T1059.001: PowerShell
| View on MITRE ATT&CK | T1059.001 |
|---|---|
| Tactic(s) | Execution |
Data from MITRE ATT&CK®:
Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.(Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.
A number of PowerShell-based offensive testing tools are available, including Empire, PowerSploit, PoshC2, and PSAttack.(Citation: Github PSAttack)
PowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary through interfaces to PowerShell's underlying System.Management.Automation assembly DLL exposed through the .NET framework and Windows Common Language Interface (CLI).(Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)(Citation: Microsoft PSfromCsharp APR 2014)
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
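As an added illustration (not part of the MITRE text or of this site's own content), the Python below turns two behaviours from the description above into detection logic over the telemetry named in the data components section of this page: Sysmon EID 7 loads of System.Management.Automation.dll by a process that is not a known PowerShell host, and Sysmon EID 1 / Windows EID 4688 process creations carrying an -EncodedCommand argument. The host allowlist, the file paths and the sample events are constructed assumptions, not real telemetry.

```python
import base64
import re
# Hypothetical allowlist of legitimate PowerShell hosts; extend it for your estate.
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
AUTOMATION_DLL = re.compile(r"system\.management\.automation(\.ni)?\.dll$", re.I)
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

def image_name(path):  # lower-cased file name of a Windows image path
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def decode_encoded_command(cmdline):
    """Decode an -EncodedCommand argument (base64 of UTF-16LE); None if absent or invalid."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def check_module_load(event):
    """Sysmon EID 7: automation assembly loaded by a process that is not a PowerShell host."""
    if event["EventID"] != 7 or not AUTOMATION_DLL.search(event["ImageLoaded"]):
        return None
    host = image_name(event["Image"])
    if host in POWERSHELL_HOSTS:
        return None
    return f"unmanaged PowerShell host: {host} loaded {image_name(event['ImageLoaded'])}"

def check_process_create(event):
    """Sysmon EID 1 / Windows EID 4688: process started with an encoded command line."""
    decoded = decode_encoded_command(event["CommandLine"]) if event["EventID"] == 1 else None
    return None if decoded is None else f"encoded command via {image_name(event['Image'])}: {decoded}"

def triage(events):
    """Run both checks over event dicts and return the alert strings."""
    return [hit for ev in events for chk in (check_module_load, check_process_create)
            if (hit := chk(ev))]

# Constructed sample events (not real telemetry); field names follow Sysmon.
ENC = base64.b64encode("Start-Process notepad".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Windows\assembly\GAC_MSIL\System.Management.Automation.ni.dll"},
    {"EventID": 7, "Image": r"C:\Users\Public\updater.exe",
     "ImageLoaded": r"C:\Windows\assembly\GAC_MSIL\System.Management.Automation.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -NoP -W Hidden -EncodedCommand {ENC}"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},
]
```

Running triage(SAMPLE_EVENTS) yields two alerts: the unmanaged host updater.exe loading the automation assembly, and the decoded Start-Process command line; the benign powershell.exe load and the plain cmd.exe launch produce none.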
Reporting on this Technique
People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection
This advisory from the US National Security Agency, CISA and various other agencies outlines tactics, techniques and procedures used by Volt ...
APT40 Advisory - PRC MSS tradecraft in action
This advisory, authored by the Australian Cyber Security Centre and multiple other international cybersecurity agencies, outlines the threat posed ...
Threat Group FIN7 Targets the U.S. Automotive Industry
In late 2023, BlackBerry analysts discovered a targeted attack by FIN7 on a U.S. automotive manufacturer, exploiting IT employees with higher ...
Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation
This blog post by threat researchers at Mandiant outlines intrusions activity by the UNC3886 intrusion set which involved the deployment of ...
Connect:fun Detailing an exploitation campaign targeting FortiClient EMS via CVE-2023-48788
This report from Vedere Labs at Forescout Research details an exploitation campaign which they have designated Connect:fun. The attacks exploit ...
Investigating New INC Ransom Group Activity
This blog post from huntress discusses the ransomware group known as 'INC', breaking down the stages of an attack day by day. The Huntress team ...
From OneNote to RansomNote: An Ice Cold Intrusion
This case report from The DFIR Report describes an intrusion which started with a malicious OneNote attachment. Opening the OneNote file led to ...
Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks
This article by researchers at Trend Micro discusses an Advanced Persistent Threat (APT) group they name Earth Krahang who have been observed ...
Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally
This Cybersecurity Advisory by CISA with US and international partners outlines activity which they link to APT29 (also known as The Dukes, Cozy ...
Unveiling Earth Kapre aka RedCurl’s Cyberespionage Tactics With Trend Micro MDR, Threat Intelligence
The blog entry details an investigation by Trend Micro's Managed Extended Detection and Response (MDR) team into a cyberespionage incident ...
StopRansomware: Rhysida Ransomware
This is a joint Cybersecurity Advisory by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and ...
REDCURL - The pentest you didn't know about
This report by researchers at Group-IB outlines activity by a group they call RedCurl. The report identifies victimology and motivation (corporate ...
Threat Assessment: Black Basta Ransomware
This threat assessment from Palo Alto's Unit 42 describes the Black Basta 'Ransomware as a Service' operation including TTPs (tactics, techniques ...
PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure
Following an initial advisory issued in May 2023, this advisory from CISA, NSA and partners outlines information on the broader campaign of cyber ...
Buzzing on Christmas Eve: Trigona Ransomware in 3 Hours
This report by the DFIR Report outlines a Trigona Ransomware attack. It describes how the actors went from initial access (by exposed RDP) to data ...
Threat Actor Groups, Including Black Basta, are Exploiting Recent ScreenConnect Vulnerabilities
This blog post gives a detailed analysis of two critical vulnerabilities (CVE-2024-1708 and CVE-2024-1709) affecting ConnectWise ScreenConnect ...
Mitigations for this technique
MITRE ATT&CK Mitigations
Privileged Account Management
Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.
Disable or Remove Feature or Program
Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.
Execution Prevention
Block execution of code on a system through application control, and/or script blocking.
Code Signing
Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.
Antivirus/Antimalware
Use signatures or heuristics to detect malicious software.
How to detect this technique
MITRE ATT&CK Data Components
Script Execution (Script)
The execution of a text file that contains code via the interpreter (e.g. Powershell, WMI, Windows EID 4104, etc.)
Module Load (Module)
Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)
Process Metadata (Process)
Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc.
Process Creation (Process)
The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)
Command Execution (Command)
The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc.)
Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments
ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments
Powershell Invoke-DownloadCradle
PowerShell Command Execution
Run Bloodhound from Memory using Download Cradle
Powershell XML requests
Abuse Nslookup with DNS Records
ATHPowerShellCommandLineParameter -EncodedCommand parameter variations
PowerShell Invoke Known Malicious Cmdlets
ATHPowerShellCommandLineParameter -Command parameter variations
Powershell MsXml COM object - with prompt
Invoke-AppPathBypass
Mimikatz
PowerShell Fileless Script Execution
Powershell invoke mshta.exe download
SOAPHound - Dump BloodHound Data
PowerShell Session Creation and Use
SOAPHound - Build Cache
Mimikatz - Cradlecraft PsSendKeys
NTFS Alternate Data Stream Access
PowerUp Invoke-AllChecks
Run BloodHound from local disk
Sigma Detections for this Technique
Cmd.EXE Missing Space Characters Execution Anomaly
PSAsyncShell - Asynchronous TCP Reverse Shell
Invoke-Obfuscation Via Use Rundll32 - System
Powershell MsXml COM Object
PowerShell Downgrade Attack - PowerShell
HackTool - Default PowerSploit/Empire Scheduled Task Creation
Invoke-Obfuscation COMPRESS OBFUSCATION - Security
PowerShell Create Local User
Nslookup PowerShell Download Cradle
Remote Thread Creation Via PowerShell In Uncommon Target
Exchange PowerShell Snap-Ins Usage
PowerShell Core DLL Loaded By Non PowerShell Process
AWS EC2 Startup Shell Script Change
PowerShell Remote Session Creation
Invoke-Obfuscation CLIP+ Launcher
Bad Opsec Powershell Code Artifacts
Invoke-Obfuscation VAR+ Launcher - PowerShell Module
Potential PowerShell Command Line Obfuscation
Malicious ShellIntel PowerShell Commandlets
SQL Client Tools PowerShell Session Detection
Invoke-Obfuscation STDIN+ Launcher - System
Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell
Invoke-Obfuscation Via Use Clip - PowerShell Module
Potential Data Exfiltration Activity Via CommandLine Tools
Usage Of Web Request Commands And Cmdlets
Potential WinAPI Calls Via PowerShell Scripts
Invoke-Obfuscation Via Stdin - Powershell
ConvertTo-SecureString Cmdlet Usage Via CommandLine
Malicious PowerShell Keywords
Invoke-Obfuscation Via Use MSHTA
PowerShell Base64 Encoded Reflective Assembly Load
Hidden Powershell in Link File Pattern
PowerShell Script Run in AppData
Invoke-Obfuscation Via Use Clip - Powershell
Powershell XML Execute Command
PowerShell Download Pattern
Invoke-Obfuscation Via Use MSHTA - Security
Invoke-Obfuscation RUNDLL LAUNCHER - Security
Invoke-Obfuscation Obfuscated IEX Invocation
Remote PowerShell Session (PS Module)
Suspicious Execution of Powershell with Base64
Invoke-Obfuscation Via Use Rundll32 - PowerShell Module
Base64 Encoded PowerShell Command Detected
Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module
Malicious PowerShell Commandlets - ProcessCreation
Execute Code with Pester.bat
Suspicious WSMAN Provider Image Loads
Invoke-Obfuscation CLIP+ Launcher - PowerShell Module
PowerShell DownloadFile
Powershell Inline Execution From A File
Malicious PowerShell Commandlets - ScriptBlock
Silence.EDA Detection
Potential Encoded PowerShell Patterns In CommandLine
Potential PowerShell Obfuscation Via Reversed Commands
HackTool - Bloodhound/Sharphound Execution
Potential PowerShell Obfuscation Via WCHAR
Suspicious PowerShell Invocations - Generic
Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell
Invoke-Obfuscation Via Use Clip - System
Suspicious XOR Encoded PowerShell Command
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell
File Was Not Allowed To Run
PowerShell PSAttack
Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell
Potentially Suspicious WebDAV LNK Execution
PowerShell ShellCode
Suspicious Non PowerShell WSMAN COM Provider
Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call
Invoke-Obfuscation STDIN+ Launcher - PowerShell Module
Suspicious Encoded PowerShell Command Line
Invoke-Obfuscation VAR+ Launcher - System
Suspicious PowerShell Download - PoshModule
Suspicious PowerShell Download - Powershell Script
Invoke-Obfuscation Via Use Rundll32 - PowerShell
Invoke-Obfuscation Via Stdin - PowerShell Module
Invoke-Obfuscation Via Stdin
PowerShell Web Download
Scheduled Task Executing Encoded Payload from Registry
Change PowerShell Policies to an Insecure Level - PowerShell
WMImplant Hack Tool
Usage Of Web Request Commands And Cmdlets - ScriptBlock
Invoke-Obfuscation CLIP+ Launcher - Security
Execution of Powershell Script in Public Folder
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
Execute Code with Pester.bat as Parent
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security
Suspicious PowerShell IEX Execution Patterns
Remote PowerShell Session Host Process (WinRM)
Invoke-Obfuscation COMPRESS OBFUSCATION
Remote LSASS Process Access Through Windows Remote Management
Certificate Exported Via PowerShell
Invoke-Obfuscation Via Use MSHTA - System
Invoke-Obfuscation STDIN+ Launcher - Security
Suspicious PowerShell Parameter Substring
New PowerShell Instance Created
PowerShell Base64 Encoded Invoke Keyword
Invoke-Obfuscation Via Use Clip
Suspicious PowerShell Encoded Command Patterns
Invoke-Obfuscation Via Use Rundll32 - Security
NTFS Alternate Data Stream
PowerShell ADRecon Execution
Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module
Potential Persistence Via Powershell Search Order Hijacking - Task
Potential PowerShell Obfuscation Using Alias Cmdlets
Alternate PowerShell Hosts - PowerShell Module
Suspicious PowerShell Invocations - Specific - PowerShell Module
Suspicious HH.EXE Execution
Invoke-Obfuscation CLIP+ Launcher - System
Non Interactive PowerShell Process Spawned
HackTool - Covenant PowerShell Launcher
Potentially Suspicious PowerShell Child Processes
Potential PowerShell Obfuscation Using Character Join
Detection of PowerShell Execution via Sqlps.exe
Potential Suspicious PowerShell Keywords
HackTool - CrackMapExec Execution
Suspicious Interactive PowerShell as SYSTEM
Net WebClient Casing Anomalies
Remote PowerShell Session (PS Classic)
HTML Help HH.EXE Suspicious Child Process
PowerView PowerShell Cmdlets - ScriptBlock
BloodHound Collection Files
Change PowerShell Policies to an Insecure Level
Invoke-Obfuscation RUNDLL LAUNCHER - System
PowerShell Called from an Executable Version Mismatch
Invoke-Obfuscation VAR+ Launcher
PowerShell Credential Prompt
Suspicious PowerShell Invocation From Script Engines
Renamed Powershell Under Powershell Channel
Import PowerShell Modules From Suspicious Directories - ProcCreation
Import PowerShell Modules From Suspicious Directories
HackTool - Empire PowerShell Launch Parameters
Invoke-Obfuscation VAR+ Launcher - Security
Scheduled Task Executing Payload from Registry
PowerShell Base64 Encoded IEX Cmdlet
PowerShell Base64 Encoded FromBase64String Cmdlet
Invoke-Obfuscation Via Stdin - System
Windows Shell/Scripting Processes Spawning Suspicious Programs
Invoke-Obfuscation VAR+ Launcher - PowerShell
HackTool - CrackMapExec PowerShell Obfuscation
Invoke-Obfuscation Via Stdin - Security
HackTool - CrackMapExec Execution Patterns
Command Line Execution with Suspicious URL and AppData Strings
Suspicious PowerShell Parent Process
Alternate PowerShell Hosts Pipe
Malicious Base64 Encoded PowerShell Keywords in Command Lines
Suspicious PowerShell Download and Execute Pattern
Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell
Malicious Nishang PowerShell Commandlets
Invoke-Obfuscation STDIN+ Launcher - Powershell
Potential Remote PowerShell Session Initiated
Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module
Potential PowerShell Downgrade Attack
Invoke-Obfuscation STDIN+ Launcher
Potential DLL File Download Via PowerShell Invoke-WebRequest
Invoke-Obfuscation Via Use Clip - Security
Invoke-Obfuscation CLIP+ Launcher - PowerShell
Malicious PowerShell Scripts - FileCreation
PowerShell Base64 Encoded WMI Classes
Malicious PowerShell Scripts - PoshModule
Suspicious XOR Encoded PowerShell Command Line - PowerShell
Malicious PowerShell Commandlets - PoshModule
Potential Powershell ReverseShell Connection
Suspicious Schtasks Execution AppData Folder
Suspicious File Execution From Internet Hosted WebDav Share
Invoke-Obfuscation Via Use MSHTA - PowerShell
Suspicious PowerShell Invocations - Specific
Remote PowerShell Sessions Network Connections (WinRM)
Suspicious PowerShell Download
Invoke-Obfuscation Via Use MSHTA - PowerShell Module
Invoke-Obfuscation COMPRESS OBFUSCATION - System
Suspicious PowerShell Invocations - Generic - PowerShell Module
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.