Common Information
| Type | Value |
|---|---|
| Value |
PowerShell - T1086 |
| Category | Attack-Pattern |
| Type | Mitre-Enterprise-Attack-Attack-Pattern |
| Misp Type | Cluster |
| Description | PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer. PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk. Administrator permissions are required to use PowerShell to connect to remote systems. A number of PowerShell-based offensive testing tools are available, including Empire, (Citation: Github PowerShell Empire) PowerSploit, (Citation: Powersploit) and PSAttack. (Citation: Github PSAttack) Detection: If proper execution policy is set, adversaries will likely be able to define their own execution policy if they obtain administrator or system access, either through the Registry or at the command line. This change in policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity. It is also beneficial to turn on PowerShell logging to gain increased fidelity in what occurs during execution. (Citation: Malware Archaeology PowerShell Cheat Sheet) PowerShell 5.0 introduced enhanced logging capabilities, and some of those features have since been added to PowerShell 4.0. Earlier versions of PowerShell do not have many logging features. (Citation: FireEye PowerShell Logging 2016) An organization can gather PowerShell execution details in a data analytic platform to supplement it with other data. Platforms: Windows Data Sources: Windows Registry, File monitoring, Process command-line parameters, Process monitoring Permissions Required: User, Administrator Remote Support: Yes |
| Details | Published | Attributes | CTI | Title | ||
|---|---|---|---|---|---|---|
| Details | Website | 2024-12-24 | 6 | 黑客利用 Fortinet EMS 的关键漏洞部署远程访问工具-安全客 - 安全资讯平台 | ||
| Details | Website | 2024-12-24 | 57 | Cloud Atlas APT IOCs - Part 3 - SEC-1275-1 | ||
| Details | Website | 2024-12-23 | 27 | Sysrv cryptomining botnet is still alive (and kicking out the competition) - ThreatDown by Malwarebytes | ||
| Details | Website | 2024-12-23 | 0 | Cybersecurity Roadmap 2025 | From Beginner to Advanced | ||
| Details | Website | 2024-12-23 | 17 | Static and Dynamic Malware Analysis | ||
| Details | Website | 2024-12-23 | 1 | 북한 김수키(Kimsuky)에서 만든 악성코드-1.txt(2024.12.14) | ||
| Details | Website | 2024-12-23 | 2 | Cyber Briefing: 2024.12.23 | ||
| Details | Website | 2024-12-23 | 108 | Злоумышленники активно пользуются уязвимостью в FortiClient EMS | ||
| Details | Website | 2024-12-23 | 19 | Volt Typhoon Explained: Living Off the Land Tactics for Cyber Espionage | ||
| Details | Website | 2024-12-23 | 18 | 5 Major Cyber Attacks in December 2024 | ||
| Details | Website | 2024-12-23 | 13 | 5 Major Cyber Attacks in December 2024 - ANY.RUN's Cybersecurity Blog | ||
| Details | Website | 2024-12-23 | 10 | New Python NodeStealer Attacking Facebook Business To Steal Login Credentials | ||
| Details | Website | 2024-12-23 | 83 | Cloud Atlas seen using a new tool in its attacks | ||
| Details | Website | 2024-12-23 | 83 | Cloud Atlas using a new backdoor, VBCloud, to steal data | ||
| Details | Website | 2024-12-23 | 6 | Top 10 Ransomware Trends Observed in 2024: A Look Ahead to 2025 | ||
| Details | Website | 2024-12-23 | 42 | Extracted | ||
| Details | Website | 2024-12-23 | 9 | Introduction and Installation Guide to Wazuh SIEM | ||
| Details | Website | 2024-12-23 | 275 | RST TI Report Digest: 23 Dec 2024 | ||
| Details | Website | 2024-12-23 | 3 | Злоумышленники используют команды SSH в файлах быстрого доступа (LNK) - SEC-1275-1 | ||
| Details | Website | 2024-12-23 | 25 | Схема социальной инженерии 'Fix It' выдает себя за несколько брендов - SEC-1275-1 | ||
| Details | Website | 2024-12-23 | 75 | Злоумышленники эксплуатируют исправленную уязвимость FortiClient EMS в дикой природе - SEC-1275-1 | ||
| Details | Website | 2024-12-23 | 28 | Sandworm (APT44) APT IOCs - Part 8 - SEC-1275-1 | ||
| Details | Website | 2024-12-22 | 0 | Diving into Cybersecurity: A Comprehensive Beginner’s Guide | ||
| Details | Website | 2024-12-22 | 22 | TryHackMe: MITRE (SOC Level 1) | ||
| Details | Website | 2024-12-22 | 8 | Andariel 그룹의 국내 솔루션 대상 공격 사례 분석 (SmallTiger) - ASEC |