Common Information
| Type | Value |
|---|---|
| Value |
PowerShell - T1086 |
| Category | Attack-Pattern |
| Type | Mitre-Enterprise-Attack-Attack-Pattern |
| Misp Type | Cluster |
| Description | PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer. PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk. Administrator permissions are required to use PowerShell to connect to remote systems. A number of PowerShell-based offensive testing tools are available, including Empire, (Citation: Github PowerShell Empire) PowerSploit, (Citation: Powersploit) and PSAttack. (Citation: Github PSAttack) Detection: If proper execution policy is set, adversaries will likely be able to define their own execution policy if they obtain administrator or system access, either through the Registry or at the command line. This change in policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity. It is also beneficial to turn on PowerShell logging to gain increased fidelity in what occurs during execution. (Citation: Malware Archaeology PowerShell Cheat Sheet) PowerShell 5.0 introduced enhanced logging capabilities, and some of those features have since been added to PowerShell 4.0. Earlier versions of PowerShell do not have many logging features. (Citation: FireEye PowerShell Logging 2016) An organization can gather PowerShell execution details in a data analytic platform to supplement it with other data. Platforms: Windows Data Sources: Windows Registry, File monitoring, Process command-line parameters, Process monitoring Permissions Required: User, Administrator Remote Support: Yes |
| Details | Published | Attributes | CTI | Title | ||
|---|---|---|---|---|---|---|
| Details | Website | 2024-12-20 | 10 | Hack The Box | Netmon | ||
| Details | Website | 2024-12-20 | 0 | Day 5: Elastic Agents and Fleet Servers | ||
| Details | Website | 2024-12-20 | 5 | Technique and Procedures associated with the MITRE ATT&CK “T1098 — Account Manipulation” | ||
| Details | Website | 2024-12-20 | 1 | 悪意のあるマイクロソフトのVSCode拡張機能、開発者や暗号コミュニティを標的に - PRSOL:CC | ||
| Details | Website | 2024-12-20 | 22 | TokenSmith - Bypassing Intune Compliant Device Conditional Access | JUMPSEC LABS | ||
| Details | Website | 2024-12-20 | 28 | 북한 해킹단체 김수키(Kimsuky)에서 만든 금융거래확인서로 위장한 악성코드-confirmation.chm(2024.12.10) | ||
| Details | Website | 2024-12-20 | 6 | NodeStealer Malware IOcs - SEC-1275-1 | ||
| Details | Website | 2024-12-20 | 3 | UAC-0125 滥用 Cloudflare 工作者分发伪装成 Army+ 应用程序的恶意软件-安全客 - 安全资讯平台 | ||
| Details | Website | 2024-12-20 | 1 | The Good, the Bad and the Ugly in Cybersecurity - Week 51 | ||
| Details | Website | 2024-12-19 | 27 | ‘Fix It’ social-engineering scheme impersonates several brands | ||
| Details | Website | 2024-12-19 | 27 | 'Fix It' social-engineering scheme impersonates several brands | ||
| Details | Website | 2024-12-19 | 2 | December 2024 Uptick in Social Engineering Campaign Deploying Black Basta Ransomware - Arctic Wolf | ||
| Details | Website | 2024-12-19 | 2 | Uptick in Social Engineering Campaign Deploying Black Basta Ransomware | Arctic Wolf | ||
| Details | Website | 2024-12-19 | 3 | 🚨 Russian Hackers Exploit RDP Proxies for MiTM Attacks: Protect Your Data Now! 🚨 | ||
| Details | Website | 2024-12-19 | 83 | Группа Cloud Atlas использует новый бэкдор VBCloud для кражи данных | ||
| Details | Website | 2024-12-19 | 4 | Hackers Weaponizing LNK Files To Create Scheduled Task And Deliver Malware Payload | ||
| Details | Website | 2024-12-19 | 2 | CRIL Investigates: LNK Files, SSH Commands, and the Evolution of Cyberattack Techniques | ||
| Details | Website | 2024-12-19 | 112 | Attackers exploiting a patched FortiClient EMS vulnerability in the wild | ||
| Details | Website | 2024-12-19 | 108 | Attackers exploiting a FortiClient EMS vulnerability in the wild | ||
| Details | Website | 2024-12-19 | 7 | CERT-UA: Russia-linked UAC-0125 abuses Cloudflare Workers to target Ukrainian army | ||
| Details | Website | 2024-12-19 | 14 | LNK Files and SSH Commands: A Stealthy Playbook for Advanced Cyber Attacks | ||
| Details | Website | 2024-12-19 | 2 | Happy YARA Christmas! | ||
| Details | Website | 2024-12-19 | 12 | Stealthy Cyber Attacks: LNK Files & SSH Commands Playbook | ||
| Details | Website | 2024-12-19 | 48 | Эволюция вредоносного ПО для электронной преступности в Латинской Америке в 2024 году - SEC-1275-1 | ||
| Details | Website | 2024-12-19 | 9 | TA397 APT IOCs - SEC-1275-1 |