Common Information
| Type | Value |
|---|---|
| Value |
PowerShell - T1086 |
| Category | Attack-Pattern |
| Type | Mitre-Enterprise-Attack-Attack-Pattern |
| Misp Type | Cluster |
| Description | PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer. PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk. Administrator permissions are required to use PowerShell to connect to remote systems. A number of PowerShell-based offensive testing tools are available, including Empire, (Citation: Github PowerShell Empire) PowerSploit, (Citation: Powersploit) and PSAttack. (Citation: Github PSAttack) Detection: If proper execution policy is set, adversaries will likely be able to define their own execution policy if they obtain administrator or system access, either through the Registry or at the command line. This change in policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity. It is also beneficial to turn on PowerShell logging to gain increased fidelity in what occurs during execution. (Citation: Malware Archaeology PowerShell Cheat Sheet) PowerShell 5.0 introduced enhanced logging capabilities, and some of those features have since been added to PowerShell 4.0. Earlier versions of PowerShell do not have many logging features. (Citation: FireEye PowerShell Logging 2016) An organization can gather PowerShell execution details in a data analytic platform to supplement it with other data. Platforms: Windows Data Sources: Windows Registry, File monitoring, Process command-line parameters, Process monitoring Permissions Required: User, Administrator Remote Support: Yes |
| Details | Published | Attributes | CTI | Title | ||
|---|---|---|---|---|---|---|
| Details | Website | 2030-03-02 | 20 | APT QUARTERLY HIGHLIGHTS - Q3 : 2023 - CYFIRMA | ||
| Details | Website | 2025-11-27 | 0 | The Ransomware Threat: Preparing Schools and Libraries for… | ||
| Details | Website | 2025-07-05 | 46 | Obfuscated Malicious Python Scripts with PyArmor - SANS Internet Storm Center | ||
| Details | Website | 2025-07-02 | 0 | Security Operations Analyst (Level 3) | Red Piranha | ||
| Details | Website | 2025-07-02 | 13 | Inside a Malware Campaign: A Nigerian Hacker’s Perspective – CyberArmor | ||
| Details | Website | 2025-05-24 | 7 | Новый вредонос Chihuahua Stealer атакует пользователей через облачные сервисы | ||
| Details | Website | 2025-05-24 | 19 | Видеоролики TikTok обещают пиратские приложения, а вместо них поставляют инфострипперы Vidar и StealC | ||
| Details | Website | 2025-05-23 | 3 | Fake Google Meet Page Tricks Users into Running PowerShell Malware | ||
| Details | Website | 2025-05-23 | 7 | Cyber Heads Up: “BadSuccessor”—A Critical Active Directory Privilege Escalation Vulnerability in Windows Server 2025 | ||
| Details | Website | 2025-05-23 | 1 | 3AM ransomware uses spoofed IT calls, email bombing to breach networks - PRSOL:CC | ||
| Details | Website | 2025-05-23 | 49 | Katz Stealer Threat Analysis - Nextron Systems | ||
| Details | Website | 2025-05-23 | 22 | Emulating the Blazing DragonForce Ransomware | ||
| Details | Website | 2025-05-23 | 21 | AI-Driven IOC Conversion for Palo Alto Cortex XSIAM Queries | SOC Prime | ||
| Details | Website | 2025-05-23 | 27 | Chihuahua Stealer Malware Targets Browser and Wallet Data | ||
| Details | Website | 2025-05-23 | 10 | Winos 4.0 Malware Masquerades as VPN and QQBrowser to Target Users | ||
| Details | Website | 2025-05-23 | 7 | Microsoft Defender for Identity Recommended Actions: GPO assigns unprivileged identities to local groups with elevated privileges | ||
| Details | Website | 2025-05-23 | 20 | Operation Sindoor – Anatomy of a Digital Siege | ||
| Details | Website | 2025-05-23 | 5 | Chinese threat actors exploited Trimble Cityworks Flaw to breach U.S. local government networks | ||
| Details | Website | 2025-05-23 | 2 | CISA Alerts on Threat Actors Targeting Commvault Azure App to Steal Secrets | ||
| Details | Website | 2025-05-23 | 93 | Фейковые CAPTCHA распространяют инфостилеры и трояны через многоэтапные цепочки заражения | ||
| Details | Website | 2025-05-23 | 18 | Scarcity signals: Are rare activities red flags? | ||
| Details | Website | 2025-05-23 | 22 | Как ClickFix использует усталость от проверки для доставки RAT и похитителей информации | ||
| Details | Website | 2025-05-23 | 20 | Operation Sindoor: Anatomy of a High-Stakes Cyber Siege | Seqrite | ||
| Details | Website | 2025-05-23 | 3 | 黑客利用TikTok热门视频发布Vidar和StealC恶意软件-安全KER - 安全资讯平台 | ||
| Details | Website | 2025-05-23 | 5 | TikTok videos now push infostealer malware in ClickFix attacks |