Command and Scripting Interpreter: PowerShell

Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. [1] Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).

PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.

A number of PowerShell-based offensive testing tools are available, including Empire, PowerSploit, PoshC2, and PSAttack.[2]

PowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary through interfaces to PowerShell's underlying System.Management.Automation assembly DLL exposed through the .NET framework and Windows Common Language Interface (CLI). [3][4][5]

ID: T1059.001
Sub-technique of:  T1059
Tactic: Execution
Platforms: Windows
Permissions Required: Administrator, User
Supports Remote:  Yes
Contributors: Praetorian
Version: 1.1
Created: 09 March 2020
Last Modified: 28 May 2021

Procedure Examples

ID Name Description
S0622 AppleSeed

AppleSeed has the ability to execute its payload via PowerShell.[6]

G0073 APT19

APT19 used PowerShell commands to execute payloads.[7]

G0007 APT28

APT28 downloads and executes PowerShell scripts and performs PowerShell commands.[8][9][10]

G0016 APT29

APT29 has used encoded PowerShell scripts uploaded to CozyCar installations to download and install SeaDuke. APT29 also used PowerShell to create new tasks on remote machines, identify configuration settings, evade defenses, exfiltrate data, and to execute other commands.[11][12][13][14][15]

G0022 APT3

APT3 has used PowerShell on victim systems to download and run payloads after exploitation.[16]

G0050 APT32

APT32 has used PowerShell-based tools, PowerShell one-liners, and shellcode loaders for execution.[17][18][19]

G0064 APT33

APT33 has utilized PowerShell to download files from the C2 server and run various scripts. [20][21]

G0082 APT38

APT38 has used PowerShell to execute commands and other operational tasks.[22]

G0087 APT39

APT39 has used PowerShell to execute malicious code.[23][24]

G0096 APT41

APT41 leveraged PowerShell to deploy malware families in victims’ environments.[25][26]

S0129 AutoIt backdoor

AutoIt backdoor downloads a PowerShell script that decodes to a typical shellcode loader.[27]

S0234 Bandook

Bandook has used PowerShell loaders as part of execution.[28]

S0534 Bazar

Bazar can execute a PowerShell script received from C2.[29][30]

S0521 BloodHound

BloodHound can use PowerShell to pull Active Directory information from the target environment.[31]

G0108 Blue Mockingbird

Blue Mockingbird has used PowerShell reverse TCP shells to issue interactive commands over a network connection.[32]

S0360 BONDUPDATER

BONDUPDATER is written in PowerShell.[33][34]

G0060 BRONZE BUTLER

BRONZE BUTLER has used PowerShell for execution.[35]

G0114 Chimera

Chimera has used PowerShell scripts to execute malicious payloads and the DSInternals PowerShell module to make use of Active Directory features.[36][37]

G0080 Cobalt Group

Cobalt Group has used powershell.exe to download and execute scripts.[38][39][40][41][42][43]

S0154 Cobalt Strike

Cobalt Strike can execute a payload on a remote host with PowerShell. This technique does not write any data to disk.[44][45] Cobalt Strike can also use PowerSploit and other scripting frameworks to perform execution.[46][47][48][49]

S0126 ComRAT

ComRAT has used PowerShell to load itself every time a user logs in to the system. ComRAT can execute PowerShell scripts loaded into memory or from the file system.[50][51]

S0591 ConnectWise

ConnectWise can be used to execute PowerShell commands on target machines.[52]

G0052 CopyKittens

CopyKittens has used PowerShell Empire.[53]

S0488 CrackMapExec

CrackMapExec can execute PowerShell commands via WMI.[54]

S0625 Cuba

Cuba has been dropped onto systems and used for lateral movement via obfuscated PowerShell scripts.[55]

G0079 DarkHydrus

DarkHydrus leveraged PowerShell to download and execute additional scripts for execution.[56][57]

G0105 DarkVishnya

DarkVishnya used PowerShell to create shellcode loaders.[58]

G0009 Deep Panda

Deep Panda has used PowerShell scripts to download and execute programs in memory, without writing to disk.[59]

S0354 Denis

Denis has a version written in PowerShell.[19]

