ID | Name |
---|---|
T1059.001 | PowerShell |
T1059.002 | AppleScript |
T1059.003 | Windows Command Shell |
T1059.004 | Unix Shell |
T1059.005 | Visual Basic |
T1059.006 | Python |
T1059.007 | JavaScript |
T1059.008 | Network Device CLI |
Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. [1] Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process
cmdlet which can be used to run an executable and the Invoke-Command
cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.
A number of PowerShell-based offensive testing tools are available, including Empire, PowerSploit, PoshC2, and PSAttack.[2]
PowerShell commands/scripts can also be executed without directly invoking the powershell.exe
binary through interfaces to PowerShell's underlying System.Management.Automation
assembly DLL exposed through the .NET framework and Windows Common Language Interface (CLI). [3][4][5]
ID | Name | Description |
---|---|---|
S0622 | AppleSeed |
AppleSeed has the ability to execute its payload via PowerShell.[6] |
G0073 | APT19 | |
G0007 | APT28 |
APT28 downloads and executes PowerShell scripts and performs PowerShell commands.[8][9][10] |
G0016 | APT29 |
APT29 has used encoded PowerShell scripts uploaded to CozyCar installations to download and install SeaDuke. APT29 also used PowerShell to create new tasks on remote machines, identify configuration settings, evade defenses, exfiltrate data, and to execute other commands.[11][12][13][14][15] |
G0022 | APT3 |
APT3 has used PowerShell on victim systems to download and run payloads after exploitation.[16] |
G0050 | APT32 |
APT32 has used PowerShell-based tools, PowerShell one-liners, and shellcode loaders for execution.[17][18][19] |
G0064 | APT33 |
APT33 has utilized PowerShell to download files from the C2 server and run various scripts. [20][21] |
G0082 | APT38 |
APT38 has used PowerShell to execute commands and other operational tasks.[22] |
G0087 | APT39 |
APT39 has used PowerShell to execute malicious code.[23][24] |
G0096 | APT41 |
APT41 leveraged PowerShell to deploy malware families in victims’ environments.[25][26] |
S0129 | AutoIt backdoor |
AutoIt backdoor downloads a PowerShell script that decodes to a typical shellcode loader.[27] |
S0234 | Bandook |
Bandook has used PowerShell loaders as part of execution.[28] |
S0534 | Bazar |
Bazar can execute a PowerShell script received from C2.[29][30] |
S0521 | BloodHound |
BloodHound can use PowerShell to pull Active Directory information from the target environment.[31] |
G0108 | Blue Mockingbird |
Blue Mockingbird has used PowerShell reverse TCP shells to issue interactive commands over a network connection.[32] |
S0360 | BONDUPDATER |
BONDUPDATER is written in PowerShell.[33][34] |
G0060 | BRONZE BUTLER |
BRONZE BUTLER has used PowerShell for execution.[35] |
G0114 | Chimera |
Chimera has used PowerShell scripts to execute malicious payloads and the DSInternals PowerShell module to make use of Active Directory features.[36][37] |
G0080 | Cobalt Group |
Cobalt Group has used powershell.exe to download and execute scripts.[38][39][40][41][42][43] |
S0154 | Cobalt Strike |
Cobalt Strike can execute a payload on a remote host with PowerShell. This technique does not write any data to disk.[44][45] Cobalt Strike can also use PowerSploit and other scripting frameworks to perform execution.[46][47][48][49] |
S0126 | ComRAT |
ComRAT has used PowerShell to load itself every time a user logs in to the system. ComRAT can execute PowerShell scripts loaded into memory or from the file system.[50][51] |
S0591 | ConnectWise |
ConnectWise can be used to execute PowerShell commands on target machines.[52] |
G0052 | CopyKittens |
CopyKittens has used PowerShell Empire.[53] |
S0488 | CrackMapExec |
CrackMapExec can execute PowerShell commands via WMI.[54] |
S0625 | Cuba |
Cuba has been dropped onto systems and used for lateral movement via obfuscated PowerShell scripts.[55] |
G0079 | DarkHydrus |
