Technique on mitre.org

T1059.001: PowerShell

Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).

PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.

A number of PowerShell-based offensive testing tools are available, including Empire, PowerSploit, PoshC2, and PSAttack.

PowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary through interfaces to PowerShell's underlying System.Management.Automation assembly DLL exposed through the .NET framework and Windows Common Language Interface (CLI).

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_collection: PT-CR-1932: Copying_Files: Copying files and folders using xcopy and robocopy utilities, copy command, Copy-Item cmdlet mitre_attck_collection: PT-CR-500: Documents_Access_Via_Console: A user interacts with Office documents using cmd.exe or PowerShell mitre_attck_collection: PT-CR-491: Clipboard_Access: Detection of attempts to make a shadow copy of information copied to the clipboard mitre_attck_collection: PT-CR-492: Clipboard_Access_Powershell: Detection of attempts to make a shadow copy of information copied to the clipboard via PowerShell mitre_attck_impact: PT-CR-501: Stop_Important_Service: Attempt to stop an important service mitre_attck_impact: PT-CR-497: Shadow_Copies_Deletion_With_Builtin_Tools: Detection of attempts to delete the shadow copies of data that is needed to restore Windows mitre_attck_cred_access: PT-CR-298: Access_System_Credential_Files_Via_Cmdline: An attempt to retrieve OS user credentials is detected mitre_attck_cred_access: PT-CR-299: LAPS_Enumeration: Search for users, groups, and computers with access to Microsoft LAPS (Local Administrator Password Solution). LAPS automatically manages the local administrator account password and backs up this password on devices connected to Active Directory services. mysql_database: PT-CR-617: MySQL_Code_Execution: Running a process under a database account may indicate an attempt of an attacker who gained the ability to execute queries to the database to escalate privileges mitre_attck_lateral_movement: PT-CR-961: Output_Remote_PowerShell_Via_WinRM: Remote use of PowerShell cmdlets on an attacking host via the WinRM protocol is detected mitre_attck_lateral_movement: PT-CR-220: Client_Side_Execution_Via_DCOM: Detected using DCOM for remote code execution mitre_attck_lateral_movement: PT-CR-957: Input_Remote_PowerShell_Via_WinRM: Remote use of PowerShell cmdlets via the WinRM protocol is detected on an attacked host mitre_attck_lateral_movement: PT-CR-959: Lateral_Movement_Via_WinRM: Remote use of PowerShell cmdlets via the WinRM protocol is detected hacking_tools: PT-CR-369: Mimikatz_Command: Possible use of the Mimikatz software is detected hacking_tools: PT-CR-586: Metasploit_Payload: Possible use of a Metasploit payload is detected hacking_tools: PT-CR-2799: Rubeus_Non_Cmdline_Usage: Usage of the Rubeus tool for attacks on the Kerberos protocol hacking_tools: PT-CR-2636: Invoke_Rubeus_Usage: The AS-REP Roasting or Kerberoasting technique was used by injecting a payload into a PowerShell process memory. This may indicate the use of the Invoke-Rubeus malware (an obfuscated version of Rubeus that uses a payload encoded in Base64). hacking_tools: PT-CR-588: Windows_Hacktool_Usage: Possible use of security analysis tools for Windows systems is detected hacking_tools: PT-CR-1947: Powermad_Usage: Powermad is used to exploit AD account attributes hacking_tools: PT-CR-1727: Havoc_Powershell_Command_Execution: Command line artifacts indicate that a suspicious process executed a PowerShell command hacking_tools: PT-CR-2688: Covenant_Launcher_Start: A Covenant launcher was started using InstallUtil or PowerShell, followed by a suspicious TCP connection to another host hacking_tools: PT-CR-370: NetCat_Usage: Possible use of the NetCat, Socat, and Powercat software is detected hacking_tools: PT-CR-750: Cobalt_Strike_Powershell_Payload_Delivery: A user downloaded a payload using an encoded PowerShell command hacking_tools: PT-CR-584: Empire_Stager: A PS script with an Empire stager substring is run hacking_tools: PT-CR-2891: Stracciatella_Usage: Possible use of the Stracciatella utility. Attackers use this utility to bypass logging, antivirus protection, EDR security systems, and restrictions configured in PowerShell. hacking_tools: PT-CR-374: Sliver_Shell_Usage: Possible use of the Sliver Shell software is detected hacking_tools: