Windows PowerShell Remoting: Host Based Investigation and Containment Techniques
Common Information
Type                              Value
UUID                              929dae1f-d00d-460f-ad75-b1fc956b1dcc
Fingerprint                       24a9dc51a021fb80
Analysis status                   DONE
Considered CTI value              0
Text language
Published                         Nov. 13, 2018, 4:34 p.m.
Added to db                       Jan. 18, 2023, 8:08 p.m.
Last updated                      Nov. 18, 2024, 1:38 a.m.
Headline                          B2dfir
Title                             Windows PowerShell Remoting: Host Based Investigation and Containment Techniques
Detected Hints/Tags/Attributes    42/1/14
Attributes
Type                    #Events  Value                                                                                         CTI Value
Domain                  2        boot.to
Domain                  291      raw.githubusercontent.com
Domain                  2        bad.com
File                    1        file.ps1
File                    1        c:\users\bob\downloads\maliciousdoc.docx
File                    1        raw-socket-sniffer.ps1
File                    1209     powershell.exe
File                    1        blockdomains.ps1
Github username         1        nospaceships
IPv4                    81       192.168.1.100
IPv4                    1441     127.0.0.1
IPv4                    1        173.182.192.43
Url                     1        https://raw.githubusercontent.com/nospaceships/raw-socket-sniffer/master/raw-socket-sniffer.ps1
Windows Registry Key    48       HKLM\Software\Microsoft\Windows\CurrentVersion\Run