attack.t1059.001 | Detection.FYI

PowerShell Core DLL Loaded By Non PowerShell Process
Jun 1, 2023 · attack.t1059.001 attack.execution ·
Share on:
Detects loading of essential DLLs used by PowerShell, but not by the process powershell.exe. Detects behaviour similar to meterpreter's "load powershell" extension.

Read More
Potential PowerShell Obfuscation Via Reversed Commands
May 31, 2023 · attack.defense_evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:
Detects the presence of reversed PowerShell commands in the CommandLine. This is often used as a method of obfuscation by attackers

Read More
Windows Shell/Scripting Processes Spawning Suspicious Programs
May 23, 2023 · attack.execution attack.defense_evasion attack.t1059.005 attack.t1059.001 attack.t1218 ·
Share on:
Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.

Read More
Alternate PowerShell Hosts - PowerShell Module
May 15, 2023 · attack.execution attack.t1059.001 ·
Share on:
Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe

Read More
Bad Opsec Powershell Code Artifacts
May 15, 2023 · attack.execution attack.t1059.001 ·
Share on:
focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads that often undergo minimal changes by attackers due to bad opsec.

Read More
Invoke-Obfuscation CLIP+ Launcher - PowerShell Module
May 15, 2023 · attack.defense_evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:
Detects Obfuscated use of Clip.exe to execute PowerShell

Read More
Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module
May 15, 2023 · attack.defense_evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:
Detects Obfuscated Powershell via COMPRESS OBFUSCATION

Read More
Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module
May 15, 2023 · attack.defense_evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:
Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below

Read More
Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module
May 15, 2023 · attack.defense_evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:
Detects Obfuscated Powershell via RUNDLL LAUNCHER

Read More
Invoke-Obfuscation STDIN+ Launcher - PowerShell Module
May 15, 2023 · attack.defense_evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:
Detects Obfuscated use of stdin to execute PowerShell

Read More
Invoke-Obfuscation VAR+ Launcher - PowerShell Module
May 15, 2023 · attack.defense_evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:
Detects Obfuscated use of Environment Variables to execute PowerShell

Read More
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module
May 15, 2023 · attack.defense_evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:
Detects Obfuscated Powershell via VAR++ LAUNCHER

Read More
Invoke-Obfuscation Via Stdin - PowerShell Module
May 15, 2023 · attack.defense_evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:
Detects Obfuscated Powershell via Stdin in Scripts

Read More
Invoke-Obfuscation Via Use Clip - PowerShell Module
May 15, 2023 · attack.defense_evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:
Detects Obfuscated Powershell via use Clip.exe in Scripts

Read More
Invoke-Obfuscation Via Use MSHTA - PowerShell Module
May 15, 2023 · attack.defense_evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:
Detects Obfuscated Powershell via use MSHTA in Scripts

Read More
Invoke-Obfuscation Via Use Rundll32 - PowerShell Module
May 15, 2023 · attack.defense_evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:
Detects Obfuscated Powershell via use Rundll32 in Scripts

Read More
Malicious PowerShell Commandlets - PoshModule
May 15, 2023 · attack.execution attack.discovery attack.t1482 attack.t1087 attack.t1087.001 attack.t1087.002 attack.t1069.001 attack.t1069.002 attack.t1069 attack.t1059.001 ·
Share on:
Detects Commandlet names from well-known PowerShell exploitation frameworks

Read More
Malicious PowerShell Scripts - PoshModule
May 15, 2023 · attack.execution attack.t1059.001 ·
Share on:
Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance

Read More
Non Interactive PowerShell Process Spawned
May 15, 2023 · attack.execution attack.t1059.001 ·
Share on:
Detects non-interactive PowerShell activity by looking at the "powershell" process with a non-user GUI process such as "explorer.exe" as a parent.

Read More
Remote PowerShell Session (PS Module)
May 15, 2023 · attack.execution attack.t1059.001 attack.lateral_movement attack.t1021.006 ·
Share on:
Detects remote PowerShell sessions

Read More
Suspicious PowerShell Download - PoshModule
May 15, 2023 · attack.execution attack.t1059.001 ·
Share on:
Detects suspicious PowerShell download command

Read More
Suspicious PowerShell Invocations - Generic - PowerShell Module
May 15, 2023 · attack.execution attack.t1059.001 ·
Share on:
Detects suspicious PowerShell invocation command parameters

Read More
Suspicious PowerShell Invocations - Specific - PowerShell Module
May 15, 2023 · attack.execution attack.t1059.001 ·
Share on:
Detects suspicious PowerShell invocation command parameters

Read More
Usage Of Web Request Commands And Cmdlets
May 15, 2023 · attack.execution attack.t1059.001 ·
Share on:
Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine

Read More
Usage Of Web Request Commands And Cmdlets - ScriptBlock
May 15, 2023 · attack.execution attack.t1059.001 ·
Share on:
Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs

Read More
Remote Thread Creation Via PowerShell
May 5, 2023 · attack.execution attack.t1059.001 ·
Share on:
Detects the creation of a remote thread from a Powershell process to another process

Read More
Remote Thread Creation Via PowerShell In Rundll32
May 5, 2023 · attack.defense_evasion attack.execution attack.t1218.011 attack.t1059.001 ·
Share on:
Detects the creation of a remote thread from a Powershell process in a rundll32 process

Read More
Potential Suspicious PowerShell Keywords
Apr 21, 2023 · attack.execution attack.t1059.001 ·
Share on:
Detects potentially suspicious keywords that could indicate the use of a PowerShell exploitation framework

