Common Information
| Type | Value |
|---|---|
| Value |
PowerShell - T1086 |
| Category | Attack-Pattern |
| Type | Mitre-Enterprise-Attack-Attack-Pattern |
| Misp Type | Cluster |
| Description | PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer. PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk. Administrator permissions are required to use PowerShell to connect to remote systems. A number of PowerShell-based offensive testing tools are available, including Empire, (Citation: Github PowerShell Empire) PowerSploit, (Citation: Powersploit) and PSAttack. (Citation: Github PSAttack) Detection: If proper execution policy is set, adversaries will likely be able to define their own execution policy if they obtain administrator or system access, either through the Registry or at the command line. This change in policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity. It is also beneficial to turn on PowerShell logging to gain increased fidelity in what occurs during execution. (Citation: Malware Archaeology PowerShell Cheat Sheet) PowerShell 5.0 introduced enhanced logging capabilities, and some of those features have since been added to PowerShell 4.0. Earlier versions of PowerShell do not have many logging features. (Citation: FireEye PowerShell Logging 2016) An organization can gather PowerShell execution details in a data analytic platform to supplement it with other data. Platforms: Windows Data Sources: Windows Registry, File monitoring, Process command-line parameters, Process monitoring Permissions Required: User, Administrator Remote Support: Yes |
| Details | Published | Attributes | CTI | Title | ||
|---|---|---|---|---|---|---|
| Details | Website | 2024-12-17 | 23 | Hidden in Plain Sight: TA397’s New Attack Chain Delivers Espionage RATs | Proofpoint US | ||
| Details | Website | 2024-12-17 | 7 | [VulnHub] The Planets: Earth — Full Walkthrough and Key Insights | ||
| Details | Website | 2024-12-17 | 4 | Cleo File Transfer Vulnerabilities Exploited by Cl0p Ransomware – Gridinsoft Blogs | ||
| Details | Website | 2024-12-17 | 8 | 주간 탐지 룰(YARA, Snort) 정보 - 2024년 12월 3주차 - ASEC | ||
| Details | Website | 2024-12-17 | 8 | Weekly Detection Rule (YARA and Snort) Information - Week 3, December 2024 - ASEC | ||
| Details | Website | 2024-12-17 | 3 | Dragos Industrial Ransomware Analysis: Q3 2024 | Dragos | ||
| Details | Website | 2024-12-17 | 2 | Day 8 of Advent of Cyber 2024 TryHackMe | ||
| Details | Website | 2024-12-17 | 4 | Manufacturing Companies Targeted with New Lumma and Amadey Campaign | ||
| Details | Website | 2024-12-17 | 1 | Beware of Malicious Ads on Captcha Pages that Deliver Password Stealers | ||
| Details | Website | 2024-12-17 | 3 | Exploiting WriteOwner Misconfigurations in Active Directory: A Privilege Escalation Technique | ||
| Details | Website | 2024-12-17 | 0 | What You Dont Know About Fileless Malware | ||
| Details | Website | 2024-12-17 | 7 | Web Scraping Cyber Threat Intelligence Using Octoparse: Full Guide | ||
| Details | Website | 2024-12-17 | 14 | Tackling Tech Projects: Build your own Travel Router with a Raspberry Pi4 | ||
| Details | Website | 2024-12-17 | 16 | 북한 해킹 단체 김수키(Kimsuky)에서 만든 스피어 피싱으로 제작된 악성코드-열차9월10일원고(화)_4.bat(2024.12.02) | ||
| Details | Website | 2024-12-17 | 23 | Using CAPTCHA for Compromise: Hackers Flip the Script - ReliaQuest | ||
| Details | Website | 2024-12-17 | 53 | UAC-0099 APT IOCs - SEC-1275-1 | ||
| Details | Website | 2024-12-17 | 0 | DeceptionAds 通过 3,000 个网站和虚假验证码页面提供超过 100 万的日点击量-安全客 - 安全资讯平台 | ||
| Details | Website | 2024-12-17 | 17 | I2PRAT Malware IOCs - SEC-1275-1 | ||
| Details | Website | 2024-12-17 | 26 | Secret Blizzard APT IOCs - Part 2 - SEC-1275-1 | ||
| Details | Website | 2024-12-17 | 1 | Top 5 Symantec Cybersecurity Predictions for 2025 | ||
| Details | Website | 2024-12-17 | 5 | 'Bitter' cyberspies target defense orgs with new MiyaRAT malware | ||
| Details | Website | 2024-12-16 | 1 | The Breach Report — My Top Picks from Dec 9 — Dec 15 | ||
| Details | Website | 2024-12-16 | 48 | HTB University CTF 2024: Binary Badlands Forensics Challenges | ||
| Details | Website | 2024-12-16 | 1452 | US-CERT Vulnerability Summary for the Week of December 9, 2024 - RedPacket Security | ||
| Details | Website | 2024-12-16 | 65 | Violation Report from UAC-0099 (CERT-UA#12463) |