Picus Security Explains MITRE ATT&CK PowerShell Technique
Cybersecurity firm Picus Security has published a detailed analysis of T1059.001, covering how PowerShell is used in attacks tracked by the MITRE ATT&CK framework.

Cybersecurity firm Picus Security has offered an in-depth look at T1059.001 PowerShell, a sub-technique within the MITRE ATT&CK framework. This technique describes how adversaries leverage PowerShell, a built-in Windows command-line shell and scripting environment, to execute malicious code.
PowerShell is a powerful tool included by default in Windows, providing deep access to the system's internals. This makes it attractive for both legitimate administration and malicious abuse. Attackers utilize PowerShell for running commands, launching scripts, gathering system information, downloading and executing payloads, and interacting with remote systems, often without writing files to disk.
As PowerShell is a trusted and widely deployed tool, its adversarial use can easily blend in with normal system activity. This helps attackers achieve objectives such as execution, persistence, lateral movement, and defense evasion. Picus Security’s analysis highlights how attackers often avoid installing third-party programs, preferring native tools to evade detection.
The report outlines examples of adversary procedures, including establishing persistence via Registry Run Keys (T1547.001) and adding exclusions to security tools like Microsoft Defender to conceal malware operations (T1562.001). These examples demonstrate PowerShell's versatility and its critical role in modern cyber threats.
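As an added illustration, not code from Picus Security's report or tooling, the following Python snippet shows how a defender might triage PowerShell Script Block Logging records (Event ID 4104) for the two procedures the report names: Run-key persistence (T1547.001) and Defender exclusions (T1562.001). The sample records and the regular-expression rules are constructed assumptions for this example.

```python
import re

# Constructed sample records modelled on PowerShell Script Block Logging
# (Event ID 4104) payloads: (hostname, script block text). Not real telemetry.
SAMPLE_SCRIPT_BLOCKS = [
    ("host01", r"Get-ChildItem C:\Users\alice\Documents | Measure-Object"),
    ("host02", r"Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' "
               r"-Name Updater -Value 'C:\Users\Public\u.ps1'"),
    ("host03", r"Add-MpPreference -ExclusionPath 'C:\Users\Public'"),
    ("host04", r"Get-MpPreference | Select-Object ExclusionPath"),  # read-only audit, benign
]

# Detection rules (assumed patterns): each label carries the ATT&CK ID the report cites.
# The Run-key rule covers both the PowerShell cmdlets and reg.exe; the Defender rule
# covers path, process and extension exclusions, not just the path case in the text.
RULES = {
    "T1547.001 Registry Run Keys": re.compile(
        r"(Set-ItemProperty|New-ItemProperty|reg(\.exe)?\s+add).*CurrentVersion\\Run",
        re.IGNORECASE),
    "T1562.001 Defender exclusion added": re.compile(
        r"(Add|Set)-MpPreference\s+-Exclusion(Path|Process|Extension)",
        re.IGNORECASE),
}


def classify(script_block: str) -> list:
    """Return the labels of every rule whose pattern matches one script block."""
    return [label for label, rx in RULES.items() if rx.search(script_block)]


def triage(records) -> list:
    """Return (host, label) pairs for each record that matches at least one rule.

    Records that match no rule (routine administration, read-only queries) are
    dropped, so the output is the analyst's review queue rather than the raw log.
    """
    hits = []
    for host, block in records:
        for label in classify(block):
            hits.append((host, label))
    return hits


if __name__ == "__main__":
    for host, label in triage(SAMPLE_SCRIPT_BLOCKS):
        print(f"{host}: {label}")
```

Only host02 and host03 are surfaced; the Get-MpPreference query on host04 is deliberately not flagged, since reading exclusions is normal audit activity and only additions are of interest.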