DarkHydrus leveraged PowerShell to download and execute additional scripts for execution.[56][57] |
G0105 | DarkVishnya |
DarkVishnya used PowerShell to create shellcode loaders.[58] |
G0009 | Deep Panda |
Deep Panda has used PowerShell scripts to download and execute programs in memory, without writing to disk.[59] |
S0354 | Denis | |
S0186 | DownPaper | |
G0074 | Dragonfly 2.0 |
Dragonfly 2.0 used PowerShell scripts for execution.[61][62][63] |
S0554 | Egregor |
Egregor has used an encoded PowerShell command by a service created by Cobalt Strike for lateral movement.[64] |
S0367 | Emotet |
Emotet has used Powershell to retrieve the malicious payload and download additional resources like Mimikatz. [65][66][67][68][69] |
S0363 | Empire |
Empire leverages PowerShell for the majority of its client-side agent tasks. Empire also contains the ability to conduct PowerShell remoting with the |
S0512 | FatDuke | |
G0051 | FIN10 |
FIN10 uses PowerShell for execution as well as PowerShell Empire to establish persistence.[73][70] |
G0037 | FIN6 |
FIN6 has used PowerShell to gain access to merchant's networks, and a Metasploit PowerShell module to download and execute shellcode and to set up a local listener.[74][75][76] |
G0046 | FIN7 |
FIN7 used a PowerShell script to launch shellcode that retrieved an additional payload.[77][78] |
G0061 | FIN8 |
FIN8's malicious spearphishing payloads are executed as PowerShell. FIN8 has also used PowerShell for lateral movement and credential access.[79][80][81] |
G0117 | Fox Kitten |
Fox Kitten has used PowerShell scripts to access credential data.[82] |
G0101 | Frankenstein |
Frankenstein has used PowerShell to run a series of base64-encoded commands, that acted as a stager and enumerated hosts.[83] |
G0093 | GALLIUM |
GALLIUM used PowerShell for execution to assist in lateral movement as well as for dumping credentials stored on compromised machines.[84] |
G0084 | Gallmaker |
Gallmaker used PowerShell to download additional payloads and for execution.[85] |
G0115 | GOLD SOUTHFIELD |
GOLD SOUTHFIELD has staged and executed PowerShell scripts on compromised hosts.[86] |
G0078 | Gorgon Group |
Gorgon Group malware can use PowerShell commands to download and execute a payload and open a decoy document on the victim’s machine.[87] |
S0417 | GRIFFON |
GRIFFON has used PowerShell to execute the Meterpreter downloader TinyMet.[88] |
G0125 | HAFNIUM |
HAFNIUM has used the Exchange Power Shell module |
S0151 | HALFBAKED | |
S0037 | HAMMERTOSS |
HAMMERTOSS is known to use PowerShell.[91] |
S0499 | Hancitor | |
S0170 | Helminth | |
G0100 | Inception |
Inception has used PowerShell to execute malicious commands and payloads.[94][95] |
G0119 | Indrik Spider |
Indrik Spider has used PowerShell Empire for execution of malware.[96][97] |
S0389 | JCry | |
S0648 | JSS Loader |
JSS Loader has the ability to download and execute PowerShell scripts.[99] |
S0387 | KeyBoy |
KeyBoy uses PowerShell commands to download and execute payloads.[100] |
S0526 | KGH_SPY |
KGH_SPY can execute PowerShell commands on the victim's machine.[101] |
G0094 | Kimsuky |
Kimsuky has executed a variety of PowerShell scripts.[102][103] |
S0356 | KONNI |
KONNI used PowerShell to download and execute a specific 64-bit version of the malware.[104] |
G0065 | Leviathan |
Leviathan has used PowerShell for execution.[105][106][107][108] |
S0447 | Lokibot |
Lokibot has used PowerShell commands embedded inside batch scripts.[109] |
G0059 | Magic Hound |
Magic Hound has used PowerShell for execution and privilege escalation.[110][111] |
G0045 | menuPass |
menuPass uses PowerSploit to inject shellcode into PowerShell.[112][113] |
S0553 | MoleNet | |
G0021 | Molerats | |
S0256 | Mosquito | |
G0069 | MuddyWater |
MuddyWater has used PowerShell for execution.[117][118][119][120][121][122][123][124] |
G0129 | Mustang Panda |
Mustang Panda has used malicious PowerShell scripts to enable execution.[125][126] |
