How One PowerShell Command Can Give Attackers Complete Control

PowerShell is one of the most powerful tools in the Windows ecosystem. It’s used extensively by administrators and adversaries alike. Threat actors abuse PowerShell to execute commands, evade detection, and maintain persistent access, often without ever dropping a file on disk.

Our PowerShell Webshell threat emulates a common post-exploitation scenario: an attacker who has already gained the requisite access deploys a webshell via PowerShell to maintain persistence and carry out further actions.

SCYTHE users can safely emulate this behavior, observe the impact, and test their detection and response capabilities with a downloadable threat package.

Threat Profile

This Empower threat emulates a threat actor gaining administrative access to a Windows system and installing a PowerShell-based webshell. The webshell allows remote execution of arbitrary PowerShell or command-line instructions via the Windows HTTP subsystem (HTTP.sys). To allow inbound connections to the webshell, a firewall rule is created that opens a specific port. Once connected, the threat actor can poll tasks and retrieve their results remotely.

Key characteristics:

  • Performs reconnaissance of the endpoint and the environment.
  • Uses the Windows HTTP subsystem (HTTP.sys) to accept remote HTTP requests via the webshell.
  • Executes any scripts or commands native to PowerShell.
  • Implements a 30-second timeout to prevent indefinite command execution.
  • Requires administrative privileges to bind to non-localhost interfaces, accurately reflecting real-world attacker constraints.

Once deployed, the webshell provides remote control of the system—allowing adversaries to run reconnaissance, move laterally, deploy additional tools, and exfiltrate data.
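A hunt for the two artifacts this profile describes (a PowerShell-owned HTTP.sys listener and an inbound firewall rule exposing its port), written here as an added example; it is not part of SCYTHE's package or the original post. It assumes the `Process IDs:` and `Registered URLs:` labels in netsh's request-queue output and that firewall event 2004 carries the rule name in its second property.

```powershell
# Added hunt script for the behaviour profiled above (illustrative, not SCYTHE's code).
# It looks for a PowerShell process holding an HTTP.sys listener and for an inbound
# firewall rule exposing that port. Run elevated: netsh and NetSecurity need admin rights.

# 1. Map request-queue owner PIDs to registered URLs from netsh output.
#    Assumption: netsh labels these sections 'Process IDs:' and 'Registered URLs:'.
$listeners = @(); $pids = @(); $mode = ''
foreach ($line in (netsh http show servicestate view=requestq)) {
    switch -Regex ($line) {
        '^\s*Request queue name:' { $pids = @(); $mode = '' }
        '^\s*Process IDs:'        { $mode = 'pids' }
        '^\s*Registered URLs:'    { $mode = 'urls' }
        '^\s*(\d+)\s*$'           { if ($mode -eq 'pids') { $pids += [int]$Matches[1] } }
        '^\s*(https?://\S+)'      { if ($mode -eq 'urls') { foreach ($p in $pids) {
                                        $listeners += [pscustomobject]@{ OwnerPid = $p; Url = $Matches[1] } } } }
        default                   { $mode = '' }
    }
}

# 2. Keep only listeners whose owner is a PowerShell host (powershell.exe / pwsh.exe).
$suspect = foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwnerPid -ErrorAction SilentlyContinue
    if ($proc -and $proc.ProcessName -in 'powershell', 'pwsh') {
        $port = if ($l.Url -match ':(\d+)/') { [int]$Matches[1] } else { 80 }
        [pscustomobject]@{ OwnerPid = $l.OwnerPid; Url = $l.Url; Port = $port }
    }
}

# 3. Enabled inbound allow rules whose port filter covers the port ('Any' or exact match; ranges not expanded).
function Get-InboundAllowRule([int]$Port) {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | Where-Object {
        $lp = @(($_ | Get-NetFirewallPortFilter).LocalPort)
        ($lp -contains 'Any') -or ($lp -contains "$Port")
    }
}

# 4. Firewall rules added in the last 24 hours (event ID 2004 in the firewall operational log).
#    Assumption: Properties[1] of that event carries the rule's display name.
$recent = @(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'; Id = 2004
    StartTime = (Get-Date).AddDays(-1) })

foreach ($s in $suspect) {
    Write-Warning "PowerShell PID $($s.OwnerPid) is serving $($s.Url) through HTTP.sys"
    foreach ($r in Get-InboundAllowRule -Port $s.Port) {
        $added = @($recent | Where-Object { $_.Properties[1].Value -eq $r.DisplayName })
        $when = if ($added) { "added $($added[0].TimeCreated)" } else { 'pre-existing' }
        "  inbound allow rule '$($r.DisplayName)' covers port $($s.Port) ($when)"
    }
}
```

A listener bound by HTTP.sys is owned by the System process at the socket level, which is why the script reads netsh's request-queue view instead of `Get-NetTCPConnection` to attribute the port to a PowerShell PID.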

Why The Threat Matters

PowerShell-based attacks are widespread and increasingly difficult to detect. According to Red Canary’s 2024 Threat Detection Report, PowerShell remains the most commonly used technique in real-world incidents. Microsoft’s 2023 Digital Defense Report noted that nearly 35% of initial access investigations involved webshells. Just a few reasons adversaries favor PowerShell include:

  • It’s built into every Windows system.
  • Its use blends in with normal administrative activity.
  • It’s often trusted by EDR and AV tools.
  • It enables fileless operation and script obfuscation.

Combined with a webshell, PowerShell gives attackers stealthy, remote control that blends in with legitimate administrative activity. This makes these threats both dangerous and persistent, especially in Microsoft-heavy enterprise environments.

The Importance of Threat Emulation

Defensive tools and policies are only as good as their performance in real-world conditions. Threat emulation is the process of safely mimicking adversary behavior to test those defenses.

Emulating a threat such as this one allows security teams to:

  • Validate whether existing detections fire properly
  • Test incident response processes
  • Identify blind spots in EDR, SIEM, and logging tools
  • Train analysts on how to identify and respond to these behaviors based on telemetry

This turns theoretical readiness into practical confidence and helps organizations understand the real impact of a breach scenario before one happens.

What SCYTHE Users Get

SCYTHE clients receive access to a downloadable threat package, which includes:

  • A working PowerShell-based webshell
  • The transparent threat campaign tagged to MITRE ATT&CK for automated execution 
  • The SCYTHE platform to orchestrate operations and modify the threat as needed
  • Custom Detections created and curated just for SCYTHE customers

Whether you’re on a Red, Blue, or Purple Team, SCYTHE threats provide a realistic, controlled way to emulate adversary activity using custom-built tools, modules, and OS-native capabilities such as PowerShell. We strive to give you a way to emulate these techniques safely and proactively, before an attacker uses them against you.

If your security strategy relies on assumptions, it’s time to put them to the test. Start emulating threats today.