Common Information
| Type | Value |
|---|---|
| Value |
PowerShell - T1086 |
| Category | Attack-Pattern |
| Type | Mitre-Enterprise-Attack-Attack-Pattern |
| Misp Type | Cluster |
| Description | PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer. PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk. Administrator permissions are required to use PowerShell to connect to remote systems. A number of PowerShell-based offensive testing tools are available, including Empire, (Citation: Github PowerShell Empire) PowerSploit, (Citation: Powersploit) and PSAttack. (Citation: Github PSAttack) Detection: If proper execution policy is set, adversaries will likely be able to define their own execution policy if they obtain administrator or system access, either through the Registry or at the command line. This change in policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity. It is also beneficial to turn on PowerShell logging to gain increased fidelity in what occurs during execution. (Citation: Malware Archaeology PowerShell Cheat Sheet) PowerShell 5.0 introduced enhanced logging capabilities, and some of those features have since been added to PowerShell 4.0. Earlier versions of PowerShell do not have many logging features. (Citation: FireEye PowerShell Logging 2016) An organization can gather PowerShell execution details in a data analytic platform to supplement it with other data. Platforms: Windows Data Sources: Windows Registry, File monitoring, Process command-line parameters, Process monitoring Permissions Required: User, Administrator Remote Support: Yes |
| Details | Published | Attributes | CTI | Title | ||
|---|---|---|---|---|---|---|
| Details | Website | 2024-12-19 | 13 | C.A.S (Cyber Anarchy Squad) APT IOCs - SEC-1275-1 | ||
| Details | Website | 2024-12-19 | 17 | Larva-24009 APT IOCs - SEC-1275-1 | ||
| Details | Website | 2024-12-19 | 35 | Python-Based NodeStealer Version Targets Facebook Ads Manager | ||
| Details | Website | 2024-12-18 | 0 | Turkish defense orgs subjected to Bitter cyberespionage intrusions | ||
| Details | Website | 2024-12-18 | 36 | delivr.to’s Top 10 Payloads (Dec ‘24): Pastejacking, Image-less QR codes and Concatenated Zip… | ||
| Details | Website | 2024-12-18 | 3 | PRATICAL COMMAND AND CONTROL SYSTEM (C2) | ||
| Details | Website | 2024-12-18 | 3 | 🚨 Cybersecurity Alert: Bitter Cyberspies Deploy New MiyaRAT to Target Defense Orgs! 🚨 | ||
| Details | Website | 2024-12-18 | 7 | December 18 Advisory: Cleopocalypse: 70% of Cleo File Transfer Exposures may be Vulnerable to Unauthenticated RCE [CVE-2024-55956] | ||
| Details | Website | 2024-12-18 | 30 | Cyberattack UAC-0125 using the “Army+” theme (CERT-UA#12559) | ||
| Details | Website | 2024-12-18 | 19 | UAC-0125 Attack Detection: Hackers Use Fake Websites on Cloudflare Workers to Exploit the "Army+" Application - SOC Prime | ||
| Details | Website | 2024-12-18 | 39 | Хактивисты C.A.S атакуют российские организации при помощи редких RAT | ||
| Details | Website | 2024-12-18 | 9 | Attacker Distributes DarkGate Using MS Teams Vishing Technique | ||
| Details | Website | 2024-12-18 | 2 | New I2PRAT Malware Using encrypted peer-to-peer communication to Evade Detections | ||
| Details | Website | 2024-12-18 | 39 | Analysis of Cyber Anarchy Squad attacks targeting Russian and Belarusian organizations | ||
| Details | Website | 2024-12-18 | 39 | C.A.S hacktivists attack Russian organizations using rare RATs | ||
| Details | Website | 2024-12-18 | 11 | CISA Added Cleo Vulnerabilities to its Known Exploited Vulnerabilities Catalog (CVE-2024-50623 & CVE-2024-55956) – Qualys ThreatPROTECT | ||
| Details | Website | 2024-12-18 | 5 | SOC Analyst Level 1 Queue. Scenario with KQL. Alert — 1 | ||
| Details | Website | 2024-12-18 | 0 | Weekly Detection Rule (YARA and Snort) Information – Week 3, December 2024 | ||
| Details | Website | 2024-12-18 | 315 | Lumma Stealer IOCs - Part 11 - SEC-1275-1 | ||
| Details | Website | 2024-12-18 | 3 | Malicious Microsoft VSCode extensions target devs, crypto community | ||
| Details | Website | 2024-12-18 | 1 | Russian hackers use RDP proxies to steal data in MiTM attacks | ||
| Details | Website | 2024-12-17 | 2 | CVE-2024-55956: Zero-Day Vulnerability in Cleo Software Could Lead to Data Theft | ||
| Details | Website | 2024-12-17 | 1 | Sophisticated TA397 Malware Targets Turkish Defense Sector | ||
| Details | Website | 2024-12-17 | 0 | PowerShell is a cross-platform task automation solution made up of a command line-shell a scripting… | ||
| Details | Website | 2024-12-17 | 2 | Cleo, the next MOVEit and GoAnywhere? |