S0186 DownPaper

DownPaper uses PowerShell for execution.[60]

G0074 Dragonfly 2.0

Dragonfly 2.0 used PowerShell scripts for execution.[61][62][63]

S0554 Egregor

Egregor has used an encoded PowerShell command by a service created by Cobalt Strike for lateral movement.[64]

S0367 Emotet

Emotet has used Powershell to retrieve the malicious payload and download additional resources like Mimikatz. [65][66][67][68][69]

S0363 Empire

Empire leverages PowerShell for the majority of its client-side agent tasks. Empire also contains the ability to conduct PowerShell remoting with the Invoke-PSRemoting module.[70][71]

S0512 FatDuke

FatDuke has the ability to execute PowerShell scripts.[72]

G0051 FIN10

FIN10 uses PowerShell for execution as well as PowerShell Empire to establish persistence.[73][70]

G0037 FIN6

FIN6 has used PowerShell to gain access to merchant's networks, and a Metasploit PowerShell module to download and execute shellcode and to set up a local listener.[74][75][76]

G0046 FIN7

FIN7 used a PowerShell script to launch shellcode that retrieved an additional payload.[77][78]

G0061 FIN8

FIN8's malicious spearphishing payloads are executed as PowerShell. FIN8 has also used PowerShell for lateral movement and credential access.[79][80][81]

G0117 Fox Kitten

Fox Kitten has used PowerShell scripts to access credential data.[82]

G0101 Frankenstein

Frankenstein has used PowerShell to run a series of base64-encoded commands, that acted as a stager and enumerated hosts.[83]

G0093 GALLIUM

GALLIUM used PowerShell for execution to assist in lateral movement as well as for dumping credentials stored on compromised machines.[84]

G0084 Gallmaker

Gallmaker used PowerShell to download additional payloads and for execution.[85]

G0115 GOLD SOUTHFIELD

GOLD SOUTHFIELD has staged and executed PowerShell scripts on compromised hosts.[86]

G0078 Gorgon Group

Gorgon Group malware can use PowerShell commands to download and execute a payload and open a decoy document on the victim’s machine.[87]

S0417 GRIFFON

GRIFFON has used PowerShell to execute the Meterpreter downloader TinyMet.[88]

G0125 HAFNIUM

HAFNIUM has used the Exchange Power Shell module Set-OabVirtualDirectoryPowerShell to export mailbox data.[89][90]

S0151 HALFBAKED

HALFBAKED can execute PowerShell scripts.[77]

S0037 HAMMERTOSS

HAMMERTOSS is known to use PowerShell.[91]

S0499 Hancitor

Hancitor has used PowerShell to execute commands.[92]

S0170 Helminth

One version of Helminth uses a PowerShell script.[93]

G0100 Inception

Inception has used PowerShell to execute malicious commands and payloads.[94][95]

G0119 Indrik Spider

Indrik Spider has used PowerShell Empire for execution of malware.[96][97]

S0389 JCry

JCry has used PowerShell to execute payloads.[98]

S0648 JSS Loader

JSS Loader has the ability to download and execute PowerShell scripts.[99]

S0387 KeyBoy

KeyBoy uses PowerShell commands to download and execute payloads.[100]

S0526 KGH_SPY

KGH_SPY can execute PowerShell commands on the victim's machine.[101]

G0094 Kimsuky

Kimsuky has executed a variety of PowerShell scripts.[102][103]

S0356 KONNI

KONNI used PowerShell to download and execute a specific 64-bit version of the malware.[104]

G0065 Leviathan

Leviathan has used PowerShell for execution.[105][106][107][108]

S0447 Lokibot

Lokibot has used PowerShell commands embedded inside batch scripts.[109]

G0059 Magic Hound

Magic Hound has used PowerShell for execution and privilege escalation.[110][111]

G0045 menuPass

menuPass uses PowerSploit to inject shellcode into PowerShell.[112][113]

S0553 MoleNet

MoleNet can use PowerShell to set persistence.[114]

G0021 Molerats

Molerats used PowerShell implants on target machines.[115]

S0256 Mosquito

Mosquito can launch PowerShell Scripts.[116]

