T1059.001: PowerShell
Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet, which can be used to run an executable, and the Invoke-Command cmdlet, which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.
A number of PowerShell-based offensive testing tools are available, including Empire, PowerSploit, PoshC2, and PSAttack.
PowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary, through interfaces to PowerShell's underlying System.Management.Automation assembly DLL exposed through the .NET framework and Windows Common Language Interface (CLI).
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
it_bastion: PT-CR-2184: SKDPUNT_Blacklisted_Command: A blacklisted command is executed
mitre_attck_execution: PT-CR-339: Script_Files_Execution: A user attempted to run a script
mitre_attck_execution: PT-CR-342: Schtasks_Commandline: A scheduled task was managed using the command line or PowerShell
mitre_attck_execution: PT-CR-581: Execute_Encoded_Powershell: Starting a PowerShell process or a Base64-encoded command is detected
mitre_attck_execution: PT-CR-644: Powershell_Library_Loaded_into_Process: A process started loading a PowerShell environment to its address space
mitre_attck_execution: PT-CR-646: Run_Malicious_Msbuild_Project: An attempt to load a .NET assembly at the path with the microsoft.build mask is detected
hacking_tools: PT-CR-373: SharpWMI_Usage: Possible use of the SharpWMI software is detected
hacking_tools: PT-CR-374: Sliver_Shell_Usage: Possible use of the Sliver Shell software is detected
mitre_attck_collection: PT-CR-491: Clipboard_Access: Detection of attempts to make a shadow copy of information copied to the clipboard
mitre_attck_collection: PT-CR-492: Clipboard_Access_Powershell: Detection of attempts to make a shadow copy of information copied to the clipboard via PowerShell
mitre_attck_collection: PT-CR-499: Shadow_Screen_saves_PowerShell: Detection of attempts to take multiple hidden screenshots of the screen via PowerShell
mitre_attck_collection: PT-CR-500: Documents_Access_via_Console: A user interacts with Office documents using cmd.exe or PowerShell
hacking_tools: PT-CR-584: Empire_Stager: A PS script with an Empire stager substring is run
hacking_tools: PT-CR-586: Metasploit_Payload: Possible use of a Metasploit payload is detected
hacking_tools: PT-CR-588: Windows_Hacktool_Usage: Possible use of security analysis tools for Windows systems is detected
mitre_attck_execution: PT-CR-1091: Payload_Injection_into_EventLog: An attempt to write a payload to the Event Log using the Write-EventLog PowerShell cmdlet is detected
mitre_attck_execution: PT-CR-1359: NimPlant_Powershell_Activity: Starting a potentially malicious PowerShell cmdlet with the NimPlant implant is detected
mitre_attck_execution: PT-CR-1756: PowerShdll_Usage: The PowerShdll utility was started
mitre_attck_execution: PT-CR-1087: Dangerous_Command_Usage: An attempt to execute a potentially dangerous command is detected
mitre_attck_impact: PT-CR-497: Shadow_Copies_Deletion_with_Builtin_Tools: Detection of attempts to delete the shadow copies of data that is needed to restore Windows
mitre_attck_impact: PT-CR-501: Stop_Important_Service: Attempt to stop an important service
mitre_attck_lateral_movement: PT-CR-957: Input_Remote_PowerShell_via_WinRM: Remote use of PowerShell cmdlets via the WinRM protocol is detected on an attacked host
mitre_attck_lateral_movement: PT-CR-959: Lateral_Movement_via_WinRM: Remote use of PowerShell cmdlets via the WinRM protocol is detected
mitre_attck_lateral_movement: PT-CR-961: Output_Remote_PowerShell_via_WinRM: Remote use of PowerShell cmdlets on an attacking host via the WinRM protocol is detected
mitre_attck_lateral_movement: PT-CR-220: Client_Side_Execution_via_DCOM: Use of DCOM for remote code execution is detected
mitre_attck_execution: PT-CR-2300: Windows_Path_Traversal: Attempted Path Traversal attack. This attack on the Windows command line allows the attacker to access arbitrary files and directories stored on the file system.
mitre_attck_execution: PT-CR-2391: Fuegoshell_Remote_Shell: Possible creation of a remote shell using PowerShell functions System.IO.Pipes.NamedPipeServerStream and System.IO.Pipes.NamedPipeClientStream designed to create a server on user's host (bind shell) and to connect to a server on attacker's host (reverse shell). This may indicate the use of Fuegoshell one-liners.
mitre_attck_execution: PT-CR-2392: Fuegoshell_Oneliners_Execution: PowerShell functions System.IO.Pipes.NamedPipeServerStream and System.IO.Pipes.NamedPipeClientStream were used to create a server that awaits a bind or reverse shell. This may indicate the use of Fuegoshell one-liners and creation of a remote shell to execute malicious commands via PowerShell.
mitre_attck_execution: PT-CR-316: LOLBin_Copying: An attempt to copy a system application is detected
mitre_attck_execution: PT-CR-340: Execute_Malicious_Command: An attempt to execute a potentially dangerous command is detected
mitre_attck_execution: PT-CR-58: Execute_Malicious_Powershell_Cmdlet: Starting a potentially malicious PowerShell cmdlet is detected
mitre_attck_execution: PT-CR-944: Subrule_PowerShell_CLM_Bypass_4103: An attempt to bypass PowerShell Constrained Language was detected based on PowerShell module logging events
mitre_attck_execution: PT-CR-945: Subrule_PowerShell_CLM_Bypass_4104: An attempt to bypass PowerShell Constrained Language was detected based on PowerShell script block logging events
mitre_attck_collection: PT-CR-1932: Copying_Files: Copying files and folders using xcopy and robocopy utilities, copy command, Copy-Item cmdlet
mitre_attck_defense_evasion: PT-CR-1859: Disable_UAC_Remote_Restrictions: Attackers can disable UAC as part of remote connection control. This allows high-privilege users to connect to a remote host using an account from the local administrators group on this host.
microsoft_mecm: PT-CR-1860: MECM_SharpSCCM: Using SharpSCCM to search for sensitive information about MECM clients
mitre_attck_defense_evasion: PT-CR-1861: Firewall_Modify: Attempt to change the Windows firewall configuration
mitre_attck_execution: PT-CR-1962: Remote_Registry_Enable: Possible start of the Remote Registry service to remotely change the values of Windows registry keys, which can be used for lateral movement
mitre_attck_execution: PT-CR-207: Suspicious_Wmic_Command: An attempt to use "wmic" for suspicious activity is detected
mitre_attck_execution: PT-CR-2116: Reverse_Shell_via_Powershell: A reverse-shell connection established via PowerShell
it_bastion: PT-CR-2171: SKDPUNT_Suspicious_Command: A user executed a potentially dangerous command
it_bastion: PT-CR-2177: SKDPUNT_Potentially_Dangerous_Command: Potentially dangerous commands are used
hacking_tools: PT-CR-839: SharPersist_Usage: Possible usage of the SharPersist utility is detected
hacking_tools: PT-CR-840: SharpKatz_Usage: The signs of SharpKatz software usage are detected
hacking_tools: PT-CR-1726: Havoc_Powerpick: A suspicious process injected into the werfault.exe process, which may indicate the use of the Havoc software that allows attackers to covertly execute PowerShell commands
hacking_tools: PT-CR-1727: Havoc_Powershell_Command_Execution: Command line artifacts indicate that a suspicious process executed a PowerShell command
hacking_tools: PT-CR-1947: Powermad_Usage: Powermad is used to exploit AD account attributes
mitre_attck_execution: PT-CR-782: WinAPI_Access_from_Powershell: A Windows API call from PowerShell is detected
mitre_attck_defense_evasion: PT-CR-930: AMSI_Bypass_via_Powershell: AMSI bypass method use is detected
mitre_attck_defense_evasion: PT-CR-936: Obfuscated_Powershell: The usage of known obfuscation techniques in PowerShell scripts
mitre_attck_defense_evasion: PT-CR-938: PowerShell_CLM_Bypass: An attempt to bypass PowerShell Constrained Language
mitre_attck_defense_evasion: PT-CR-942: Subrule_CSC_Start_and_File_Create: Starting a csc.exe process with a parent powershell.exe process and creating a library by a process is detected
hacking_tools: PT-CR-2134: SharpToken_Usage: SharpToken was used. This tool can find leaked tokens from all processes in the system and exploit them. If attackers accessed a low-privileged account, they can use this tool to upgrade to "NT AUTHORITY\SYSTEM" privileges. SharpToken can also be used to capture interactive user sessions.
hacking_tools: PT-CR-2339: PsMapExec_First_Usage: The PsMapExec tool created for PowerShell was used for the first time. PsMapExec is used for post-exploitation, reconnaissance, gaining access, remote command execution on hosts, and compromising Active Directory accounts.
mitre_attck_persistence: PT-CR-264: Add_new_user_in_commandline: An attempt to create an account using the command line or PowerShell is detected
mitre_attck_persistence: PT-CR-271: Service_Created_or_Modified: An attempt to perform operations on Microsoft Windows services using the command line or PowerShell is detected
hacking_tools: PT-CR-369: Mimikatz_Command: Possible use of the Mimikatz software is detected
hacking_tools: PT-CR-370: NetCat_Usage: Possible use of the NetCat, Socat, and Powercat software is detected
hacking_tools: PT-CR-371: Rubeus_Usage: Possible use of the Rubeus software is detected
hacking_tools: PT-CR-372: SharpSploit_Usage: Possible use of the SharpSploit software is detected
hacking_tools: PT-CR-750: Cobalt_Strike_Powershell_Payload_Delivery: A payload download using an encoded PowerShell command is detected
mitre_attck_defense_evasion: PT-CR-203: BitsJob_Download_and_Run: An attempt to download or start an application using Microsoft Windows "bitsadmin" is detected
mitre_attck_defense_evasion: PT-CR-2060: Powershell_Execution_from_Image: The Invoke-PSImage utility was used to run a PowerShell script embedded in an image
mitre_attck_defense_evasion: PT-CR-208: XSL_Script_WMIC_Execution: An attempt to run XSL scripts using "wmic" is detected
mitre_attck_cred_access: PT-CR-298: Access_System_Credential_files_via_cmdline: An attempt to retrieve OS user credentials is detected
mitre_attck_cred_access: PT-CR-299: LAPS_Enumeration: Search for users, groups, and computers with access to Microsoft LAPS (Local Administrator Password Solution). LAPS automatically manages the local administrator account password and backs up this password on devices connected to Active Directory services.
pt_application_firewall: PT-CR-1915: PTAF_Hacktool_Detected: PT AF detected signs of a hacking tool being used
Detection
ID | Data source and component | Description
---|---|---
DS0012 | Script: Script Execution | Monitor for any attempts to enable scripts running on a system; such attempts would be considered suspicious. If scripts are not commonly used on a system but are enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Analytic 1 - Script Block Logging Events
DS0017 | Command: Command Execution | If proper execution policy is set, adversaries will likely be able to define their own execution policy if they obtain administrator or system access, either through the Registry or at the command line. This change in policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity. It is also beneficial to turn on PowerShell logging to gain increased fidelity in what occurs during execution (which is applied to .NET invocations). PowerShell 5.0 introduced enhanced logging capabilities, and some of those features have since been added to PowerShell 4.0. Earlier versions of PowerShell do not have many logging features. An organization can gather PowerShell execution details in a data analytic platform to supplement it with other data. PowerShell can be used over WinRM to remotely run commands on a host. When a remote PowerShell session starts, svchost.exe executes wsmprovhost.exe. For this to work, certain registry keys must be set, and the WinRM service must be enabled. The PowerShell command Enter-PSSession -ComputerName \
DS0009 | Process: Process Creation | Monitor for newly executed processes that may abuse PowerShell commands and scripts for execution. PowerShell is a scripting environment included with Windows that is used by both attackers and administrators. Execution of PowerShell scripts in most Windows versions is opaque and not typically secured by antivirus, which makes using PowerShell an easy way to circumvent security measures. This analytic detects execution of PowerShell scripts. PowerShell can be used to hide monitored command-line execution such as net use and sc start. Note: Analytic 1 - Non-interactive Powershell Sessions; Analytic 2 - Remote Powershell Sessions; Analytic 3 - Powershell Execution
DS0009 | Process: Process Metadata | Consider monitoring for Windows event ID (EID) 400, which shows the version of PowerShell executing in the
DS0011 | Module: Module Load | Monitor for loading and/or execution of artifacts associated with PowerShell-specific assemblies, such as System.Management.Automation.dll (especially in unusual process names/locations). Analytic 1 - Processes loading PowerShell assemblies
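The Detection table above relies on script block logging (EID 4104), module logging, the classic "Windows PowerShell" log (EID 400) and command-line artifacts. The following PowerShell is an added example written for this page; it is not MaxPatrol SIEM rule content or code from Positive Technologies or MITRE. It turns on the logging policies through their well-known registry keys, then applies a small set of pattern checks to 4104 script blocks and to command lines. The transcript directory, the pattern list, and the sample command lines at the bottom are constructed for the example; the policy part assumes an elevated Windows PowerShell 5.1 session.

```powershell
# Added example: enable PowerShell logging policies and hunt the resulting events.
# Assumes Windows PowerShell 5.1+ and an elevated session for Enable-PowerShellLoggingPolicy.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PowerShellLoggingPolicy {
    # Script block logging -> EID 4104 in Microsoft-Windows-PowerShell/Operational
    New-Item -Path "$PolicyRoot\ScriptBlockLogging" -Force | Out-Null
    Set-ItemProperty -Path "$PolicyRoot\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord
    # Module logging -> EID 4103 pipeline details for every module ('*')
    New-Item -Path "$PolicyRoot\ModuleLogging\ModuleNames" -Force | Out-Null
    Set-ItemProperty -Path "$PolicyRoot\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
    Set-ItemProperty -Path "$PolicyRoot\ModuleLogging\ModuleNames" -Name '*' -Value '*'
    # Transcription -> full session text on disk (output directory is a placeholder path)
    New-Item -Path "$PolicyRoot\Transcription" -Force | Out-Null
    Set-ItemProperty -Path "$PolicyRoot\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
    Set-ItemProperty -Path "$PolicyRoot\Transcription" -Name OutputDirectory -Value 'C:\PSTranscripts'
}

# Patterns chosen for this example; tune them to the environment's baseline
$SuspiciousPatterns = @(
    '-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{40,}',   # -EncodedCommand with a long Base64 blob
    '-w(indowstyle)?\s+hidden',                        # hidden window
    '-nop(rofile)?\b.*-noni(nteractive)?\b',           # non-interactive, no-profile combination
    '\bIEX\b|Invoke-Expression',                       # evaluating text as code
    'DownloadString|DownloadFile|Net\.WebClient',      # fetch-and-run from the Internet
    'System\.Management\.Automation\.AmsiUtils',       # frequent AMSI tampering target
    'FromBase64String'                                 # decoding an embedded payload
)

function Test-SuspiciousPowerShellText {
    # Returns which patterns matched and, for -EncodedCommand, the decoded UTF-16LE text
    param([Parameter(Mandatory)][string]$Text)
    $hits = foreach ($p in $SuspiciousPatterns) { if ($Text -match $p) { $p } }   # -match is case-insensitive
    $decoded = $null
    if ($Text -match '-e(nc(odedcommand)?)?\s+([A-Za-z0-9+/=]{40,})') {
        try { $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[3])) } catch { }
    }
    [pscustomobject]@{ Suspicious = [bool]$hits; Patterns = @($hits); Decoded = $decoded }
}

function Find-SuspiciousScriptBlock {
    # Reads EID 4104 events written since $Since and keeps only the blocks that match a pattern
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml   = [xml]$_.ToXml()
            $block = ($xml.Event.EventData.Data | Where-Object Name -eq 'ScriptBlockText').'#text'
            $r = Test-SuspiciousPowerShellText -Text $block
            if ($r.Suspicious) {
                [pscustomobject]@{ Time = $_.TimeCreated; Patterns = ($r.Patterns -join '; '); Block = $block }
            }
        }
}

function Get-PowerShellEngineVersionSummary {
    # EID 400 in the classic log records the engine version; a PowerShell 2.0 start on a
    # host where 5.x is standard is worth a look (downgrade avoids script block logging)
    Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400 } -MaxEvents 500 -ErrorAction SilentlyContinue |
        ForEach-Object { if ($_.Message -match 'EngineVersion=([\d.]+)') { $Matches[1] } } |
        Group-Object | Select-Object Name, Count
}

# Constructed sample command lines (not real events) to show what the checks flag
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('Write-Output "benign marker for the example"'))
$samples = @(
    "powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden -EncodedCommand $encoded",
    'powershell.exe -Command "Get-ChildItem C:\Temp"'
)
$samples | ForEach-Object { Test-SuspiciousPowerShellText -Text $_ | Select-Object Suspicious, Decoded }
```

Run Enable-PowerShellLoggingPolicy once (or deploy the same keys through Group Policy), then schedule Find-SuspiciousScriptBlock and Get-PowerShellEngineVersionSummary as collection jobs or reproduce the same patterns in the SIEM. The first sample is flagged and its decoded command shown; the second is not flagged, which is the point of checking the patterns against a benign baseline before alerting on them.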
Mitigation
ID | Name | Description
---|---|---
M1049 | Antivirus/Antimalware | Anti-virus can be used to automatically quarantine suspicious files.
M1042 | Disable or Remove Feature or Program | It may be possible to remove PowerShell from systems when not needed, but a review should be performed to assess the impact to an environment, since it could be in use for many legitimate purposes and administrative functions. Disable/restrict the WinRM Service to help prevent uses of PowerShell for remote execution.
M1045 | Code Signing | Set PowerShell execution policy to execute only signed scripts.
M1026 | Privileged Account Management | When PowerShell is necessary, consider restricting PowerShell execution policy to administrators. Be aware that there are methods of bypassing the PowerShell execution policy, depending on environment configuration. PowerShell JEA (Just Enough Administration) may also be used to sandbox administration and limit what commands admins/users can execute through remote PowerShell sessions.
M1038 | Execution Prevention | Use application control where appropriate. PowerShell Constrained Language mode can be used to restrict access to sensitive or otherwise dangerous language elements such as those used to execute arbitrary Windows APIs or files (e.g.,
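The following PowerShell is an added example for the Mitigation table; it is not from the page, from MITRE, or from Positive Technologies. It applies M1045 (signed scripts only), builds the JEA endpoint that M1026 describes, and checks the Constrained Language state that M1038 refers to. The module path, the endpoint name, the group CONTOSO\Helpdesk, the transcript directory and the allowed cmdlet set are placeholders chosen for the example; it assumes an elevated Windows PowerShell 5.1 session on a domain-joined host with PowerShell remoting enabled.

```powershell
# Added example: apply the M1045 / M1026 / M1038 controls from the Mitigation table.
# All names and paths below are placeholders for this example.

# M1045 Code Signing: only scripts with a trusted signature run on this machine
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force

# M1026 Privileged Account Management: a JEA endpoint exposing a fixed, small command set.
# Role capability files must live under a RoleCapabilities folder of a module on $env:PSModulePath.
$JeaModule    = 'C:\Program Files\WindowsPowerShell\Modules\JeaHelpdesk'   # placeholder module
$Capabilities = Join-Path $JeaModule 'RoleCapabilities'
New-Item -ItemType Directory -Path $Capabilities -Force | Out-Null
New-ModuleManifest -Path (Join-Path $JeaModule 'JeaHelpdesk.psd1')

# What a helpdesk operator may run through the endpoint: read services, and restart only two of them
New-PSRoleCapabilityFile -Path (Join-Path $Capabilities 'Helpdesk.psrc') `
    -VisibleCmdlets 'Get-Service',
                    @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W32Time' } } `
    -VisibleExternalCommands 'C:\Windows\System32\ipconfig.exe'

# The endpoint itself: restricted remote server (no Invoke-Expression, no script blocks beyond the
# allowed cmdlets), a temporary virtual account instead of the user's own privileges, and a
# transcript of every session for review
$Pssc = Join-Path $JeaModule 'Helpdesk.pssc'
New-PSSessionConfigurationFile -Path $Pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JeaTranscripts' `
    -RoleDefinitions @{ 'CONTOSO\Helpdesk' = @{ RoleCapabilities = 'Helpdesk' } }

if (-not (Test-PSSessionConfigurationFile -Path $Pssc)) { throw "Session configuration file is invalid: $Pssc" }
Register-PSSessionConfiguration -Name 'Helpdesk' -Path $Pssc -Force   # restarts WinRM

# M1038 Execution Prevention: Constrained Language mode is enforced by an application control
# policy (AppLocker or WDAC), not by a setting inside PowerShell; this reports the current state
function Test-ConstrainedLanguage {
    $mode = $ExecutionContext.SessionState.LanguageMode
    [pscustomobject]@{
        LanguageMode = $mode
        Restricted   = ($mode -eq 'ConstrainedLanguage')
    }
}

# Review the result of the three controls
Get-ExecutionPolicy -List
Get-PSSessionConfiguration -Name 'Helpdesk' | Select-Object Name, RunAsVirtualAccount, Permission
Test-ConstrainedLanguage
```

Operators then connect with Enter-PSSession -ComputerName <host> -ConfigurationName Helpdesk and see only the listed commands; the PT-CR-944/945 rules in the knowledge base above are the detection-side counterpart for the Constrained Language check, since an endpoint or policy that reports FullLanguage where ConstrainedLanguage is expected is exactly the condition those rules look for.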