PT-CR-840: SharpKatz_Usage: The signs of SharpKatz software usage are detected hacking_tools: PT-CR-1726: Havoc_Powerpick: A suspicious process infiltrated process werfault.exe, which may indicate the use of the Havoc software that allows to covertly execute PowerShell commands hacking_tools: PT-CR-2563: Cobalt_Strike_Powershell_Stager: Cobalt Strike payload was downloaded and executed using PowerShell hacking_tools: PT-CR-2339: PsMapExec_First_Usage: The PsMapExec tool created for PowerShell was used for the first time. PsMapExec is used for post-exploitation, reconnaissance, gaining access, remote command execution on hosts, and compromising Active Directory accounts. hacking_tools: PT-CR-373: SharpWMI_Usage: Possible use of the SharpWMI software is detected hacking_tools: PT-CR-2637: Subrule_Invoke_Rubeus_Usage: Possible use of PowerShell functions to inject payload into process memory. This may indicate the use of the Invoke-Rubeus malware (an obfuscated version of Rubeus that uses a payload encoded in Base64). hacking_tools: PT-CR-371: Rubeus_Usage: Possible use of the Rubeus software is detected hacking_tools: PT-CR-839: SharPersist_Usage: Possible usage of the SharPersist utility is detected hacking_tools: PT-CR-372: SharpSploit_Usage: Possible use of the SharpSploit software is detected hacking_tools: PT-CR-2134: SharpToken_Usage: SharpToken was used. This tool can find leaked tokens from all processes in the system and exploit them. If attackers accessed a low-privileged account, they can use this tool to upgrade to "NT AUTHORITY\SYSTEM" privileges. SharpToken can also be used to capture interactive user sessions. mitre_attck_defense_evasion: PT-CR-2654: Suspicious_XSLT_XML_PowerShell_Execution: Suspicious XSL transformation via PowerShell to bypass security tools mitre_attck_defense_evasion: PT-CR-936: Obfuscated_Powershell: The usage of known obfuscation techniques in PowerShell scripts mitre_attck_defense_evasion: PT-CR-1861: Firewall_Modify: Attempt to change the Windows firewall configuration mitre_attck_defense_evasion: PT-CR-942: Subrule_CSC_Start_And_File_Create: Starting a csc.exe process with a parent powershell.exe process and creating a library by a process is detected mitre_attck_defense_evasion: PT-CR-2060: Powershell_Execution_From_Image: The Invoke-PSImage utility was used to run a PowerShell script embedded in an image mitre_attck_defense_evasion: PT-CR-930: AMSI_Bypass_Via_Powershell: AMSI bypass method use is detected mitre_attck_defense_evasion: PT-CR-1859: Disable_UAC_Remote_Restrictions: Attackers can disable UAC as part of remote connection control. This allows high-privilege users to connect to a remote host using an account from the local administrators group on this host. mitre_attck_defense_evasion: PT-CR-208: XSL_Script_WMIC_Execution: An attempt to run XSL scripts using "wmic" is detected mitre_attck_defense_evasion: PT-CR-203: BitsJob_Download_And_Run: An attempt to download or start an application using Microsoft Windows "bitsadmin" is detected mitre_attck_defense_evasion: PT-CR-938: PowerShell_CLM_Bypass: An attempt to bypass PowerShell Constrained Language microsoft_mecm: PT-CR-1860: MECM_SharpSCCM: Using SharpSCCM to search for sensitive information about MECM clients it_bastion: PT-CR-2184: SKDPUNT_Blacklisted_Command: A blacklisted command is executed it_bastion: PT-CR-2171: SKDPUNT_Suspicious_Command: A user executed a potentially dangerous command it_bastion: PT-CR-2177: SKDPUNT_Potentially_Dangerous_Command: Potentially dangerous commands are used mitre_attck_execution: PT-CR-944: Subrule_PowerShell_CLM_Bypass_4103: An attempt to bypass PowerShell Constrained Language was detected based on PowerShell module logging events mitre_attck_execution: PT-CR-945: Subrule_PowerShell_CLM_Bypass_4104: An attempt to bypass PowerShell Constrained Language was detected based on PowerShell script block logging events mitre_attck_execution: PT-CR-339: Subrule_Script_Files_Execution: A user started a script mitre_attck_execution: PT-CR-1359: NimPlant_Powershell_Activity: Starting a potentially malicious PowerShell cmdlet with the NimPlant implant is detected mitre_attck_execution: PT-CR-1962: Remote_Registry_Enable: Possible start of the Remote Registry service to remotely change the values of Windows registry keys, which can be used for lateral movement mitre_attck_execution: PT-CR-2392: Fuegoshell_Oneliners_Execution: PowerShell