S0457 | Netwalker |
Netwalker has been written in PowerShell and executed directly in memory, avoiding detection.[127][128] |
S0198 | NETWIRE |
The NETWIRE binary has been executed via PowerShell script.[129] |
S0385 | njRAT |
njRAT has executed PowerShell commands via auto-run registry key persistence.[130] |
G0133 | Nomadic Octopus |
Nomadic Octopus has used PowerShell for execution.[131] |
G0049 | OilRig |
OilRig has used PowerShell scripts for execution, including use of a macro to run a PowerShell command to decode file contents.[33][132][133] |
G0116 | Operation Wocao |
Operation Wocao has used PowerShell on compromised systems.[134] |
S0352 | OSX_OCEANLOTUS.D |
OSX_OCEANLOTUS.D uses PowerShell scripts.[135] |
G0040 | Patchwork |
Patchwork used PowerSploit to download payloads, run a reverse shell, and execute malware on the victim's machine.[136][137] |
S0517 | Pillowmint |
Pillowmint has used a PowerShell script to install a shim database.[138] |
G0033 | Poseidon Group |
The Poseidon Group's Information Gathering Tool (IGT) includes PowerShell components.[139] |
S0150 | POSHSPY |
POSHSPY uses PowerShell to execute various commands, one to execute its payload.[140] |
S0441 | PowerShower |
PowerShower is a backdoor written in PowerShell.[94] |
S0145 | POWERSOURCE |
POWERSOURCE is a PowerShell backdoor.[141][142] |
S0194 | PowerSploit |
PowerSploit modules are written in and executed via PowerShell.[143][144] |
S0393 | PowerStallion |
PowerStallion uses PowerShell loops to iteratively check for available commands in its OneDrive C2 server.[145] |
S0223 | POWERSTATS |
POWERSTATS uses PowerShell for obfuscation and execution.[146][121][147] |
S0371 | POWERTON | |
S0184 | POWRUNER | |
S0613 | PS1 | |
S0196 | PUNCHBUGGY |
PUNCHBUGGY has used PowerShell scripts.[150] |
S0192 | Pupy |
Pupy has a module for loading and executing PowerShell scripts.[151] |
S0583 | Pysa |
Pysa has used Powershell scripts to deploy its ransomware.[152] |
S0650 | QakBot |
QakBot can use PowerShell to download and execute payloads.[153] |
S0269 | QUADAGENT | |
S0241 | RATANKBA |
There is a variant of RATANKBA that uses a PowerShell script instead of the traditional PE form.[155][156] |
S0511 | RegDuke |
RegDuke can extract and execute PowerShell scripts from C2 communications.[72] |
S0379 | Revenge RAT |
Revenge RAT uses the PowerShell command |
S0496 | REvil |
REvil has used PowerShell to delete volume shadow copies and download files.[158][159][160][161] |
S0270 | RogueRobin |
RogueRobin uses a command prompt to run a PowerShell script from Excel.[56] To assist in establishing persistence, RogueRobin creates |
G0034 | Sandworm Team |
Sandworm Team has used PowerShell scripts to run a credential harvesting tool in memory to evade defenses.[163][164] |
S0053 | SeaDuke |
SeaDuke uses a module to execute Mimikatz with PowerShell to perform Pass the Ticket.[13] |
S0382 | ServHelper |
ServHelper has the ability to execute a PowerShell script to get information from the infected host.[165] |
S0546 | SharpStage |
SharpStage can execute arbitrary commands with PowerShell.[114][166] |
S0450 | SHARPSTATS |
SHARPSTATS has the ability to employ a custom PowerShell script.[147] |
G0121 | Sidewinder |
Sidewinder has used PowerShell to drop and execute malware loaders.[167] |
G0091 | Silence |
Silence has used PowerShell to download and execute payloads.[168][169] |
S0649 | SMOKEDHAM |
SMOKEDHAM can execute Powershell commands sent from its C2 server.[170] |
S0273 | Socksbot | |
S0390 | SQLRat |
SQLRat has used PowerShell to create a Meterpreter session.[171] |
G0038 | Stealth Falcon |
Stealth Falcon malware uses PowerShell commands to perform various functions, including gathering system information via WMI and executing commands from its C2 server.[172] |
S0491 | StrongPity |
StrongPity can use PowerShell to add files to the Windows Defender exclusions list.[173] |
G0062 | TA459 | |
