Who has access to PowerShell in your organisation? Do you allow local admin accounts? Maybe it’s time to run a validation tool to check what policies are actually running on your endpoints and servers…:
[…] In total, the analysis of anonymized data from incident response (IR) cases showed that 18 various legitimate tools were abused by attackers for malicious purposes. The most widely used one was PowerShell (25% of cases). This powerful administration tool can be used for many purposes, from gathering information to running malware. PsExec was leveraged in 22% of the attacks. This console application is intended for launching processes on remote endpoints. This was followed by SoftPerfect Network Scanner (14%), which is intended to retrieve information about network environments.