Details
[SAFE-ID: JIWO-2024-745]   Author: ecawen   Published: [2017-09-28]


Cornell University (USA) has published a research report on PowerShell attack and defense techniques. The paper focuses on monitoring attacks launched through PowerShell by hijacking .NET. It begins with a brief introduction to .NET and PowerShell, then examines the various attacker techniques in depth from the defender's perspective, including assembly modification, class and method injection, compiler profiling, and C-based function hooking.

With the rise of attacks using PowerShell in recent months, there has not been a comprehensive solution for monitoring or prevention. Microsoft recently released the AMSI solution for PowerShell v5; however, this can also be bypassed. This paper focuses on repurposing various stealthy runtime .NET hijacking techniques, originally implemented for PowerShell attacks, for defensive monitoring of PowerShell. It begins with a brief introduction to .NET and PowerShell, followed by a deeper explanation of various attacker techniques, presented from the perspective of the defender, including assembly modification, class and method injection, compiler profiling, and C-based function hooking. Of the four attacker techniques that are repurposed for defensive real-time monitoring of PowerShell execution, intermediate language binary modification, JIT hooking, and machine code manipulation provide the best results for stealthy run-time interfaces for PowerShell scripting analysis. [Source: jiwo.org]

