For many crooks, malware is out and PowerShell attacks are in, IBM says https://www.cyberscoop.com/powershell-attacks-cybercrime-ibm-xforce-report/
IBM missed a couple of additional SysInternals tools that are often used maliciously. In addition to PsExec, PsLoggedOn and ProcDump can also be used for remote execution, interactive logon enumeration, and dumping of credentials within the lsass.exe address space, respectively.
Also of note is how PowerShell scripts can be run without using PowerShell: https://safe-cyberdefense.com/malware-can-use-powershell-without-powershell-exe/ . One of these uses Win LOL methods which was used in a recent Edge bypass: https://www.bleepingcomputer.com/ne...for-microsoft-edge-remote-code-execution-bug/
Hackers Are Loving PowerShell, Study Finds March 27, 2019 https://www.securityweek.com/hackers-are-loving-powershell-study-finds