functions System.IO.Pipes.NamedPipeServerStream and System.IO.Pipes.NamedPipeClientStream were used to create a server that awaits a bind or reverse shell. This may indicate the use of Fuegoshell one-liners and creation of a remote shell to execute malicious commands via PowerShell. mitre_attck_execution: PT-CR-646: Run_Malicious_Msbuild_Project: An attempt to load a .NET assembly at the path with the microsoft.build mask is detected mitre_attck_execution: PT-CR-207: Suspicious_Wmic_Command: An attempt to use "wmic" for suspicious activity is detected mitre_attck_execution: PT-CR-2391: Fuegoshell_Remote_Shell: Possible creation of a remote shell using PowerShell functions System.IO.Pipes.NamedPipeServerStream and System.IO.Pipes.NamedPipeClientStream designed to create a server on user's host (bind shell) and to connect to a server on attacker's host (reverse shell). This may indicate the use of Fuegoshell one-liners. mitre_attck_execution: PT-CR-2300: Windows_Path_Traversal: Attempted Path Traversal attack. This attack on the Windows command line allows the attacker to access arbitrary files and directories stored on the file system. mitre_attck_execution: PT-CR-782: WinAPI_Access_From_Powershell: A Windows API call from PowerShell is detected mitre_attck_execution: PT-CR-1087: Dangerous_Command_Usage: An attempt to execute a potentially dangerous command is detected mitre_attck_execution: PT-CR-58: Execute_Malicious_Powershell_Cmdlet: Starting a potentially malicious PowerShell cmdlet is detected mitre_attck_execution: PT-CR-2655: SCT_Scripts_Hidden_Execution: Running commands for the hidden execution of SCT scripts, which may indicate malicious purposes mitre_attck_execution: PT-CR-2459: Dump_Bitlocker_Keys_From_Host: The manage-bde utility or Get-BitLockerVolume cmdlet is used to gain information about the volumes encrypted using BitLocker as well as the recovery keys. An attacker can use this information to decrypt the protected data. mitre_attck_execution: PT-CR-644: Powershell_Library_Loaded_Into_Process: A process started loading a PowerShell environment to its address space mitre_attck_execution: PT-CR-340: Execute_Malicious_Command: An attempt to execute a potentially dangerous command is detected mitre_attck_execution: PT-CR-1756: PowerShdll_Usage: The PowerShdll utility was started mitre_attck_execution: PT-CR-2707: Execute_File_From_Sysvol_Share: A process or script was started from one of the following subdirectories of the Sysvol network share: Startup, Shutdown, Logon, Logoff, or Scripts. These subdirectories are used for storing executables and script files required for managing group policies and other settings in Active Directory. This could be an attacker's attempt to gain persistence in the system. mitre_attck_execution: PT-CR-581: Execute_Encoded_Powershell: Starting a PowerShell process or a Base64-encoded command is detected mitre_attck_execution: PT-CR-1091: Payload_Injection_Into_EventLog: An attempt to write payload to Event Log using the Write-EventLog powershell command is detected mitre_attck_execution: PT-CR-316: LOLBin_Copying: An attempt to copy a system application is detected mitre_attck_execution: PT-CR-2116: Reverse_Shell_Via_Powershell: A reverse-shell connection established via PowerShell mitre_attck_execution: PT-CR-2810: Script_Files_Execution: A user started a script using a process that accessed an external address, started a child process, changed a registry key to gain persistence in the infrastructure, gained access to another process, or created a remote thread in another process mitre_attck_execution: PT-CR-342: Schtasks_Commandline: A scheduled task was managed using the command line or PowerShell mitre_attck_persistence: PT-CR-271: Service_Created_Or_Modified: An attempt to perform operations on Microsoft Windows services using the command line or PowerShell is detected mitre_attck_persistence: PT-CR-568: IIS_Module_Filter_Installation: An extension module or filter was installed in Internet Information Services. An attacker can listen, modify, or redirect network traffic, as well as gain persistence in the system or execute malicious code on other hosts. mitre_attck_persistence: PT-CR-264: Add_New_User_In_Commandline: An attempt to create an account using the command line or PowerShell is detected pt_application_firewall: PT-CR-1915: PTAF_Hacktool_Detected: PT AF detected signs of a hacking tool being used

