Common Information
| Type | Value |
|---|---|
| Value |
PowerShell - T1086 |
| Category | Attack-Pattern |
| Type | Mitre-Enterprise-Attack-Attack-Pattern |
| Misp Type | Cluster |
| Description | PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer. PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk. Administrator permissions are required to use PowerShell to connect to remote systems. A number of PowerShell-based offensive testing tools are available, including Empire, (Citation: Github PowerShell Empire) PowerSploit, (Citation: Powersploit) and PSAttack. (Citation: Github PSAttack) Detection: If proper execution policy is set, adversaries will likely be able to define their own execution policy if they obtain administrator or system access, either through the Registry or at the command line. This change in policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity. It is also beneficial to turn on PowerShell logging to gain increased fidelity in what occurs during execution. (Citation: Malware Archaeology PowerShell Cheat Sheet) PowerShell 5.0 introduced enhanced logging capabilities, and some of those features have since been added to PowerShell 4.0. Earlier versions of PowerShell do not have many logging features. (Citation: FireEye PowerShell Logging 2016) An organization can gather PowerShell execution details in a data analytic platform to supplement it with other data. Platforms: Windows Data Sources: Windows Registry, File monitoring, Process command-line parameters, Process monitoring Permissions Required: User, Administrator Remote Support: Yes |
| Details | Published | Attributes | CTI | Title | ||
|---|---|---|---|---|---|---|
| Details | Website | 2024-12-14 | 2 | MITRE ATT&CK Framework: Empowering Cyber Defenses đĄïž | ||
| Details | Website | 2024-12-14 | 0 | Reverse Quantum Engineering: Part 2âââThe Universal Framework for Life, Intelligence, and⊠| ||
| Details | Website | 2024-12-13 | 6 | LDAP Enumeration: Unveiling the Double-Edged Sword of Active Directory | ||
| Details | Website | 2024-12-13 | 14 | Blue-Team CTF | ||
| Details | Website | 2024-12-13 | 3 | Windows Ä°Ćletim Sistemi GĂŒvenliÄi | ||
| Details | Website | 2024-12-13 | 1 | 2024 TryHackMe (THM)Advent of Cyber (AoC) Day 8 Walkthrough | THM Writeup | ||
| Details | Website | 2024-12-13 | 18 | HackTheBox Archetype Writeup | ||
| Details | Website | 2024-12-13 | 57 | NodeLoader Exposed: The Node.js Malware Evading Detection | ||
| Details | Website | 2024-12-13 | 15 | SOC Level 1 | MITRE |TryHackMeâââWalkthrough | ||
| Details | Website | 2024-12-13 | 4 | Advent of Cyber 2024-Day 2: Log Analysisâ One Manâs False Positive is Another Manâs Potpourri | ||
| Details | Website | 2024-12-13 | 1 | Cyber Briefing: 2024.12.13 | ||
| Details | Website | 2024-12-13 | 3 | 2024 Sees Sharp Increase in Microsoft Tool Exploits | ||
| Details | Website | 2024-12-13 | 3 | Secret Blizzard Attack Detection: The russia-Linked APT Group Targets Ukraine via Amadey Malware to Deploy the Updated Kazuar Backdoor Version - SOC Prime | ||
| Details | Website | 2024-12-13 | 13 | Time to patch: Multiple critical vulnerabilities under exploitation | ||
| Details | Website | 2024-12-13 | 39 | OilRig Exposed: Unveiling the Tools and Techniques of APT34 | ||
| Details | Website | 2024-12-13 | 1 | Advent of Cyber 2024âââDay 8: Shellcodes of the World, Unite! | ||
| Details | Website | 2024-12-13 | 20 | Remcos RAT IOCs - Part 24 - SEC-1275-1 | ||
| Details | Website | 2024-12-13 | 34 | Vishing via Microsoft Teams Facilitates DarkGate Malware Intrusion | ||
| Details | Website | 2024-12-13 | 140 | Under the SADBRIDGE with GOSAR: QUASAR Gets a Golang Rewrite â Elastic Security Labs | ||
| Details | Website | 2024-12-13 | 51 | NodeLoader Exposed: The Node.js Malware Evading Detection | ||
| Details | Website | 2024-12-13 | 3 | CISA confirms critical Cleo bug exploitation in ransomware attacks | ||
| Details | Website | 2024-12-13 | 33 | CVE-2024-55956: Zero-Day Vulnerability in Cleo Software Could Lead to Data Theft | ||
| Details | Website | 2024-12-13 | 59 | æŻćšé«çș§ćšèæ æ„è§ŁèŻ»(2024.12.13~12.19) | ||
| Details | Website | 2024-12-12 | 6 | TryHackMe WriteupâââAdvent of Cyber 2024 Day 1: Maybe SOC-mas music, he thought, doesnât come from⊠| ||
| Details | Website | 2024-12-12 | 12 | Analyzing Salt Typhoon: Telecom Attacker |