ExtraHop® Unveils Advanced Network Detection Capabilities to Stop Malicious PowerShell Attacks

Exposes hidden commands to detect and respond to lateral movement

ExtraHop®, a leader in modern network detection and response (NDR), today announced powerful new capabilities to detect the malicious use of PowerShell. These enhancements deliver the critical visibility needed to dismantle the attack kill chain, providing essential insight to stop lateral movement in its tracks.

Remote management tools like PowerShell have become a notable weapon for attackers, such as the Qilin Ransomware-as-a-Service (RaaS) operation, which has hit many high-value organizations globally, including several UK hospitals. Threat actors often use PowerShell for living-off-the-land techniques, staying under the radar as they map the network, identify targets, and move between systems to escalate their privileges in a bid to gain control of the network. Using remote management tools and encrypting their commands lets attackers obfuscate their actions and evade traditional tools.

To address these challenges, ExtraHop has added several new detections, along with capabilities that add context to them. Detections for PowerShell commands and other lateral movement techniques, such as Invoke-ShareFinder enumeration attempts and Group Policy Preferences password enumeration, let enterprises spot attempts to reach other devices for sensitive information or credentials. ExtraHop decrypts and uncovers the content hidden within these malicious commands, even when they are carried encrypted inside protocols like MS-RPC and WSMAN, allowing analysts to follow a threat's path across the attack kill chain.

With ExtraHop, enterprises benefit from the ability to:

  • Uncover hidden threats with critical context: ExtraHop decrypts encrypted traffic at 100 Gbps and decodes 90+ network protocols to uncover malicious activity at rapid speed.
  • Detect lateral movement before threats escalate: Reveal PowerShell commands to see an attacker's actions and movement across the network to different devices.
  • Stop living-off-the-land attacks: Detect when PowerShell is being utilized for nefarious activities like privilege escalation, credential dumping, or disabling EDR or firewall controls.

“Without the ability to decrypt and decode commands that would otherwise be hidden, enterprises will fall victim to PowerShell attacks,” said Anthony James, VP, Product Marketing, ExtraHop. “ExtraHop has developed an incredibly robust way to make this a reality for our customers, leveraging our native decryption and protocol fluency to fully capture malicious PowerShell commands that other tools miss. With this level of visibility, enterprises can expose lateral movement and stop an attack before threats turn into impactful breaches.”

In The Forrester Wave™: Network Analysis and Visibility Solutions, Q4 2025, in which ExtraHop was a Leader, ExtraHop was the only vendor to earn the highest possible score in the Encrypted Traffic Analysis criterion. The report also states, “ExtraHop’s ability to natively decrypt by extending beyond standard TLS or SSL protocols, such as Microsoft protocol decryption, is a differentiator for deeper traffic analysis and comprehensive detection of lateral movement.”

Forrester does not endorse any company, product, brand, or service included in its research publications and does not advise any person to select the products or services of any company or brand based on the ratings included in such publications. Information is based on the best available resources. Opinions reflect judgment at the time and are subject to change. For more information, read about Forrester’s objectivity here.

About ExtraHop®

ExtraHop empowers enterprises to stay ahead of evolving threats with the most comprehensive approach to network detection and response (NDR).

Since 2007, the company has helped organizations across the globe extract real-time insights from their hybrid networks with the most in-depth network telemetry. ExtraHop uniquely combines NDR, network performance management (NPM), intrusion detection (IDS), and packet forensics in a single, integrated console for complete network visibility and unparalleled context that supports data-driven security decisions. With a powerful all-in-one sensor and cloud-scale machine learning, the ExtraHop RevealX™ platform enhances SOC productivity, reduces overhead, and elevates security postures.

Unlock the full power of network detection and response with ExtraHop. To learn more, visit www.extrahop.com or follow us on LinkedIn.

© 2025 ExtraHop Networks, Inc., RevealX, RevealX 360, RevealX Enterprise, and ExtraHop are registered trademarks or trademarks of ExtraHop Networks, Inc.
