Common Information
Type | Value |
---|---|
Value |
PowerShell - T1086 |
Category | Attack-Pattern |
Type | Mitre-Enterprise-Attack-Attack-Pattern |
Misp Type | Cluster |
Description | PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer. PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk. Administrator permissions are required to use PowerShell to connect to remote systems. A number of PowerShell-based offensive testing tools are available, including Empire, (Citation: Github PowerShell Empire) PowerSploit, (Citation: Powersploit) and PSAttack. (Citation: Github PSAttack) Detection: If proper execution policy is set, adversaries will likely be able to define their own execution policy if they obtain administrator or system access, either through the Registry or at the command line. This change in policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity. It is also beneficial to turn on PowerShell logging to gain increased fidelity in what occurs during execution. (Citation: Malware Archaeology PowerShell Cheat Sheet) PowerShell 5.0 introduced enhanced logging capabilities, and some of those features have since been added to PowerShell 4.0. Earlier versions of PowerShell do not have many logging features. (Citation: FireEye PowerShell Logging 2016) An organization can gather PowerShell execution details in a data analytic platform to supplement it with other data. Platforms: Windows Data Sources: Windows Registry, File monitoring, Process command-line parameters, Process monitoring Permissions Required: User, Administrator Remote Support: Yes |
Details | Published | Attributes | CTI | Title | ||
---|---|---|---|---|---|---|
Details | Website | 2024-12-11 | 5 | Osquery essentials | ||
Details | Website | 2024-12-11 | 25 | Active Directory Enumeration and Explotation | ||
Details | Website | 2024-12-11 | 11 | データ窃盗攻撃に悪用される新たなCleoゼロデイRCEの欠陥 - PRSOL:CC | ||
Details | Website | 2024-12-11 | 6 | Head Mare Targets Russian Orgs with Hidden LNK Files, Ransomware | ||
Details | Website | 2024-12-11 | 174 | UAC-0185 (UNC4221) APT IOCs - SEC-1275-1 | ||
Details | Website | 2024-12-11 | 30 | Head Mare APT IOCs - SEC-1275-1 | ||
Details | Website | 2024-12-11 | 3 | 攻击者主动利用 Cleo 文件传输软件(CVE-2024-50623)中的漏洞-安全客 - 安全资讯平台 | ||
Details | Website | 2024-12-10 | 4 | Cleo MFT Mass Exploitation Payload Analysis | Binary Defense | ||
Details | Website | 2024-12-10 | 11 | TryHackMe, Windows Fundamentals (Part II) | ||
Details | Website | 2024-12-10 | 6 | 2024 Holiday Season Cyber Threats: Gift Card Fraud & Phishing Schemes on the Rise | ||
Details | Website | 2024-12-10 | 14 | Steganographic Malware | ||
Details | Website | 2024-12-10 | 73 | Microsoft Patch Tuesday, December 2024, Patch for 16 Critical Security Flaws | ||
Details | Website | 2024-12-10 | 1 | Living Off the Land - Secure Boot Style | ||
Details | Website | 2024-12-10 | 19 | SPA is for Single-Page Abuse! - Using Single-Page Application Tokens to Enumerate Azure | ||
Details | Website | 2024-12-10 | 18 | SPA is for Single-Page Abuse! - Using Single-Page Application Tokens to Enumerate Azure | ||
Details | Website | 2024-12-10 | 3 | Widespread exploitation of Cleo file transfer software (CVE-2024-50623) | Rapid7 Blog | ||
Details | Website | 2024-12-10 | 48 | Head Mare Group Intensifies Attacks on Russia with PhantomCore Backdoor | ||
Details | Website | 2024-12-10 | 48 | Head Mare Group Intensifies Attacks on Russia with PhantomCore RAT | ||
Details | Website | 2024-12-10 | 6 | Manufacturing Companies Targeted with New Lumma and Amadey Campaign | ||
Details | Website | 2024-12-10 | 3 | Manufacturing Companies Targeted with New Lumma Campaign | ||
Details | Website | 2024-12-10 | 26 | SPA is for Single-Page Abuse! - Using Single-Page Application Tokens to Enumerate Azure | ||
Details | Website | 2024-12-10 | 8 | Quickly Check if a Sample is Malicious with ANY.RUN’s Process Tree | ||
Details | Website | 2024-12-10 | 181 | Stealers December 2024 Threat Intel | ||
Details | Website | 2024-12-10 | 3 | Mauri Ransomware Exploiting Apache ActiveMQ Vulnerability To Deploy CoinMiners | ||
Details | Website | 2024-12-10 | 4 | APT-C-53 Weaponizing LNK Files To Deploy Malware Into Target Systems |