PowerShell is a command-line interface (CLI) built for automating tasks. Using cmdlets, you can configure systems and automate administrative work. Windows ships with PowerShell; simply type powershell into the Windows search bar to open it. You can also run PowerShell as administrator and save your commands as a script. PowerShell is great for forensics and can improve incident response for cybersecurity professionals as well. The best part of PowerShell is its ability to use external components such as Windows Management Instrumentation (WMI) and the .NET Framework.
Threat actors use it as well, because it is present on every Windows system and exposes powerful functionality that attackers can leverage. However, Microsoft's Antimalware Scan Interface (AMSI) lets defensive software scan all code passed to scripting engines such as PowerShell before it executes. This makes PowerShell quite safe to use. It also comes with logging features that record its activity, for example deep script block logging and module logging.
PowerShell Remoting lets admins and cybersecurity analysts execute commands on remote Windows machines over Windows Remote Management (WinRM). Because PowerShell Remoting requires administrative privileges, and firewall rules have to be created for it as well, the result is a more secure network that reduces lateral movement.
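To make the logging and remoting points above concrete, here is an added example (not from the original post) that switches on script block and module logging through their policy registry keys, reads back the resulting events, and lists the WinRM listener and firewall rules that Enable-PSRemoting creates. It assumes an elevated PowerShell session on a host whose policy is set locally (on a domain-managed host, set the same keys through Group Policy instead); the registry paths, event IDs and firewall rule group are the documented Microsoft ones.

```powershell
# Added example (not from the original post): enable PowerShell script block and
# module logging via the policy registry keys, confirm the settings, inspect the
# resulting events, and check the remoting (WinRM) listener and firewall rules.
# Assumes an elevated session on a host whose policy is set locally.

$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Script block logging: records the content of every script block PowerShell
# runs as Event ID 4104 (after de-obfuscation, the same code AMSI inspects).
$sbl = Join-Path $psPolicy 'ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# Module logging: records pipeline execution details (Event ID 4103) for the
# listed modules; a value named '*' with data '*' covers all modules.
$ml = Join-Path $psPolicy 'ModuleLogging'
New-Item -Path (Join-Path $ml 'ModuleNames') -Force | Out-Null
Set-ItemProperty -Path $ml -Name 'EnableModuleLogging' -Value 1 -Type DWord
Set-ItemProperty -Path (Join-Path $ml 'ModuleNames') -Name '*' -Value '*' -Type String

# Verify that both settings took effect.
Get-ItemProperty -Path $sbl | Select-Object EnableScriptBlockLogging
Get-ItemProperty -Path $ml  | Select-Object EnableModuleLogging

# Pull the 20 most recent script block events and show the logged script text
# (Properties[2] of a 4104 event is the ScriptBlockText field).
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'
    Id      = 4104
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ Name = 'ScriptBlock'; Expression = { $_.Properties[2].Value } }

# Remoting state: the WinRM listener and the firewall rule group that
# Enable-PSRemoting creates, so you can confirm what is actually exposed.
Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction SilentlyContinue
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue |
    Select-Object DisplayName, Enabled, Profile, Direction
```

Forward the 4103/4104 events to your SIEM once logging is on; the script block text in 4104 is what lets a responder reconstruct exactly what ran.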