G0092 | TA505 |
TA505 has used PowerShell to download and execute malware and reconnaissance scripts.[175][176][177][178] |
G0139 | TeamTNT |
TeamTNT has executed PowerShell commands in batch scripts.[179] |
G0088 | TEMP.Veles |
TEMP.Veles has used a publicly-available PowerShell-based tool, WMImplant.[180] The group has also used PowerShell to perform Timestomping.[181] |
G0027 | Threat Group-3390 |
Threat Group-3390 has used PowerShell for execution.[182] |
G0076 | Thrip |
Thrip leveraged PowerShell to run commands to download payloads, traverse the compromised networks, and carry out reconnaissance.[183] |
G0131 | Tonto Team |
Tonto Team has used PowerShell to download additional payloads.[184] |
S0266 | TrickBot |
TrickBot has been known to use PowerShell to download new payloads, open documents, and upload data to command and control servers. [185] |
G0010 | Turla |
Turla has used PowerShell to execute commands/scripts, in some cases via a custom executable or code from Empire's PSInject.[186][145][187] Turla has also used PowerShell scripts to load and execute malware in memory. |
S0386 | Ursnif |
Ursnif droppers have used PowerShell in download cradles to download and execute the malware's full executable payload.[188] |
S0476 | Valak |
Valak has used PowerShell to download additional modules.[189] |
S0514 | WellMess |
WellMess can execute PowerShell scripts received from C2.[190][191] |
G0090 | WIRTE | |
G0102 | Wizard Spider |
Wizard Spider has used macros to execute PowerShell scripts to download malware on victim's machines.[193] It has also used PowerShell to execute commands and move laterally through a victim network.[194][195][196] |
S0341 | Xbash |
Xbash can use scripts to invoke PowerShell to download a malicious PE executable or PE DLL for execution.[197] |
S0330 | Zeus Panda |
Zeus Panda uses PowerShell to download and execute the payload.[198] |
ID | Mitigation | Description |
---|---|---|
M1049 | Antivirus/Antimalware |
Anti-virus can be used to automatically quarantine suspicious files. |
M1045 | Code Signing |
Set PowerShell execution policy to execute only signed scripts. |
M1042 | Disable or Remove Feature or Program |
It may be possible to remove PowerShell from systems when not needed, but a review should be performed to assess the impact to an environment, since it could be in use for many legitimate purposes and administrative functions. Disable/restrict the WinRM Service to help prevent uses of PowerShell for remote execution. |
M1038 | Execution Prevention |
Use application control where appropriate. |
M1026 | Privileged Account Management |
When PowerShell is necessary, restrict PowerShell execution policy to administrators. Be aware that there are methods of bypassing the PowerShell execution policy, depending on environment configuration.[199] |
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0011 | Module | Module Load |
DS0009 | Process | Process Creation |
DS0012 | Script | Script Execution |
If proper execution policy is set, adversaries will likely be able to define their own execution policy if they obtain administrator or system access, either through the Registry or at the command line. This change in policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity.
Monitor for loading and/or execution of artifacts associated with PowerShell specific assemblies, such as System.Management.Automation.dll (especially to unusual process names/locations).[3][4]
It is also beneficial to turn on PowerShell logging to gain increased fidelity in what occurs during execution (which is applied to .NET invocations). [200] PowerShell 5.0 introduced enhanced logging capabilities, and some of those features have since been added to PowerShell 4.0. Earlier versions of PowerShell do not have many logging features.[201] An organization can gather PowerShell execution details in a data analytic platform to supplement it with other data.