G0069 MuddyWater

MuddyWater has used PowerShell for execution.[117][118][119][120][121][122][123][124]

G0129 Mustang Panda

Mustang Panda has used malicious PowerShell scripts to enable execution.[125][126]

S0457 Netwalker

Netwalker has been written in PowerShell and executed directly in memory, avoiding detection.[127][128]

S0198 NETWIRE

The NETWIRE binary has been executed via PowerShell script.[129]

S0385 njRAT

njRAT has executed PowerShell commands via auto-run registry key persistence.[130]

G0133 Nomadic Octopus

Nomadic Octopus has used PowerShell for execution.[131]

G0049 OilRig

OilRig has used PowerShell scripts for execution, including use of a macro to run a PowerShell command to decode file contents.[33][132][133]

G0116 Operation Wocao

Operation Wocao has used PowerShell on compromised systems.[134]

S0352 OSX_OCEANLOTUS.D

OSX_OCEANLOTUS.D uses PowerShell scripts.[135]

G0040 Patchwork

Patchwork used PowerSploit to download payloads, run a reverse shell, and execute malware on the victim's machine.[136][137]

S0517 Pillowmint

Pillowmint has used a PowerShell script to install a shim database.[138]

G0033 Poseidon Group

The Poseidon Group's Information Gathering Tool (IGT) includes PowerShell components.[139]

S0150 POSHSPY

POSHSPY uses PowerShell to execute various commands, one to execute its payload.[140]

S0441 PowerShower

PowerShower is a backdoor written in PowerShell.[94]

S0145 POWERSOURCE

POWERSOURCE is a PowerShell backdoor.[141][142]

S0194 PowerSploit

PowerSploit modules are written in and executed via PowerShell.[143][144]

S0393 PowerStallion

PowerStallion uses PowerShell loops to iteratively check for available commands in its OneDrive C2 server.[145]

S0223 POWERSTATS

POWERSTATS uses PowerShell for obfuscation and execution.[146][121][147]

S0371 POWERTON

POWERTON is written in PowerShell.[148]

S0184 POWRUNER

POWRUNER is written in PowerShell.[33]

S0613 PS1

PS1 can utilize a PowerShell loader.[149]

S0196 PUNCHBUGGY

PUNCHBUGGY has used PowerShell scripts.[150]

S0192 Pupy

Pupy has a module for loading and executing PowerShell scripts.[151]

S0583 Pysa

Pysa has used Powershell scripts to deploy its ransomware.[152]

S0650 QakBot

QakBot can use PowerShell to download and execute payloads.[153]

S0269 QUADAGENT

QUADAGENT uses PowerShell scripts for execution.[154]

S0241 RATANKBA

There is a variant of RATANKBA that uses a PowerShell script instead of the traditional PE form.[155][156]

S0511 RegDuke

RegDuke can extract and execute PowerShell scripts from C2 communications.[72]

S0379 Revenge RAT

Revenge RAT uses the PowerShell command Reflection.Assembly to load itself into memory to aid in execution.[157]

S0496 REvil

REvil has used PowerShell to delete volume shadow copies and download files.[158][159][160][161]

S0270 RogueRobin

RogueRobin uses a command prompt to run a PowerShell script from Excel.[56] To assist in establishing persistence, RogueRobin creates %APPDATA%\OneDrive.bat and saves the following string to it:powershell.exe -WindowStyle Hidden -exec bypass -File "%APPDATA%\OneDrive.ps1".[162][56]

G0034 Sandworm Team

Sandworm Team has used PowerShell scripts to run a credential harvesting tool in memory to evade defenses.[163][164]

S0053 SeaDuke

SeaDuke uses a module to execute Mimikatz with PowerShell to perform Pass the Ticket.[13]

S0382 ServHelper

ServHelper has the ability to execute a PowerShell script to get information from the infected host.[165]

S0546 SharpStage

SharpStage can execute arbitrary commands with PowerShell.[114][166]

S0450 SHARPSTATS

SHARPSTATS has the ability to employ a custom PowerShell script.[147]

G0121 Sidewinder

Sidewinder has used PowerShell to drop and execute malware loaders.[167]

