Esc

PowerShell - T1059.001

(ATT&CK® Technique)

Definition

Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).

D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.

        graph LR;

     T1059001["PowerShell"] --> |executes| ExecutableScript["Executable Script"]; class T1059001 OffensiveTechniqueNode;
        class ExecutableScript ArtifactNode; click ExecutableScript href "/dao/artifact/d3f:ExecutableScript";
        click T1059001 href "/offensive-technique/attack/T1059.001/"; click ExecutableScript href "/dao/artifact/d3f:ExecutableScript";DecoyFile["Decoy File"] -->
          | spoofs | ExecutableScript["Executable Script"];

          DecoyFile["Decoy File"] -.->
            | May Deceive | T1059001["PowerShell"] ;
          class DecoyFile DefensiveTechniqueNode;
          class ExecutableScript ArtifactNode;
          click DecoyFile href "/technique/d3f:DecoyFile"; DynamicAnalysis["Dynamic Analysis"] -->
          | analyzes | ExecutableScript["Executable Script"];

          DynamicAnalysis["Dynamic Analysis"] -.->
            | May Detect | T1059001["PowerShell"] ;
          class DynamicAnalysis DefensiveTechniqueNode;
          class ExecutableScript ArtifactNode;
          click DynamicAnalysis href "/technique/d3f:DynamicAnalysis"; EmulatedFileAnalysis["Emulated File Analysis"] -->
          | analyzes | ExecutableScript["Executable Script"];

          EmulatedFileAnalysis["Emulated File Analysis"] -.->
            | May Detect | T1059001["PowerShell"] ;
          class EmulatedFileAnalysis DefensiveTechniqueNode;
          class ExecutableScript ArtifactNode;
          click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
          | analyzes | ExecutableScript["Executable Script"];

          FileIntegrityMonitoring["File Integrity Monitoring"] -.->
            | May Detect | T1059001["PowerShell"] ;
          class FileIntegrityMonitoring DefensiveTechniqueNode;
          class ExecutableScript ArtifactNode;
          click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileEviction["File Eviction"] -->
          | deletes | ExecutableScript["Executable Script"];

          FileEviction["File Eviction"] -.->
            | May Evict | T1059001["PowerShell"] ;
          class FileEviction DefensiveTechniqueNode;
          class ExecutableScript ArtifactNode;
          click FileEviction href "/technique/d3f:FileEviction"; FileEncryption["File Encryption"] -->
          | encrypts | ExecutableScript["Executable Script"];

          FileEncryption["File Encryption"] -.->
            | May Harden | T1059001["PowerShell"] ;
          class FileEncryption DefensiveTechniqueNode;
          class ExecutableScript ArtifactNode;
          click FileEncryption href "/technique/d3f:FileEncryption"; LocalFilePermissions["Local File Permissions"] -->
          | restricts | ExecutableScript["Executable Script"];

          LocalFilePermissions["Local File Permissions"] -.->
            | May Harden | T1059001["PowerShell"] ;
          class LocalFilePermissions DefensiveTechniqueNode;
          class ExecutableScript ArtifactNode;
          click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; ExecutableAllowlisting["Executable Allowlisting"] -->
          | blocks | ExecutableScript["Executable Script"];

          ExecutableAllowlisting["Executable Allowlisting"] -.->
            | May Isolate | T1059001["PowerShell"] ;
          class ExecutableAllowlisting DefensiveTechniqueNode;
          class ExecutableScript ArtifactNode;
          click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; ExecutableDenylisting["Executable Denylisting"] -->
          | blocks | ExecutableScript["Executable Script"];

          ExecutableDenylisting["Executable Denylisting"] -.->
            | May Isolate | T1059001["PowerShell"] ;
          class ExecutableDenylisting DefensiveTechniqueNode;
          class ExecutableScript ArtifactNode;
          click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; RestoreFile["Restore File"] -->
          | restores | ExecutableScript["Executable Script"];

          RestoreFile["Restore File"] -.->
            | May Restore | T1059001["PowerShell"] ;
          class RestoreFile DefensiveTechniqueNode;
          class ExecutableScript ArtifactNode;
          click RestoreFile href "/technique/d3f:RestoreFile"; FileAnalysis["File Analysis"] -->
          | analyzes | ExecutableScript["Executable Script"];

          FileAnalysis["File Analysis"] -.->
            | May Detect | T1059001["PowerShell"] ;
          class FileAnalysis DefensiveTechniqueNode;
          class ExecutableScript ArtifactNode;
          click FileAnalysis href "/technique/d3f:FileAnalysis";

json