Detection

ID	DS0012	Data source and component	Script: Script Execution	Description	Monitor for any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Analytic 1 - Script Block Logging Events `(source=WinEventLog:"Microsoft-Windows-PowerShell/Operational" EventID="4104” AND Image="powershell.exe" AND (CommandLine="-enc*" OR CommandLine="-ep bypass" OR CommandLine="-noni")`

ID	DS0017	Data source and component	Command: Command Execution	Description	If proper execution policy is set, adversaries will likely be able to define their own execution policy if they obtain administrator or system access, either through the Registry or at the command line. This change in policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity. It is also beneficial to turn on PowerShell logging to gain increased fidelity in what occurs during execution (which is applied to .NET invocations). PowerShell 5.0 introduced enhanced logging capabilities, and some of those features have since been added to PowerShell 4.0. Earlier versions of PowerShell do not have many logging features. An organization can gather PowerShell execution details in a data analytic platform to supplement it with other data. PowerShell can be used over WinRM to remotely run commands on a host. When a remote PowerShell session starts, svchost.exe executes wsmprovhost.exe For this to work, certain registry keys must be set, and the WinRM service must be enabled. The PowerShell command Enter-PSSession -ComputerName <RemoteHost> creates a remote PowerShell session.

ID	DS0011	Data source and component	Module: Module Load	Description	Monitor for loading and/or execution of artifacts associated with PowerShell specific assemblies, such as System.Management.Automation.dll (especially to unusual process names/locations). Analytic 1 - Processes loading PowerShell assemblies `source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="7" \| where ModulePath LIKE "%system.management.automation%" OR FileDescription LIKE "%system.management.automation%"`

ID	DS0009	Data source and component	Process: Process Metadata	Description	Consider monitoring for Windows event ID (EID) 400, which shows the version of PowerShell executing in the `EngineVersion` field (which may also be relevant to detecting a potential Downgrade Attack) as well as if PowerShell is running locally or remotely in the `HostName` field. Furthermore, EID 400 may indicate the start time and EID 403 indicates the end time of a PowerShell session.

ID	DS0009	Data source and component	Process: Process Creation	Description	Monitor for newly executed processes that may abuse PowerShell commands and scripts for execution. PowerShell is a scripting environment included with Windows that is used by both attackers and administrators. Execution of PowerShell scripts in most Windows versions is opaque and not typically secured by antivirus which makes using PowerShell an easy way to circumvent security measures. This analytic detects execution of PowerShell scripts. Powershell can be used to hide monitored command line execution such as: net use sc start Note: The logic for Analytic 1 is based around detecting on non-interactive Powershell sessions (i.e., those not launched by a user through explorer.exe). This may lead to false positives when used in a production environment, so we recommend tuning any such analytics by including additional logic (e.g., looking for suspicious parent processes) that helps filter such events. The logic for Analytic 2 is based around detecting on remote Powershell sessions. PowerShell can be used over WinRM to remotely run commands on a host. When a remote PowerShell session starts, svchost.exe executes wsmprovhost.exe. Analytic 1 - Non-interactive Powershell Sessions `(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image="powershell.exe" AND ParentImage!="explorer.exe"` Analytic 2 - Remote Powershell Sessions `(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image="wsmprovhost.exe" AND ParentImage="svchost.exe"` Analytic 3 - Powershell Execution `(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") Image="C:\Windows\\powershell.exe" ParentImage!="C:\Windows\explorer.exe"\|stats values(CommandLine) as "Command Lines" values(ParentImage) as "Parent Images" by ComputerName`

