Common Information
| Type | Value |
|---|---|
| Value |
PowerShell - T1086 |
| Category | Attack-Pattern |
| Type | Mitre-Enterprise-Attack-Attack-Pattern |
| Misp Type | Cluster |
| Description | PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer. PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk. Administrator permissions are required to use PowerShell to connect to remote systems. A number of PowerShell-based offensive testing tools are available, including Empire, (Citation: Github PowerShell Empire) PowerSploit, (Citation: Powersploit) and PSAttack. (Citation: Github PSAttack) Detection: If proper execution policy is set, adversaries will likely be able to define their own execution policy if they obtain administrator or system access, either through the Registry or at the command line. This change in policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity. It is also beneficial to turn on PowerShell logging to gain increased fidelity in what occurs during execution. (Citation: Malware Archaeology PowerShell Cheat Sheet) PowerShell 5.0 introduced enhanced logging capabilities, and some of those features have since been added to PowerShell 4.0. Earlier versions of PowerShell do not have many logging features. (Citation: FireEye PowerShell Logging 2016) An organization can gather PowerShell execution details in a data analytic platform to supplement it with other data. Platforms: Windows Data Sources: Windows Registry, File monitoring, Process command-line parameters, Process monitoring Permissions Required: User, Administrator Remote Support: Yes |
| Details | Published | Attributes | CTI | Title | ||
|---|---|---|---|---|---|---|
| Details | Website | 2024-12-16 | 65 | Violation Report” from UAC-0099 (CERT-UA#12463) | ||
| Details | Website | 2024-12-16 | 13 | Cleo File Transfer Vulnerabilities (CVE-2024-50623, CVE-2024-55956) – Cl0P's Latest Attack Vector - SOCRadar® Cyber Intelligence Inc. | ||
| Details | Website | 2024-12-16 | 14 | UAC-0099 Attack Detection: Cyber-Espionage Activity Against Ukrainian State Agencies Using WinRAR Exploit and LONEPAGE Malware - SOC Prime | ||
| Details | Website | 2024-12-16 | 0 | Fake Captcha Campaign Highlights Risks of Malvertising Networks | ||
| Details | Website | 2024-12-16 | 315 | “DeceptionAds” — Fake Captcha Driving Infostealer Infections and a Glimpse to the Dark Side of… | ||
| Details | Website | 2024-12-16 | 23 | Detection Engineer’s Guide to Powershell Remoting | ||
| Details | Website | 2024-12-16 | 14 | Every Step a Stealthy Move: The Malware Weaving Its Web in Silence | ||
| Details | Website | 2024-12-16 | 34 | Analysis of trammy.dll as a part of BBkot attack | ||
| Details | Website | 2024-12-16 | 3 | Detection engineering at scale: one step closer (part one) | ||
| Details | Website | 2024-12-16 | 8 | Thai Officials Targeted in Yokai Backdoor Campaign Using DLL Side-Loading Techniques | ||
| Details | Website | 2024-12-16 | 14 | EventID: 91 — LetsDefend.io | ||
| Details | Website | 2024-12-16 | 0 | 10 Best Ethical Hacking Courses On Udemy (2025) | ||
| Details | Website | 2024-12-16 | 28 | CyberDefenders — PhishStrike Challenge Walkthrough | ||
| Details | Website | 2024-12-16 | 8 | 使用 DLL 侧加载技术的 Yokai 后门活动瞄准泰国官员-安全客 - 安全资讯平台 | ||
| Details | Website | 2024-12-16 | 4 | AI助手Kimi突发大面积崩溃,官方回应;美国比特币ATM运营商遭遇网络攻击,5.8万客户信息或泄露 | 牛览 - 安全牛 | ||
| Details | Website | 2024-12-16 | 37 | Threat Intelligence Report December 10th – December 16th, 2024 | ||
| Details | Website | 2024-12-16 | 28 | 安全热点周报:新的 Cleo 零日 RCE 漏洞被利用于数据盗窃攻击 | ||
| Details | Website | 2024-12-16 | 7 | Malicious ads push Lumma infostealer via fake CAPTCHA pages | ||
| Details | Website | 2024-12-16 | 12 | CARBON SPIDER Embraces Big Game Hunting, Part 1 | CrowdStrike | ||
| Details | Website | 2024-12-15 | 3 | TryHackMe Advent of Cyber 2024 Full Walkthrough Part 2 | ||
| Details | Website | 2024-12-15 | 11 | Day 6 of Advent of Cyber 2024 TryHackMe | ||
| Details | Website | 2024-12-14 | 1 | Threat Hunting With YARA Walkthrough with Answers | TryHackMe Write-Up | ||
| Details | Website | 2024-12-14 | 30 | Top 10 Active Directory Attack Techniques to Gain Domain Admin | ||
| Details | Website | 2024-12-14 | 11 | DNS Tunneling attack | ||
| Details | Website | 2024-12-14 | 15 | TryHackMe: Pyramid Of Pain Walkthrough (SOC Level 1) |