# Palo Alto Networks

## Powershell

## [Automating Response to Unauthorized User Privilege Escalations Using PowerShell Commands](https://www.paloaltonetworks.com/blog/security-operations/automating-response-to-unauthorized-user-privilege-escalations-using-powershell-commands/)

[Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown)

Automating response to unauthorized privilege escalation activity, such as a user being added to the local administrator group using a PowerShell command.

Feb 05, 2025 By [Omri Itzhak](https://www.paloaltonetworks.com/blog/author/omri-itzhak/?ts=markdown "Posts by Omri Itzhak")

## [Stopping "PowerShell without PowerShell" Attacks](https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/)

[Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown)

The Cortex XDR Security Research Team recently observed "PowerShell without PowerShell" activity involving PowerShell commands and scripts that do not directly invoke the powershell.exe binary.

Feb 09, 2021 By [Stav Setty](https://www.paloaltonetworks.com/blog/author/stav-setty/?ts=markdown "Posts by Stav Setty") and [Aviad Meyer](https://www.paloaltonetworks.com/blog/author/aviad-meyer/?ts=markdown "Posts by Aviad Meyer")

## [Inception Attackers Target Europe with Year-old Office Vulnerability](https://www.paloaltonetworks.com/blog/2018/11/unit42-inception-attackers-target-europe-year-old-office-vulnerability/)

[Unit 42](https://unit42.paloaltonetworks.com)

Inception targets Europe with a year-old Office vulnerability. Read the full report.

Nov 05, 2018 By [Tom Lancaster](https://www.paloaltonetworks.com/blog/author/tom-lancaster/?ts=markdown "Posts by Tom Lancaster")

## [Sofacy Attacks Multiple Government Entities](https://www.paloaltonetworks.com/blog/2018/02/unit42-sofacy-attacks-multiple-government-entities/)

[Unit 42](https://unit42.paloaltonetworks.com)

Unit 42 examines recent Sofacy group activities, including multiple attacks on government entities.

Feb 28, 2018 By [Bryan Lee](https://www.paloaltonetworks.com/blog/author/bryan-lee/?ts=markdown "Posts by Bryan Lee"), [Mike Harbison](https://www.paloaltonetworks.com/blog/author/mike-harbison/?ts=markdown "Posts by Mike Harbison") and [Robert Falcone](https://www.paloaltonetworks.com/blog/author/robert-falcone/?ts=markdown "Posts by Robert Falcone")

## [PowerStager Analysis](https://www.paloaltonetworks.com/blog/2018/01/unit42-powerstager-analysis/)

[Unit 42](https://unit42.paloaltonetworks.com)

Unit 42 analyzes PowerStager and the unique obfuscation technique it was employing for its PowerShell segments.

Jan 12, 2018 By [Jeff White](https://www.paloaltonetworks.com/blog/author/jeff-white/?ts=markdown "Posts by Jeff White")

## [The Curious Case of Notepad and Chthonic: Exposing a Malicious Infrastructu...](https://www.paloaltonetworks.com/blog/2017/08/unit42-the-curious-case-of-notepad-and-chthonic-exposing-a-malicious-infrastructure/)

[Unit 42](https://unit42.paloaltonetworks.com)

New research from Palo Alto Networks Unit 42: the curious case of Notepad and Chthonic: exposing a malicious infrastructure.

Aug 15, 2017 By [Jeff White](https://www.paloaltonetworks.com/blog/author/jeff-white/?ts=markdown "Posts by Jeff White")

## [Palo Alto Networks News of the Week – March 11, 2017](https://www.paloaltonetworks.com/blog/2017/03/palo-alto-networks-news-week-march-11-2017/)

[News of the Week](https://www.paloaltonetworks.com/blog/category/news-of-the-week/?ts=markdown)

Sit back, relax and enjoy the top Palo Alto Networks news of the week.

