Common Information
| Type | Value |
|---|---|
| Value |
PowerShell - T1086 |
| Category | Attack-Pattern |
| Type | Mitre-Enterprise-Attack-Attack-Pattern |
| Misp Type | Cluster |
| Description | PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer. PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk. Administrator permissions are required to use PowerShell to connect to remote systems. A number of PowerShell-based offensive testing tools are available, including Empire, (Citation: Github PowerShell Empire) PowerSploit, (Citation: Powersploit) and PSAttack. (Citation: Github PSAttack) Detection: If proper execution policy is set, adversaries will likely be able to define their own execution policy if they obtain administrator or system access, either through the Registry or at the command line. This change in policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity. It is also beneficial to turn on PowerShell logging to gain increased fidelity in what occurs during execution. (Citation: Malware Archaeology PowerShell Cheat Sheet) PowerShell 5.0 introduced enhanced logging capabilities, and some of those features have since been added to PowerShell 4.0. Earlier versions of PowerShell do not have many logging features. (Citation: FireEye PowerShell Logging 2016) An organization can gather PowerShell execution details in a data analytic platform to supplement it with other data. Platforms: Windows Data Sources: Windows Registry, File monitoring, Process command-line parameters, Process monitoring Permissions Required: User, Administrator Remote Support: Yes |
| Details | Published | Attributes | CTI | Title | ||
|---|---|---|---|---|---|---|
| Details | Website | 2030-03-02 | 20 | APT QUARTERLY HIGHLIGHTS - Q3 : 2023 - CYFIRMA | ||
| Details | Website | 2024-12-26 | 0 | Cybersecurity Roadmap- Career Path, Essential Skills, and Certifications | ||
| Details | Website | 2024-12-26 | 19 | TryHackMe: Advent of Cyber 2024 [Day 5 to 24 Solutions Guide] | ||
| Details | Website | 2024-12-26 | 23 | Kimsuky(김수키)에서 만든 자유 아시아 방송으로 위장 해서 특정 북한 인권운동가 노린 악성코드-log_processlist.ps1(2024.12.02) | ||
| Details | Website | 2024-12-26 | 2 | CVE-2024-30088 遭到攻击: OilRig 瞄准 Windows 内核漏洞-安全客 - 安全资讯平台 | ||
| Details | Website | 2024-12-25 | 3 | BellaCPP, Charming Kitten's BellaCiao variant written in C++ | ||
| Details | Website | 2024-12-25 | 12 | Content Delivery Networks (CDN) Exploits(1): Cloud Infrastructures are the New Realm of Operation… | ||
| Details | Website | 2024-12-25 | 13 | DarkVision RAT: A Persistent Threat Delivered via PureCrypter - SOCRadar® Cyber Intelligence Inc. | ||
| Details | Website | 2024-12-25 | 21 | Weekly Detection Rule (YARA and Snort) Information - Week 4, December 2024 - ASEC | ||
| Details | Website | 2024-12-25 | 21 | 주간 탐지 룰(YARA, Snort) 정보 - 2024년 12월 4주차 - ASEC | ||
| Details | Website | 2024-12-25 | 0 | Certified Red Team Professional (CRTP) Review and Preparation Tips | ||
| Details | Website | 2024-12-25 | 0 | PowerShell for Pentesters Part-1: Basics of PowerShell | ||
| Details | Website | 2024-12-25 | 15 | Maldev : [Evasion] Shellcode Injection and Fileless Execution | ||
| Details | Website | 2024-12-25 | 0 | Active Directory’de Gizli Tehdit: Password Not Required Özniteliği, Güvenliğinizi Tehlikeye Atmayın! | ||
| Details | Website | 2024-12-25 | 17 | BTLO: Hashish | ||
| Details | Website | 2024-12-25 | 9 | Sailing the MalSpam Ocean: A Journey Through Threat Hunting and Uncovering Malware Activity | ||
| Details | Website | 2024-12-24 | 6 | Advent of Cyber 2024| Day1| Learn how to investigate malicious link files | ||
| Details | Website | 2024-12-24 | 21 | Dark Web Profile: Bashe (APT73) - SOCRadar® Cyber Intelligence Inc. | ||
| Details | Website | 2024-12-24 | 4 | Security Operations Center (SOC) Analyst Salary in India | ||
| Details | Website | 2024-12-24 | 5 | Clearing Tracks: How Hackers Remove Evidence After System Breaches | ||
| Details | Website | 2024-12-24 | 1 | HackTheBox — Cicada | ||
| Details | Website | 2024-12-24 | 6 | This can be useful : CyberSecurity loose tools for pentesting | ||
| Details | Website | 2024-12-24 | 24 | Bumblebee Malware Unveiled: Techniques, Threats, and Defense Strategies | ||
| Details | Website | 2024-12-24 | 1 | Hack The Box Starting Point #1: Meow | ||
| Details | Website | 2024-12-24 | 16 | 북한 김수키(Kimsuky)에서 만든 악성코드-1.txt(2024.12.14) |