T1059.001 PowerShell Mappings

Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.(Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the <code>Start-Process</code> cmdlet which can be used to run an executable and the <code>Invoke-Command</code> cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).

PowerShell may also be used to download executables from the Internet and run them, either from disk or directly in memory without ever writing them to disk.

A number of PowerShell-based offensive testing tools are available, including Empire, PowerSploit, PoshC2, and PSAttack.(Citation: Github PSAttack)

PowerShell commands/scripts can also be executed without directly invoking the <code>powershell.exe</code> binary through interfaces to PowerShell's underlying <code>System.Management.Automation</code> assembly DLL exposed through the .NET framework and Windows Common Language Interface (CLI).(Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)(Citation: Microsoft PSfromCsharp APR 2014)


Mappings

Capability ID: intel-tdt
Capability Description: Intel Threat Detection Technology
Mapping Type: CrowdStrike AMS
ATT&CK ID: T1059.001
ATT&CK Name: PowerShell

Comments
Intel Threat Detection Technology (TDT), integrated with CrowdStrike Falcon Accelerated Memory Scanning (CAMS), strengthens cybersecurity defenses by enabling faster, real-time detection of PowerShell attacks. This integrated solution enhances CrowdStrike Falcon, improving its ability to detect and mitigate cyber threats earlier in the kill chain, while minimizing system performance impact. PowerShell attacks involve adversaries using PowerShell scripts or commands to execute malicious actions, such as downloading payloads, executing remote commands, or performing other activities designed to evade detection. PowerShell is a powerful tool often leveraged by attackers to bypass security controls, escalate privileges, or maintain persistence on compromised systems. Intel TDT plays a key role in identifying these threats by providing real-time telemetry on program execution, memory access, and control flow, enabling rapid detection of suspicious PowerShell activity such as script execution or abnormal command-line behavior that could signal malicious actions. Additionally, CAMS offloads the memory scanning workload from the CPU to the Intel Integrated GPU, allowing for faster and more efficient detection of malicious activity without negatively impacting system performance. CAMS helps identify suspicious behaviors such as the execution of unauthorized PowerShell scripts or the use of PowerShell for payload delivery, data exfiltration, or privilege escalation.