# Stopping "PowerShell without PowerShell" Attacks

By [Stav Setty](https://www.paloaltonetworks.com/blog/author/stav-setty/?ts=markdown "Posts by Stav Setty") and [Aviad Meyer](https://www.paloaltonetworks.com/blog/author/aviad-meyer/?ts=markdown "Posts by Aviad Meyer")
Feb 09, 2021, 5 minutes

[Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown) [Attack](https://www.paloaltonetworks.com/blog/tag/attack/?ts=markdown) [Cortex XDR](https://www.paloaltonetworks.com/blog/tag/cortex-xdr/?ts=markdown) [Defend](https://www.paloaltonetworks.com/blog/tag/defend/?ts=markdown)
[Detect](https://www.paloaltonetworks.com/blog/tag/detect/?ts=markdown) [Powershell](https://www.paloaltonetworks.com/blog/tag/powershell/?ts=markdown)

## Executive Summary

The Cortex XDR Security Research Team recently observed "PowerShell without PowerShell" activity: PowerShell commands and scripts that execute without ever invoking the powershell.exe binary. PowerShell commands and scripts can be run by loading the underlying System.Management.Automation assembly (System.Management.Automation.dll), which the .NET Framework exposes through the Common Language Infrastructure (CLI). Any process that loads this assembly can run PowerShell, so there is no need to spawn powershell.exe, and these attacks can compromise endpoints even where PowerShell has been disabled. Palo Alto Networks Cortex XDR protects customers from these attacks with behavioral detection.

## Why PowerShell without PowerShell?

PowerShell is a favored attack tool for many reasons, but most notably, attackers often land in environments where powershell.exe cannot be executed. To get around this, they turn to "PowerShell without PowerShell" tools that bypass application whitelisting and other environmental restrictions, giving them the ability to execute any PowerShell script or command in an environment that does not allow PowerShell execution. Blocking powershell.exe alone therefore does not stop attackers from executing PowerShell. Evasion is another major benefit: some "PowerShell without PowerShell" tools do not load the PowerShell engine at all, so the security features built into it (script logging and AMSI scanning) never come into play.

## Techniques

"PowerShell without PowerShell" tools employ a variety of techniques. Some deliver PowerShell functionality as a DLL; we have seen "PowerShdll" and "NoPowerShell" in the wild. These rely on LOLBINs (living-off-the-land binaries) such as rundll32.exe, installutil.exe, regsvcs.exe, regasm.exe and regsvr32.exe to load and invoke the DLL. These LOLBINs are signed by Microsoft and often whitelisted.
They are, however, equally well known for proxying the execution of malicious code.

![PowerShell Execution](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/02/word-image-23.png)
*Figure 1. PowerShell Execution*

![NoPowerShell Execution](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/02/word-image-24.png)
*Figure 2. NoPowerShell Execution*

As Figures 1 and 2 show, after the DLL is invoked with rundll32 a new window appears with a PowerShell console, yet the powershell.exe binary is never launched.

Other "PowerShell without PowerShell" tools are standalone executables. With "NotPowerShell (nps.exe)", for example, we can run single or multiple commands, encoded or not (Figure 3).

![NotPowerShell (nps.exe) Execution](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/02/word-image-25.png)
*Figure 3. NotPowerShell (nps.exe) Execution*

The last group of "PowerShell without PowerShell" tools we have encountered relies on the Microsoft Build Engine (MSBuild) to execute PowerShell scripts and commands, converting them into .csproj project files that MSBuild compiles and runs. "PowerLessShell" is a popular in-the-wild example; it also masquerades its process by running MSBuild under a random executable name.

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/02/word-image-26.png)
![Figure 4. PowerLessShell Execution](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/02/word-image-27.png)
*Figure 4. PowerLessShell Execution*

## Behavioral Activity Observed

Using the Cortex XDR platform, we observed the behavioral activity of these "PowerShell without PowerShell" tools.

### DLL Attack Behavior

When diving into the DLL tools, we recognized some unique behavioral traits:

1. The tools we examined call rundll32 with 'main' as the entry point:
   * *rundll32 PowerShdll.dll,main*
   * *rundll32 NoPowerShell.dll,main*
2. The LOLBIN creates PowerShell script files (.ps1 and .psm1).
   ![Rundll32 Creates .ps1 and .psm1 Files](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/02/word-image-28.png)
   *Figure 5. Rundll32 Creates .ps1 and .psm1 Files*
3. rundll32.exe spawns conhost.exe. This is an unusual parent-child process relationship and may indicate that an attacker has abused rundll32.exe to run a console-based application.
   ![Cortex XDR Causality Chain](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/02/word-image-29.png)
   *Figure 6. Cortex XDR Causality Chain*
4. Unusual module load of *amsi.dll* by a LOLBIN (rundll32.exe in this case). rundll32.exe has no reason to call AMSI on its own; the load happens because the PowerShell engine it is hosting initializes AMSI scanning.
   ![Cortex XDR Module Loading](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/02/word-image-30.png)
   *Figure 7. Cortex XDR Module Loading*

### MSBuild Attack Behavior

After investigating the MSBuild attacks with Cortex XDR, we noticed the following unusual activity:

1. Process masquerading: MSBuild disguised as a random executable.
2. Creation of an executable in the .NET directory.
   ![Module Loading PowerShell DLLs with Cortex XDR](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/02/word-image-31.png)
   *Figure 8. Module Loading PowerShell DLLs with Cortex XDR*
3. The executable spawns the C# compiler (csc.exe).
   ![Process Execution Chain with Cortex XDR](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/02/word-image-32.png)
   *Figure 9. Process Execution Chain with Cortex XDR*
4. The executable loads MSBuild DLLs.
   ![Module Loading with Cortex XDR](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/02/word-image-33.png)
   *Figure 10. Module Loading with Cortex XDR*

Additionally, in almost all of the attacks described above we observed the loading of *System.Management.Automation.dll*. This is the key point: powershell.exe is just one process that hosts *System.Management.Automation.dll*, and any other process that loads that assembly is running PowerShell.
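The DLL and MSBuild behaviors listed above translate directly into detection logic. The following is an added example (not code from the original post, nor from PowerShdll, NoPowerShell or PowerLessShell): it replays constructed Sysmon-style telemetry (process creation, image load and file creation events) through rules modelled on those behaviors. The field names (`type`, `image`, `parent_image`, `command_line`, `original_file_name`, `loaded`, `target`) and the allowlists of legitimate PowerShell hosts and build tools are assumptions; the `__PSScriptPolicyTest_` file name in the sample data is the probe script the PowerShell engine writes to the temp directory when it initializes, which is why a LOLBIN hosting the engine creates .ps1/.psm1 files.

```python
"""Behavioural detections for "PowerShell without PowerShell" tooling (added example,
not code from the original post or any tool it names). Constructed Sysmon-style events
are replayed through rules modelled on the behaviours the post lists; the field names
(type, image, parent_image, command_line, original_file_name, loaded, target) are
assumptions mirroring Sysmon event IDs 1, 7 and 11."""
import re
from pathlib import PureWindowsPath

# Signed Microsoft binaries the post names as DLL and MSBuild proxies.
LOLBINS = {"rundll32.exe", "regsvr32.exe", "regasm.exe", "regsvcs.exe",
           "installutil.exe", "msbuild.exe"}
# Assumed allowlists: legitimate engine hosts, MSBuild-DLL loaders and csc.exe parents.
POWERSHELL_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}
BUILD_HOSTS = {"msbuild.exe", "devenv.exe", "dotnet.exe", "vbcscompiler.exe"}
POWERSHELL_DLLS = {"system.management.automation.dll", "system.management.automation.ni.dll"}
DOTNET_DIR = "c:\\windows\\microsoft.net\\"
# Matches "rundll32 X.dll,main" as well as "rundll32.exe C:\path\X.dll, main".
RUNDLL32_MAIN = re.compile(r"rundll32(?:\.exe)?\s+.+?\.dll\s*,\s*main\b", re.I)

def base(path):
    """Lower-cased file name of a Windows path ('' when absent)."""
    return PureWindowsPath(path).name.lower() if path else ""

def check_process_create(ev):
    img, parent = base(ev["image"]), base(ev.get("parent_image"))
    cmd, orig = ev.get("command_line", ""), ev.get("original_file_name", "").lower()
    hits = []
    if img == "rundll32.exe" and RUNDLL32_MAIN.search(cmd):
        hits.append(("rundll32 with 'main' entry point", cmd))
    if img == "conhost.exe" and parent == "rundll32.exe":
        hits.append(("rundll32.exe spawns conhost.exe", ev["parent_image"]))
    # PE version info says MSBuild.exe but the file on disk is named otherwise.
    if orig == "msbuild.exe" and img != "msbuild.exe":
        hits.append(("MSBuild masquerading", ev["image"]))
    if img == "csc.exe" and parent not in BUILD_HOSTS:
        hits.append(("csc.exe spawned by unexpected parent", ev["parent_image"]))
    return hits

def check_image_load(ev):
    img, dll = base(ev["image"]), base(ev["loaded"])
    hits = []
    # powershell.exe is only a host; any other host of the engine deserves a look.
    if dll in POWERSHELL_DLLS and img not in POWERSHELL_HOSTS:
        hits.append(("non-PowerShell process loads PowerShell DLL", ev["image"]))
    # rundll32 has no use for AMSI itself; the hosted engine pulls it in.
    if dll == "amsi.dll" and img in LOLBINS:
        hits.append(("LOLBIN loads amsi.dll", ev["image"]))
    if dll.startswith("microsoft.build") and img not in BUILD_HOSTS:
        hits.append(("non-build process loads MSBuild DLL", ev["image"]))
    return hits

def check_file_create(ev):
    img, target = base(ev["image"]), ev["target"]
    ext = PureWindowsPath(target).suffix.lower()
    hits = []
    # The engine writes __PSScriptPolicyTest_*.ps1/.psm1 probes when it starts.
    if img in LOLBINS and ext in {".ps1", ".psm1"}:
        hits.append(("LOLBIN created PowerShell script file", target))
    if ext == ".exe" and str(PureWindowsPath(target)).lower().startswith(DOTNET_DIR):
        hits.append(("executable created in .NET directory", target))
    return hits

HANDLERS = {"ProcessCreate": check_process_create, "ImageLoad": check_image_load,
            "FileCreate": check_file_create}

def run_detections(events):
    """Return every (rule, evidence) pair triggered by the event stream."""
    return [hit for ev in events for hit in HANDLERS[ev["type"]](ev)]

# Constructed telemetry: a PowerShdll-style rundll32 chain, a PowerLessShell-style
# renamed-MSBuild chain, then benign activity that must stay silent.
SYS32, TEMP = r"C:\Windows\System32", r"C:\Users\alice\AppData\Local\Temp"
NET = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"
SMA = r"C:\Windows\assembly\GAC_MSIL\System.Management.Automation\System.Management.Automation.dll"
MALICIOUS_EVENTS = [
    {"type": "ProcessCreate", "image": SYS32 + r"\rundll32.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"rundll32 C:\Users\Public\PowerShdll.dll,main"},
    {"type": "ProcessCreate", "image": SYS32 + r"\conhost.exe", "parent_image": SYS32 + r"\rundll32.exe",
     "command_line": "conhost.exe 0x4"},
    {"type": "ImageLoad", "image": SYS32 + r"\rundll32.exe", "loaded": SMA},
    {"type": "ImageLoad", "image": SYS32 + r"\rundll32.exe", "loaded": SYS32 + r"\amsi.dll"},
    {"type": "FileCreate", "image": SYS32 + r"\rundll32.exe", "target": TEMP + r"\__PSScriptPolicyTest_k2xq.ps1"},
    {"type": "FileCreate", "image": SYS32 + r"\cmd.exe", "target": NET + r"\zkq7tm.exe"},
    {"type": "ProcessCreate", "image": NET + r"\zkq7tm.exe", "parent_image": SYS32 + r"\cmd.exe",
     "original_file_name": "MSBuild.exe", "command_line": "zkq7tm.exe " + TEMP + r"\build.csproj"},
    {"type": "ImageLoad", "image": NET + r"\zkq7tm.exe", "loaded": NET + r"\Microsoft.Build.Framework.dll"},
    {"type": "ProcessCreate", "image": NET + r"\csc.exe", "parent_image": NET + r"\zkq7tm.exe",
     "command_line": "csc.exe /noconfig /nostdlib+ build.cs"},
    {"type": "ImageLoad", "image": NET + r"\zkq7tm.exe", "loaded": SMA},
]
BENIGN_EVENTS = [
    {"type": "ImageLoad", "image": SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe", "loaded": SMA},
    {"type": "ImageLoad", "image": NET + r"\MSBuild.exe", "loaded": NET + r"\Microsoft.Build.dll"},
    {"type": "ProcessCreate", "image": NET + r"\csc.exe", "parent_image": NET + r"\MSBuild.exe",
     "command_line": "csc.exe /noconfig build.cs"},
    {"type": "FileCreate", "image": SYS32 + r"\cmd.exe", "target": r"C:\Users\alice\notes.txt"},
]

if __name__ == "__main__":
    for rule, evidence in run_detections(MALICIOUS_EVENTS + BENIGN_EVENTS):
        print(f"[{rule}] {evidence}")
```

Run stand-alone, the script prints ten hits for the two malicious chains and nothing for the benign events. The rules deliberately key on behavior rather than on tool names: the rundll32 chain is caught four times over (entry point, conhost child, engine DLL load, AMSI load) and the renamed MSBuild is caught even though its file name is random, because the PE `OriginalFileName`, the csc.exe child and the MSBuild DLL loads all survive the rename. In production the allowlists would need tuning against the environment's real build and automation hosts.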
![Module Loading PowerShell DLLs with Cortex XDR](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/02/word-image-34.png)
*Figure 11. Module Loading PowerShell DLLs with Cortex XDR*

## Cortex XDR Alerts

Following our look into behavioral activity with Cortex XDR, we created the following Behavioral Indicators of Compromise (BIOCs) to detect "PowerShell without PowerShell" tools. Cortex XDR BIOCs can also be configured as prevention rules for greater protection. In addition, the Cortex XDR Agent features Behavioral Threat Protection modules that leverage the Antimalware Scan Interface (AMSI) to block malicious PowerShell scripts.

| **Source** | **Description** |
|------------------|-------------------------------------------------------------|
| XDR BIOC | Unsigned process loads a known PowerShell DLL |
| XDR BIOC | Non-PowerShell process accessed the PowerShell history file |
| XDR BIOC | LOLBIN created a PowerShell script file |
| XDR BIOC | Rundll32.exe with 'main' as entry point |
| XDR BIOC | Suspicious .NET process spawns csc.exe |
| XDR BIOC | Suspicious .NET process loads an MSBuild DLL |
| XDR BIOC | Suspicious executable created in .NET directory |
| XDR BIOC | Rundll32.exe spawns conhost.exe |
| XDR BIOC | Office process loads a known PowerShell DLL |
| XDR BIOC | Suspicious AMSI DLL load |
| Cortex XDR Agent | Behavioral Threat Detected |
| Cortex XDR Agent | WildFire Malware |

*Table 1. List of PowerShell without PowerShell Alerts*

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/02/word-image-35.png)
![Figure 12. Alerts in the Cortex XDR UI](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/02/word-image-36.png)
*Figure 12. Alerts in the Cortex XDR UI*

## Conclusion

Overall, disabling and monitoring powershell.exe is not enough to mitigate PowerShell threats. PowerShell is more than just powershell.exe, and these "PowerShell without PowerShell" tools are widely used and hard to detect with process-name-based controls alone.
Cortex XDR™ overcomes this by using behavioral activity to detect and block the attack at several stages of the attack chain.

## ATT&CK

The following tactics and techniques are relevant to the threat discussed. Further information can be found in the [MITRE ATT&CK framework](https://attack.mitre.org/matrices/enterprise/).

| **ID** | **Description** | **Tactic** |
|-------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------|
| [T1059.001](https://attack.mitre.org/techniques/T1059/001/) | **Command and Scripting Interpreter: PowerShell**: adversaries may abuse PowerShell commands and scripts for execution. | Execution |
| [T1218.011](https://attack.mitre.org/techniques/T1218/011/) | **Signed Binary Proxy Execution: Rundll32**: adversaries may abuse rundll32.exe to proxy execution of malicious code. | Defense Evasion |
| [T1127.001](https://attack.mitre.org/techniques/T1127/001/) | **Trusted Developer Utilities Proxy Execution: MSBuild**: adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. | Defense Evasion |
| [T1036](https://attack.mitre.org/techniques/T1036/) | **Masquerading**: renaming abusable system utilities to evade security monitoring. | Defense Evasion |

*Table 2. Relevant ATT&CK Techniques*