ID	Data source and component	Description
DS0012	Script: Script Execution	Monitor for any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Analytic 1 - Script Block Logging Events `(source=WinEventLog:"Microsoft-Windows-PowerShell/Operational" EventID="4104” AND Image="powershell.exe" AND (CommandLine="-enc*" OR CommandLine="-ep bypass" OR CommandLine="-noni")`
DS0017	Command: Command Execution	If proper execution policy is set, adversaries will likely be able to define their own execution policy if they obtain administrator or system access, either through the Registry or at the command line. This change in policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity. It is also beneficial to turn on PowerShell logging to gain increased fidelity in what occurs during execution (which is applied to .NET invocations). PowerShell 5.0 introduced enhanced logging capabilities, and some of those features have since been added to PowerShell 4.0. Earlier versions of PowerShell do not have many logging features. An organization can gather PowerShell execution details in a data analytic platform to supplement it with other data. PowerShell can be used over WinRM to remotely run commands on a host. When a remote PowerShell session starts, svchost.exe executes wsmprovhost.exe For this to work, certain registry keys must be set, and the WinRM service must be enabled. The PowerShell command Enter-PSSession -ComputerName <RemoteHost> creates a remote PowerShell session.
DS0011	Module: Module Load	Monitor for loading and/or execution of artifacts associated with PowerShell specific assemblies, such as System.Management.Automation.dll (especially to unusual process names/locations). Analytic 1 - Processes loading PowerShell assemblies `source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="7" \| where ModulePath LIKE "%system.management.automation%" OR FileDescription LIKE "%system.management.automation%"`
DS0009	Process: Process Metadata	Consider monitoring for Windows event ID (EID) 400, which shows the version of PowerShell executing in the `EngineVersion` field (which may also be relevant to detecting a potential Downgrade Attack) as well as if PowerShell is running locally or remotely in the `HostName` field. Furthermore, EID 400 may indicate the start time and EID 403 indicates the end time of a PowerShell session.
DS0009	Process: Process Creation	Monitor for newly executed processes that may abuse PowerShell commands and scripts for execution. PowerShell is a scripting environment included with Windows that is used by both attackers and administrators. Execution of PowerShell scripts in most Windows versions is opaque and not typically secured by antivirus which makes using PowerShell an easy way to circumvent security measures. This analytic detects execution of PowerShell scripts. Powershell can be used to hide monitored command line execution such as: net use sc start Note: The logic for Analytic 1 is based around detecting on non-interactive Powershell sessions (i.e., those not launched by a user through explorer.exe). This may lead to false positives when used in a production environment, so we recommend tuning any such analytics by including additional logic (e.g., looking for suspicious parent processes) that helps filter such events. The logic for Analytic 2 is based around detecting on remote Powershell sessions. PowerShell can be used over WinRM to remotely run commands on a host. When a remote PowerShell session starts, svchost.exe executes wsmprovhost.exe. Analytic 1 - Non-interactive Powershell Sessions `(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image="powershell.exe" AND ParentImage!="explorer.exe"` Analytic 2 - Remote Powershell Sessions `(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image="wsmprovhost.exe" AND ParentImage="svchost.exe"` Analytic 3 - Powershell Execution `(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") Image="C:\Windows\\powershell.exe" ParentImage!="C:\Windows\explorer.exe"\|stats values(CommandLine) as "Command Lines" values(ParentImage) as "Parent Images" by ComputerName`

Mitigation

ID	M1026	Name	Privileged Account Management	Description	When PowerShell is necessary, consider restricting PowerShell execution policy to administrators. Be aware that there are methods of bypassing the PowerShell execution policy, depending on environment configuration. PowerShell JEA (Just Enough Administration) may also be used to sandbox administration and limit what commands admins/users can execute through remote PowerShell sessions.

ID	M1038	Name	Execution Prevention	Description	Use application control where appropriate. PowerShell Constrained Language mode can be used to restrict access to sensitive or otherwise dangerous language elements such as those used to execute arbitrary Windows APIs or files (e.g., `Add-Type`).

ID	M1042	Name	Disable or Remove Feature or Program	Description	It may be possible to remove PowerShell from systems when not needed, but a review should be performed to assess the impact to an environment, since it could be in use for many legitimate purposes and administrative functions. Disable/restrict the WinRM Service to help prevent uses of PowerShell for remote execution.

ID	M1045	Name	Code Signing	Description	Set PowerShell execution policy to execute only signed scripts.

ID	M1049	Name	Antivirus/Antimalware	Description	Anti-virus can be used to automatically quarantine suspicious files.

ID	Name	Description
M1026	Privileged Account Management	When PowerShell is necessary, consider restricting PowerShell execution policy to administrators. Be aware that there are methods of bypassing the PowerShell execution policy, depending on environment configuration. PowerShell JEA (Just Enough Administration) may also be used to sandbox administration and limit what commands admins/users can execute through remote PowerShell sessions.
M1038	Execution Prevention	Use application control where appropriate. PowerShell Constrained Language mode can be used to restrict access to sensitive or otherwise dangerous language elements such as those used to execute arbitrary Windows APIs or files (e.g., `Add-Type`).
M1042	Disable or Remove Feature or Program	It may be possible to remove PowerShell from systems when not needed, but a review should be performed to assess the impact to an environment, since it could be in use for many legitimate purposes and administrative functions. Disable/restrict the WinRM Service to help prevent uses of PowerShell for remote execution.
M1045	Code Signing	Set PowerShell execution policy to execute only signed scripts.
M1049	Antivirus/Antimalware	Anti-virus can be used to automatically quarantine suspicious files.