INVESTIGATING POWERSHELL ATTACKS


Presented at MIRcon 2014 by

Over the past two years, we've seen targeted attackers increasingly make use of PowerShell to conduct command-and-control in compromised Windows environments. This has created a whole new playground of attack techniques for intruders that have already popped a few admin accounts (or an entire domain). Even if you're not using PowerShell to administer your systems, you need to be aware of how attackers can enable and abuse its features. This presentation will focus on common attack patterns performed through PowerShell and the sources of evidence they leave behind. I'll demonstrate how to collect and interpret these forensic artifacts, both on individual hosts and at scale across the enterprise. Examples from real-world incidents and recommendations on how to limit exposure to these attacks will be included.