defense provides a number of built-in PowerShell security capabilities, including PowerShell activity monitoring, control of script execution, and integration with endpoint application controls.

Designed to be easy to use and highly effective, whether on its own or with 24×7 monitoring, Arctic Wolf’s endpoint security offerings provide flexible deployment options so you can strengthen your defenses and ultimately, protect your organization from costly breaches.

See Aurora Endpoint Defense in action, and learn more about Arctic Wolf’s breadth of Managed Endpoint Defense options as well.