G0091 Silence

Silence has used PowerShell to download and execute payloads.[168][169]

S0649 SMOKEDHAM

SMOKEDHAM can execute Powershell commands sent from its C2 server.[170]

S0273 Socksbot

Socksbot can write and execute PowerShell scripts.[137]

S0390 SQLRat

SQLRat has used PowerShell to create a Meterpreter session.[171]

G0038 Stealth Falcon

Stealth Falcon malware uses PowerShell commands to perform various functions, including gathering system information via WMI and executing commands from its C2 server.[172]

S0491 StrongPity

StrongPity can use PowerShell to add files to the Windows Defender exclusions list.[173]

G0062 TA459

TA459 has used PowerShell for execution of a payload.[174]

G0092 TA505

TA505 has used PowerShell to download and execute malware and reconnaissance scripts.[175][176][177][178]

G0139 TeamTNT

TeamTNT has executed PowerShell commands in batch scripts.[179]

G0088 TEMP.Veles

TEMP.Veles has used a publicly-available PowerShell-based tool, WMImplant.[180] The group has also used PowerShell to perform Timestomping.[181]

G0027 Threat Group-3390

Threat Group-3390 has used PowerShell for execution.[182]

G0076 Thrip

Thrip leveraged PowerShell to run commands to download payloads, traverse the compromised networks, and carry out reconnaissance.[183]

G0131 Tonto Team

Tonto Team has used PowerShell to download additional payloads.[184]

S0266 TrickBot

TrickBot has been known to use PowerShell to download new payloads, open documents, and upload data to command and control servers. [185]

G0010 Turla

Turla has used PowerShell to execute commands/scripts, in some cases via a custom executable or code from Empire's PSInject.[186][145][187] Turla has also used PowerShell scripts to load and execute malware in memory.

S0386 Ursnif

Ursnif droppers have used PowerShell in download cradles to download and execute the malware's full executable payload.[188]

S0476 Valak

Valak has used PowerShell to download additional modules.[189]

S0514 WellMess

WellMess can execute PowerShell scripts received from C2.[190][191]

G0090 WIRTE

WIRTE has used PowerShell for script execution.[192]

G0102 Wizard Spider

Wizard Spider has used macros to execute PowerShell scripts to download malware on victim's machines.[193] It has also used PowerShell to execute commands and move laterally through a victim network.[194][195][196]

S0341 Xbash

Xbash can use scripts to invoke PowerShell to download a malicious PE executable or PE DLL for execution.[197]

S0330 Zeus Panda

Zeus Panda uses PowerShell to download and execute the payload.[198]

Mitigations

ID Mitigation Description
M1049 Antivirus/Antimalware

Anti-virus can be used to automatically quarantine suspicious files.

M1045 Code Signing

Set PowerShell execution policy to execute only signed scripts.

M1042 Disable or Remove Feature or Program

It may be possible to remove PowerShell from systems when not needed, but a review should be performed to assess the impact to an environment, since it could be in use for many legitimate purposes and administrative functions.

Disable/restrict the WinRM Service to help prevent uses of PowerShell for remote execution.

M1038 Execution Prevention

Use application control where appropriate.

M1026 Privileged Account Management

When PowerShell is necessary, restrict PowerShell execution policy to administrators. Be aware that there are methods of bypassing the PowerShell execution policy, depending on environment configuration.[199]

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0011 Module Module Load
DS0009 Process Process Creation
DS0012 Script Script Execution

If proper execution policy is set, adversaries will likely be able to define their own execution policy if they obtain administrator or system access, either through the Registry or at the command line. This change in policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity.

Monitor for loading and/or execution of artifacts associated with PowerShell specific assemblies, such as System.Management.Automation.dll (especially to unusual process names/locations).[3][4]

It is also beneficial to turn on PowerShell logging to gain increased fidelity in what occurs during execution (which is applied to .NET invocations). [200] PowerShell 5.0 introduced enhanced logging capabilities, and some of those features have since been added to PowerShell 4.0. Earlier versions of PowerShell do not have many logging features.[201] An organization can gather PowerShell execution details in a data analytic platform to supplement it with other data.

