PowerShell command-line arguments offer attackers unique opportunities because of peculiarities in how they are parsed. For example, PowerShell accepts truncated argument names, together with the parameters that belong to them, as long as the abbreviation is unambiguous. Let's go through some of the most common values used when executing malicious code:
- -NoProfile (often referred to as -NoP): This skips loading the PowerShell profile; it is useful to an attacker because execution is then not affected by local profile settings.
- -NonInteractive (often referred to as -NonI): This doesn't present an interactive prompt; it is useful when the purpose is to execute specified commands only.
- -ExecutionPolicy (often referred to as -Exec or -EP): This is often used with the Bypass argument to ignore settings that restrict certain PowerShell functionality. The same effect can be achieved in many other ways; for example, by modifying PowerShell's ExecutionPolicy registry value.
- -WindowStyle (often referred...
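Because the same switch can appear as -NoProfile, -NoP or even /nop, a detection rule that matches only the spelled-out form misses most real command lines. The following script is an added example (not code from the original text) that normalizes a powershell.exe command line from a process-creation log by expanding every abbreviated switch to its full parameter name using the unambiguous-prefix rule described above, then scores the combinations the list discusses. The parameter list is that of the Windows PowerShell 5.1 console host; the table of explicit short forms (-e, -ec, -ep, -c) that the host accepts even though plain prefix matching would call them ambiguous is an assumption from the author's reading of the host's parser, and the weights, threshold and sample log lines are constructed for illustration.

```python
import base64
import shlex

# Parameter names of powershell.exe (Windows PowerShell 5.1 console host).
POWERSHELL_PARAMS = [
    "Command", "ConfigurationName", "EncodedCommand", "ExecutionPolicy", "File",
    "InputFormat", "Mta", "NoExit", "NoLogo", "NonInteractive", "NoProfile",
    "OutputFormat", "PSConsoleFile", "Sta", "Version", "WindowStyle",
]

# Short forms the host accepts although plain prefix matching would call them
# ambiguous (assumption from the author's reading of the host's parser; the
# text above itself lists -NoP, -NonI, -Exec and -EP).
EXPLICIT_SHORT_FORMS = {
    "e": "EncodedCommand", "ec": "EncodedCommand",
    "ep": "ExecutionPolicy", "c": "Command",
}

# Parameters that consume the following token as their value.
TAKES_VALUE = {
    "Command", "ConfigurationName", "EncodedCommand", "ExecutionPolicy", "File",
    "InputFormat", "OutputFormat", "PSConsoleFile", "Version", "WindowStyle",
}


def resolve_switch(token):
    """Expand a possibly truncated switch ('-nop', '/Exec', '-W') to its full
    parameter name. Returns None when nothing matches or the prefix is
    ambiguous (e.g. '-no' could be NoProfile, NonInteractive, NoLogo, NoExit)."""
    name = token.lstrip("-/").lower()
    if not name:
        return None
    if name in EXPLICIT_SHORT_FORMS:
        return EXPLICIT_SHORT_FORMS[name]
    matches = [p for p in POWERSHELL_PARAMS if p.lower().startswith(name)]
    return matches[0] if len(matches) == 1 else None


def normalize_command_line(cmdline):
    """Parse a powershell.exe command line into {FullParameterName: value}.
    Flags without a value map to True; switches that cannot be resolved are
    collected under the key '_unresolved'."""
    tokens = shlex.split(cmdline, posix=False)  # keep Windows backslashes intact
    params = {"_unresolved": []}
    i = 1  # tokens[0] is the executable
    while i < len(tokens):
        tok = tokens[i]
        if tok[:1] in ("-", "/") and len(tok) > 1:
            full = resolve_switch(tok)
            if full is None:
                params["_unresolved"].append(tok)
            elif full in TAKES_VALUE and i + 1 < len(tokens):
                params[full] = tokens[i + 1].strip('"')
                i += 1  # value consumed
            else:
                params[full] = True
        i += 1
    return params


def decode_encoded_command(value):
    """-EncodedCommand carries base64 of the UTF-16LE script text."""
    return base64.b64decode(value).decode("utf-16-le")


def assess(cmdline, threshold=4):
    """Score a command line on the argument combinations discussed in the text.
    Weights and threshold are illustrative choices, not a published rule;
    tune them against a baseline of legitimate usage in your environment."""
    params = normalize_command_line(cmdline)
    score, findings = 0, []
    if "NoProfile" in params:
        score += 1
        findings.append("profile skipped (-NoProfile)")
    if "NonInteractive" in params:
        score += 1
        findings.append("non-interactive (-NonInteractive)")
    policy = str(params.get("ExecutionPolicy", "")).lower()
    if policy in ("bypass", "unrestricted"):
        score += 2
        findings.append(f"execution policy {policy}")
    if str(params.get("WindowStyle", "")).lower() == "hidden":
        score += 2
        findings.append("hidden window (-WindowStyle Hidden)")
    if "EncodedCommand" in params:
        score += 2
        try:
            findings.append("encoded command: " + decode_encoded_command(params["EncodedCommand"]))
        except (ValueError, UnicodeDecodeError):
            findings.append("encoded command: undecodable payload")
    if params["_unresolved"]:
        findings.append("unresolved/ambiguous switches: " + ", ".join(params["_unresolved"]))
    return {"score": score, "suspicious": score >= threshold,
            "findings": findings, "params": params}


# Constructed process-creation command lines (not real telemetry); the
# encoded payload is just "Get-Date" so the decoding step can be seen.
ENCODED_GET_DATE = base64.b64encode("Get-Date".encode("utf-16-le")).decode()
SAMPLE_COMMAND_LINES = [
    f"powershell.exe -NoP -NonI -W Hidden -Exec Bypass -E {ENCODED_GET_DATE}",
    r'powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Scripts\backup.ps1"',
    r"powershell.exe -no -File C:\Scripts\inventory.ps1",
]

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        result = assess(line)
        verdict = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"[{verdict}] score={result['score']} {line}")
        for finding in result["findings"]:
            print("    -", finding)
```

The first sample resolves to the full NoProfile, NonInteractive, WindowStyle Hidden, ExecutionPolicy Bypass and EncodedCommand set and is flagged; the second, a scheduled backup script with RemoteSigned, resolves cleanly but scores low; the third shows that -no is reported as ambiguous rather than silently mapped, which matters because a rule keyed on abbreviations alone would either miss it or guess wrong.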