PowerShell is rapidly becoming a weapon of choice for post-breach (infiltration) steps and has been used in many recent high-profile breaches. PowerShell, according to Dave Kennedy, is "BASH for Windows": a scripting language and framework used in Windows for automation and control.
Previous versions (a new 4.0 release includes the logging) provide "little evidence of attacker activity." AMSI (Antimalware Scan Interface) is also enabled by default, and previous tricks (downgrading to PS v2 or using NotPowerShell) no longer work.
PowerShell 5, with enhanced logging and suspicious script block logging (on by default), detects some activities.
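
A defender can check what this logging actually captures on a host. The script below is an added example, not code from the talk summarized above: it reports which PowerShell logging policies are enabled, lists script blocks that PowerShell 5 flagged as suspicious, and counts PowerShell v2 engine starts (the downgrade mentioned earlier). The registry paths are the standard Group Policy locations; the 7-day window and the 120-character preview are assumptions.

```powershell
# Added example. Run in an elevated Windows PowerShell 5.x session.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$policies = [ordered]@{
    ScriptBlockLogging = 'EnableScriptBlockLogging'
    ModuleLogging      = 'EnableModuleLogging'
    Transcription      = 'EnableTranscripting'
}

# 1. Which logging policies are switched on? A missing key means "not configured".
$policyReport = foreach ($key in $policies.Keys) {
    $valueName = $policies[$key]
    $item = Get-ItemProperty -Path (Join-Path $policyRoot $key) -Name $valueName -ErrorAction SilentlyContinue
    [pscustomobject]@{ Policy = $key; Enabled = ($item.$valueName -eq 1) }
}
$policyReport | Format-Table -AutoSize

$since = (Get-Date).AddDays(-7)   # assumed review window

# 2. Script blocks PowerShell 5 itself flagged as suspicious: event 4104 written
#    at Warning level (3). These are logged even without the policy above.
$flagged = @(Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; Level = 3; StartTime = $since
} -ErrorAction SilentlyContinue)

$flagged | ForEach-Object {
    $text = [string]$_.Properties[2].Value      # ScriptBlockText field of event 4104
    [pscustomobject]@{
        Time    = $_.TimeCreated
        UserSid = $_.UserId
        Preview = $text.Substring(0, [Math]::Min(120, $text.Length))
    }
} | Format-Table -Wrap

# 3. Engine starts (event 400, classic log) that report the v2 engine, which
#    predates script block logging and AMSI.
$v2Starts = @(Get-WinEvent -FilterHashtable @{
    LogName = 'Windows PowerShell'; Id = 400; StartTime = $since
} -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'EngineVersion=2\.' })

'{0} flagged script block(s), {1} PowerShell v2 engine start(s) since {2:u}' -f $flagged.Count, $v2Starts.Count, $since
```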