Detections
Analytics
Command and Scripting Interpreter: PowerShell (Windows)
Description
Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.[1] Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Products, Sensors, and Dependencies
| Product | Dependencies | Data source | Access required | Protocol | Data Collected | Notes |
|---|---|---|---|---|---|---|
| Tenable.io | Advanced Network Scan | Windows machines | Authenticated Scan | SMB | PowerShell Execution Policy | Plugin ID: 92367 |
References
Attack Path Technique Details
Framework: MITRE ATT&CK
Family: Execution
Technique: Command and Scripting Interpreter
Sub-Technique: Powershell
Platform: Windows
Products Required: Tenable.io
Tenable Release Date: 2022 Q2