Mar 11, 2017 By [Justin Hall](https://www.paloaltonetworks.com/blog/author/justin-hall/?ts=markdown "Posts by Justin Hall")

## [Pulling Back the Curtains on EncodedCommand PowerShell Attacks](https://www.paloaltonetworks.com/blog/2017/03/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/)

[Unit 42](https://unit42.paloaltonetworks.com)

A note to readers: The code samples included within this blog post may trigger alerts from your security software. Please note that this does not indicate an infection or an attack...

Mar 10, 2017 By [Jeff White](https://www.paloaltonetworks.com/blog/author/jeff-white/?ts=markdown "Posts by Jeff White")

## [PowerWare Ransomware Spoofing Locky Malware Family](https://www.paloaltonetworks.com/blog/2016/07/unit42-powerware-ransomware-spoofing-locky-malware-family/)

[Malware](https://www.paloaltonetworks.com/blog/category/malware-2/?ts=markdown), [Threat Prevention](https://www.paloaltonetworks.com/blog/category/threat-prevention-2/?ts=markdown), [Unit 42](https://unit42.paloaltonetworks.com)

Unit 42 has recently discovered a new variant of PowerWare, also known as PoshCoder, imitating the popular Locky ransomware family. PoshCoder has been encrypting files with PowerShell since 2014, and the new va...

Jul 21, 2016 By [Tyler Halfpop](https://www.paloaltonetworks.com/blog/author/tyler-halfpop/?ts=markdown "Posts by Tyler Halfpop") and [Jacob Soo](https://www.paloaltonetworks.com/blog/author/jacob-soo/?ts=markdown "Posts by Jacob Soo")

## [The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helmint...](https://www.paloaltonetworks.com/blog/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/)

[Financial Services](https://www.paloaltonetworks.com/blog/category/financial-services/?ts=markdown), [Malware](https://www.paloaltonetworks.com/blog/category/malware-2/?ts=markdown), [Threat Prevention](https://www.paloaltonetworks.com/blog/category/threat-prevention-2/?ts=markdown), [Unit 42](https://unit42.paloaltonetworks.com)

In May 2016, Unit 42 observed targeted attacks primarily focused on financial institutions and technology organizations within Saudi Arabia. Artifacts...

May 26, 2016 By [Robert Falcone](https://www.paloaltonetworks.com/blog/author/robert-falcone/?ts=markdown "Posts by Robert Falcone") and [Bryan Lee](https://www.paloaltonetworks.com/blog/author/bryan-lee/?ts=markdown "Posts by Bryan Lee")

## [Retefe Banking Trojan Targets Sweden, Switzerland and Japan](https://www.paloaltonetworks.com/blog/2015/08/retefe-banking-trojan-targets-sweden-switzerland-and-japan/)

[Financial Services](https://www.paloaltonetworks.com/blog/category/financial-services/?ts=markdown), [Malware](https://www.paloaltonetworks.com/blog/category/malware-2/?ts=markdown), [Threat Prevention](https://www.paloaltonetworks.com/blog/category/threat-prevention-2/?ts=markdown), [Unit 42](https://unit42.paloaltonetworks.com)

Retefe is one of the most targeted banking Trojans currently in the wild. While other families such as Zeus and Citadel are widely adopted by attacker...

Aug 20, 2015 By [Brandon Levene](https://www.paloaltonetworks.com/blog/author/brandon-levene/?ts=markdown "Posts by Brandon Levene"), [Robert Falcone](https://www.paloaltonetworks.com/blog/author/robert-falcone/?ts=markdown "Posts by Robert Falcone"), [Josh Grunzweig](https://www.paloaltonetworks.com/blog/author/josh-grunzweig/?ts=markdown "Posts by Josh Grunzweig"), [Bryan Lee](https://www.paloaltonetworks.com/blog/author/bryan-lee/?ts=markdown "Posts by Bryan Lee") and [Ryan Olson](https://www.paloaltonetworks.com/blog/author/ryan-olson/?ts=markdown "Posts by Ryan Olson")