Applied Cybernetics Group
T1059.001 — PowerShell
- Technique
T1059.001- Tactics
- Execution
- MISP citations
- 0
- KEV CVEs mapped
- 1
- Community rules
- 219
- thrunt rules
- 0
- Upstream
- https://attack.mitre.org/techniques/T1059/001
MITRE description
Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.(Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the <code>Start-Process</code> cmdlet which can be used to run an executable and the <code>Invoke-Command</code> cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems). PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk. A number of PowerShell-based offensive testing tools are available, including [Empire](https://attack.mitre.org/software/S0363), [PowerSploit](https://attack.mitre.org/software/S0194), [PoshC2](https://attack.mitre.org/software/S0378), and PSAttack.(Citation: Github PSAttack) PowerShell commands/scripts can also be executed without directly invoking the <code>powershell.exe</code> binary through interfaces to PowerShell's underlying <code>System.Management.Automation</code> assembly DLL exposed through the .NET framework and Windows Common Language Interface (CLI).(Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)(Citation: Microsoft PSfromCsharp APR 2014)
KEV CVEs mapped to this technique
Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.
Detection coverage
SigmaHQ community rules
- Turla Group Commands May 2020 (emerging-threats)
- TropicTrooper Campaign November 2018 (emerging-threats)
- Potential Baby Shark Malware Activity (emerging-threats)
- Potential Emotet Activity (emerging-threats)
- Operation Wocao Activity (emerging-threats)
- Operation Wocao Activity - Security (emerging-threats)
- Exploited CVE-2020-10189 Zoho ManageEngine (emerging-threats)
- Suspicious PrinterPorts Creation (CVE-2020-1048) (emerging-threats)
- Greenbug Espionage Group Indicators (emerging-threats)
- UNC2452 Process Creation Patterns (emerging-threats)
- UNC2452 PowerShell Pattern (emerging-threats)
- Potential BlackByte Ransomware Activity (emerging-threats)
- CVE-2022-24527 Microsoft Connected Cache LPE (emerging-threats)
- Potential Bumblebee Remote Thread Creation (emerging-threats)
- ChromeLoader Malware Execution (emerging-threats)
- Raspberry Robin Subsequent Execution of Commands (emerging-threats)
- Raspberry Robin Initial Execution From External Drive (emerging-threats)
- FakeUpdates/SocGholish Activity (emerging-threats)
- MERCURY APT Activity (emerging-threats)
- Rorschach Ransomware Execution Activity (emerging-threats)
- Potential APT FIN7 POWERHOLD Execution (emerging-threats)
- Potential POWERTRASH Script Execution (emerging-threats)
- Lace Tempest PowerShell Evidence Eraser (emerging-threats)
- Lace Tempest PowerShell Launcher (emerging-threats)
- Potential APT FIN7 Exploitation Activity (emerging-threats)
Showing 25 of 219 community rules —
the full set is tagged attack.t1059.001 in
SigmaHQ.