Common Information
| Type | Value |
|---|---|
| Value |
PowerShell - T1086 |
| Category | Attack-Pattern |
| Type | Mitre-Enterprise-Attack-Attack-Pattern |
| Misp Type | Cluster |
| Description | PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer. PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk. Administrator permissions are required to use PowerShell to connect to remote systems. A number of PowerShell-based offensive testing tools are available, including Empire, (Citation: Github PowerShell Empire) PowerSploit, (Citation: Powersploit) and PSAttack. (Citation: Github PSAttack) Detection: If proper execution policy is set, adversaries will likely be able to define their own execution policy if they obtain administrator or system access, either through the Registry or at the command line. This change in policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity. It is also beneficial to turn on PowerShell logging to gain increased fidelity in what occurs during execution. (Citation: Malware Archaeology PowerShell Cheat Sheet) PowerShell 5.0 introduced enhanced logging capabilities, and some of those features have since been added to PowerShell 4.0. Earlier versions of PowerShell do not have many logging features. (Citation: FireEye PowerShell Logging 2016) An organization can gather PowerShell execution details in a data analytic platform to supplement it with other data. Platforms: Windows Data Sources: Windows Registry, File monitoring, Process command-line parameters, Process monitoring Permissions Required: User, Administrator Remote Support: Yes |
| Details | Published | Attributes | CTI | Title | ||
|---|---|---|---|---|---|---|
| Details | Website | 2018-02-09 | 5 | Service tags and augmented security rules in Azure network security groups | ||
| Details | Website | 2018-02-08 | 9 | Malspam delivers GandCrab ransomware 2-7-2017 | ||
| Details | Website | 2018-02-08 | 4 | Unmanaged PowerShell Binaries and Endpoint Protection – Part 2 | ||
| Details | Website | 2018-02-08 | 12 | ShortJSRAT leverages cloud with scriptlets | ||
| Details | Website | 2018-02-08 | 23 | Virus Bulletin :: Behind the scenes of GandCrab’s operation | ||
| Details | Website | 2018-02-08 | 10 | Attack Using Windows Installer Leads to LokiBot | ||
| Details | Website | 2018-02-07 | 0 | Sort Exchange and Office 365 mailboxes by size with PowerShell | ||
| Details | Website | 2018-02-07 | 25 | Targeted Attacks In The Middle East | ||
| Details | Website | 2018-02-07 | 25 | Targeted Attacks In The Middle East | ||
| Details | Website | 2018-02-07 | 1 | 黑客盯上平昌冬奥会,网络攻击进入第二阶段 | ||
| Details | Website | 2018-02-06 | 50 | Zero Day Initiative — One man's patch is another man's treasure: A tale of a failed HPE patch | ||
| Details | Website | 2018-02-06 | 0 | New in Virtual Machine Manager 1711 | ||
| Details | Website | 2018-02-05 | 8 | Reviving DDE: Using OneNote and Excel for Code Execution | ||
| Details | Website | 2018-02-05 | 0 | High availability in Azure | ||
| Details | Website | 2018-02-02 | 55 | Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims' Systems | ||
| Details | Website | 2018-02-02 | 1 | Azure network security groups and application security groups | ||
| Details | Website | 2018-02-01 | 6 | Exploiting Format Strings in Windows | 🔐Blog of Osanda | ||
| Details | Website | 2018-02-01 | 5 | HTTP port and Windows service monitoring with PowerShell | ||
| Details | Website | 2018-02-01 | 0 | [Video] Analyzing a Payload Out of Context | ||
| Details | Website | 2018-01-31 | 23 | Ransom Where? Malicious Cryptocurrency Miners Takeover, Generating Millions | ||
| Details | Website | 2018-01-31 | 22 | Ransom Where? Malicious Cryptocurrency Miners Takeover, Generating Millions | ||
| Details | Website | 2018-01-30 | 2 | Security Alert: Stabilized Exploits Target Legacy Windows-Running Servers and PCs | ||
| Details | Website | 2018-01-30 | 12 | Enumerating remote access policies through GPO | ||
| Details | Website | 2018-01-29 | 0 | For Many, Hyperconverged Is The Next Platform | ||
| Details | Website | 2018-01-26 | 5 | Convert JSON to a PowerShell hash table |