Read More
Malicious PowerShell Commandlets - ProcessCreation
Apr 21, 2023 · attack.execution attack.discovery attack.t1482 attack.t1087 attack.t1087.001 attack.t1087.002 attack.t1069.001 attack.t1069.002 attack.t1069 attack.t1059.001 ·
Share on:
Detects Commandlet names from well-known PowerShell exploitation frameworks

Read More
Malicious PowerShell Commandlets - ScriptBlock
Apr 21, 2023 · attack.execution attack.discovery attack.t1482 attack.t1087 attack.t1087.001 attack.t1087.002 attack.t1069.001 attack.t1069.002 attack.t1069 attack.t1059.001 ·
Share on:
Detects Commandlet names from well-known PowerShell exploitation frameworks

Read More
Malicious PowerShell Scripts - FileCreation
Apr 21, 2023 · attack.execution attack.t1059.001 ·
Share on:
Detects the creation of known offensive powershell scripts used for exploitation

Read More
Malicious PowerView PowerShell Commandlets
Apr 20, 2023 · attack.execution attack.t1059.001 ·
Share on:
Detects Commandlet names from PowerView of PowerSploit exploitation framework.

Read More
Invoke-Obfuscation CLIP+ Launcher - System
Apr 14, 2023 · attack.defense_evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:
Detects Obfuscated use of Clip.exe to execute PowerShell

Read More
Invoke-Obfuscation COMPRESS OBFUSCATION - System
Apr 14, 2023 · attack.defense_evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:
Detects Obfuscated Powershell via COMPRESS OBFUSCATION

Read More
Invoke-Obfuscation RUNDLL LAUNCHER - System
Apr 14, 2023 · attack.defense_evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:
Detects Obfuscated Powershell via RUNDLL LAUNCHER

Read More
Invoke-Obfuscation STDIN+ Launcher - System
Apr 14, 2023 · attack.defense_evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:
Detects Obfuscated use of stdin to execute PowerShell

Read More
Invoke-Obfuscation VAR+ Launcher - System
Apr 14, 2023 · attack.defense_evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:
Detects Obfuscated use of Environment Variables to execute PowerShell

Read More
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System
Apr 14, 2023 · attack.defense_evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:
Detects Obfuscated Powershell via VAR++ LAUNCHER

Read More
Invoke-Obfuscation Via Stdin - System
Apr 14, 2023 · attack.defense_evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:
Detects Obfuscated Powershell via Stdin in Scripts

Read More
Invoke-Obfuscation Via Use Clip - System
Apr 14, 2023 · attack.defense_evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:
Detects Obfuscated Powershell via use Clip.exe in Scripts

Read More
Invoke-Obfuscation Via Use MSHTA - System
Apr 14, 2023 · attack.defense_evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:
Detects Obfuscated Powershell via use MSHTA in Scripts

Read More
Invoke-Obfuscation Via Use Rundll32 - System
Apr 14, 2023 · attack.defense_evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:
Detects Obfuscated Powershell via use Rundll32 in Scripts

Read More
HTML Help HH.EXE Suspicious Child Process
Apr 12, 2023 · attack.defense_evasion attack.execution attack.initial_access attack.t1047 attack.t1059.001 attack.t1059.003 attack.t1059.005 attack.t1059.007 attack.t1218 attack.t1218.001 attack.t1218.010 attack.t1218.011 attack.t1566 attack.t1566.001 ·
Share on:
Detects a suspicious child process of a Microsoft HTML Help (HH.exe)

Read More
Suspicious HH.EXE Execution
Apr 12, 2023 · attack.defense_evasion attack.execution attack.initial_access attack.t1047 attack.t1059.001 attack.t1059.003 attack.t1059.005 attack.t1059.007 attack.t1218 attack.t1218.001 attack.t1218.010 attack.t1218.011 attack.t1566 attack.t1566.001 ·
Share on:
Detects a suspicious execution of a Microsoft HTML Help (HH.exe)

Read More
Alternate PowerShell Hosts
Apr 12, 2023 · attack.execution attack.t1059.001 ·
Share on:
Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe

Read More
BloodHound Collection Files
Apr 11, 2023 · attack.discovery attack.t1087.001 attack.t1087.002 attack.t1482 attack.t1069.001 attack.t1069.002 attack.execution attack.t1059.001 ·
Share on:
Detects default file names outputted by the BloodHound collection tool SharpHound

Read More
Potential PowerShell Command Line Obfuscation
Apr 11, 2023 · attack.execution attack.defense_evasion attack.t1027 attack.t1059.001 ·
Share on:
Detects the PowerShell command lines with special characters

Read More
Potential Powershell ReverseShell Connection
Apr 11, 2023 · attack.execution attack.t1059.001 ·
Share on:
Detects usage of the "TcpClient" class. Which can be abused to establish remote connections and reverse-shells. As seen used by the Nishang "Invoke-PowerShellTcpOneLine" reverse shell and other.

Read More
PowerShell Base64 Encoded FromBase64String Cmdlet
Apr 11, 2023 · attack.defense_evasion attack.t1140 attack.execution attack.t1059.001 ·
Share on:
Detects usage of a base64 encoded "FromBase64String" cmdlet in a process command line

Read More
PowerShell Base64 Encoded IEX Cmdlet
Apr 11, 2023 · attack.execution attack.t1059.001 ·
Share on:
Detects usage of a base64 encoded "IEX" cmdlet in a process command line

Read More
- 1
- 2
- 3
- 4