BCY-ADV-2026-010
TECHNIQUE
PowerShell Living-Off-the-Land Scripting
MITRE T1059.001 · Built-In Abuse · Constrained Language Mode Mitigation
Tags: MITRE T1059.001 · PowerShell · LOTL · CLM · Scripting · Windows · No CVE
Prepared by Warren Barr · Barr Cyber LLC · barr-cyber.com · May 2026
What This Is
PowerShell is the most commonly abused tool in modern Windows intrusions. Because it is built into every Windows installation, is trusted by security software, can do nearly anything, and leaves only a configurable logging footprint, attackers use it to download payloads, enumerate systems, move laterally, escalate privileges, and maintain persistence — all using tools already present on the machine. This is called Living-Off-the-Land (LOTL) — using the system against itself.
Technique Details
MITRE ATT&CK: T1059.001 — Command and Scripting Interpreter: PowerShell
No CVE: Abuse of legitimate built-in functionality
Mitigation: PowerShell Constrained Language Mode (CLM) — restricts PowerShell to a safe language subset
Logging: PowerShell Script Block Logging (Event ID 4104) captures the content of scripts as they execute
How It Works
Attackers use PowerShell to download and execute malware (IEX (New-Object Net.WebClient).DownloadString()), enumerate domain objects via LDAP, dump credentials, bypass AppLocker, disable security tools, and maintain persistence via scheduled tasks or registry run keys — all using native Windows components. PowerShell Constrained Language Mode (CLM) restricts PowerShell to a safe subset, blocking .NET type access, COM objects, and most advanced scripting — significantly raising the cost of LOTL attacks without removing legitimate admin functionality.
Detection
Verify CLM is active (PowerShell):
$ExecutionContext.SessionState.LanguageMode
# Safe result:
ConstrainedLanguage
Check CLM registry key:
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" `
-Name __PSLockdownPolicy -ErrorAction SilentlyContinue
# Safe result (4 = CLM enforced):
__PSLockdownPolicy : 4
Enable PowerShell Script Block Logging (captures all PS commands):
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 /f
Review Script Block Logging for suspicious commands:
# Event ID 4104 — Script Block Logging
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational';Id=4104} |
Where-Object {$_.Message -match "IEX|Invoke-Expression|DownloadString|WebClient|EncodedCommand"} |
Select-Object TimeCreated, Message | Format-List
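The detection steps above combined into one triage helper, as an added example that is not part of the original advisory or the author's tooling. It reads both log sources named here (4104 script blocks and 4688 process creation), applies the advisory's pattern list, and decodes -EncodedCommand arguments into plain text for review; it assumes the caller can read the Security log and that process command-line auditing is enabled (otherwise 4688 events carry no command line).

```powershell
# Added example, not from the original advisory: triage helper for the 4104 and
# 4688 sources named above. Assumes rights to read the Security log and that
# process command-line auditing is on, otherwise 4688 has no command line to inspect.

function ConvertFrom-EncodedCommand {
    # -EncodedCommand carries base64 of UTF-16LE text; return '' if it does not decode.
    param([string]$Base64)
    try { [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64)) }
    catch { '' }
}

function Get-SuspiciousPowerShellActivity {
    param(
        [int]$Hours = 24,
        [string]$Pattern = 'IEX|Invoke-Expression|DownloadString|WebClient|EncodedCommand|Invoke-Mimikatz|Invoke-BloodHound'
    )
    $since = (Get-Date).AddHours(-$Hours)

    # 4104: Script Block Logging holds the full script text, so match the pattern on it directly.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $Pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Source = '4104 ScriptBlock'
                Detail = (($_.Message -split "`r?`n") | Select-Object -First 3) -join ' | '
            }
        }

    # 4688: process creation; flag powershell.exe/pwsh.exe launches that match the pattern
    # or carry an encoded command, and show the decoded text so the analyst can read it.
    $encRx = [regex]'(?i)\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})'
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'powershell\.exe|pwsh\.exe' } |
        ForEach-Object {
            $m = $encRx.Match($_.Message)
            if (-not $m.Success -and $_.Message -notmatch $Pattern) { return }   # nothing of interest
            $detail = if ($m.Success) { 'decoded: ' + (ConvertFrom-EncodedCommand $m.Groups[1].Value) } else {
                (($_.Message -split "`r?`n") -match 'Command Line') -join ' ' }
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Source = '4688 ProcessCreate'
                Detail = $detail
            }
        }
}

# Usage: Get-SuspiciousPowerShellActivity -Hours 48 | Format-Table -AutoSize -Wrap
```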
IOCs
Command: powershell.exe -EncodedCommand [base64]
Command: IEX (New-Object Net.WebClient).DownloadString('http://...')
Command: Invoke-Expression, Invoke-Mimikatz, Invoke-BloodHound
Event ID 4103: Module logging — PS module activity
Event ID 4104: Script Block Logging — full script content captured
Event ID 4688: Process creation — powershell.exe with suspicious args
Process: powershell.exe spawned by Office apps, cmd.exe, or scripts
Network: Outbound HTTP from powershell.exe to unexpected hosts
Mitigation — PowerShell Commands
Sources
BCY-ADV-2026-010 · Published May 2026 · Barr Cyber LLC · Kalispell, MT
Barr Cyber — Endpoint Hardening & System Configuration
PowerShell Constrained Language Mode is applied and documented in every Barr Cyber endpoint hardening engagement, alongside Script Block Logging to capture all PS execution for forensic review.