References

  1. Microsoft. (n.d.). Windows PowerShell Scripting. Retrieved April 28, 2016.
  2. Haight, J. (2016, April 21). PS>Attack. Retrieved June 1, 2016.
  3. Warner, J.. (2015, January 6). Inexorable PowerShell – A Red Teamer’s Tale of Overcoming Simple AppLocker Policies. Retrieved December 8, 2018.
  4. Christensen, L.. (2015, December 28). The Evolution of Offensive PowerShell Invocation. Retrieved December 8, 2018.
  5. Babinec, K. (2014, April 28). Executing PowerShell scripts from C#. Retrieved April 22, 2019.
  6. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.
  7. Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018.
  8. Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.
  9. Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021.
  10. NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.
  11. Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.
  12. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021.
  13. Symantec Security Response. (2015, July 13). “Forkmeiamfamous”: Seaduke, latest weapon in the Duke armory. Retrieved July 22, 2015.
  14. Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016.
  15. Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018.
  16. Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016.
  17. Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  18. Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.
  19. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  20. Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.
  21. Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020.
  22. DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. Retrieved September 29, 2021.
  23. Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020.
  24. Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020.
  25. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
  26. Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020.
  27. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  28. Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021.
  29. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.
  30. Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.
  31. Red Team Labs. (2018, April 24). Hidden Administrative Accounts: BloodHound to the Rescue. Retrieved October 28, 2020.
  32. Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.
  33. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  34. Wilhoit, K. and Falcone, R. (2018, September 12). OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government. Retrieved February 18, 2019.
  35. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  36. Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020.
  37. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021.
  38. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
  39. Positive Technologies. (2017, August 16). Cobalt Strikes Back: An Evolving Multinational Threat to Finance. Retrieved September 5, 2018.
  40. Positive Technologies. (2016, December 16). Cobalt Snatch. Retrieved October 9, 2018.
  41. Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018.
  42. Klijnsma, Y.. (2018, January 16). First Activities of Cobalt Group in 2018: Spear Phishing Russian Banks. Retrieved October 10, 2018.
  43. Giagone, R., Bermejo, L., and Yarochkin, F. (2017, November 20). Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks. Retrieved March 7, 2019.
  44. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  45. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.
  46. Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved December 20, 2017.
  47. Mudge, R. (2017, May 23). Cobalt Strike 3.8 – Who’s Your Daddy?. Retrieved June 4, 2019.
  48. Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved April 6, 2021.
  49. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  50. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  51. CISA. (2020, October 29). Malware Analysis Report (AR20-303A). Retrieved December 9, 2020.
  52. Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021.
  53. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  54. byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020.
  55. Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021.
  56. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
  57. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
  58. Golovanov, S. (2018, December 6). DarkVishnya: Banks attacked through direct connection to local network. Retrieved May 15, 2020.
  59. Alperovitch, D. (2014, July 7). Deep in Thought: Chinese Targeting of National Security Think Tanks. Retrieved November 12, 2014.
  60. ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017.
  61. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  62. Symantec Security Response. (2017, September 6). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017.
  63. US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017.
  64. Bichet, J. (2020, November 12). Egregor – Prolock: Fraternal Twins ?. Retrieved January 6, 2021.
  65. Symantec. (2018, July 18). The Evolution of Emotet: From Banking Trojan to Threat Distributor. Retrieved March 25, 2019.
  66. Trend Micro. (2019, January 16). Exploring Emotet's Activities . Retrieved March 25, 2019.
  67. Özarslan, S. (2018, December 21). The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc. Retrieved March 25, 2019.
  68. Donohue, B.. (2019, February 13). https://redcanary.com/blog/stopping-emotet-before-it-moves-laterally/. Retrieved March 25, 2019.
  69. Lee, S.. (2019, April 24). Emotet Using WMI to Launch PowerShell Encoded Code. Retrieved May 24, 2019.
  70. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  71. The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
  72. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
  73. FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved June 25, 2017.
  74. FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.
  75. McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
  76. Visa Public. (2019, February). FIN6 Cybercrime Group Expands Threat to eCommerce Merchants. Retrieved September 16, 2019.
  77. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
  78. Gorelik, M.. (2017, June 9). FIN7 Takes Another Bite at the Restaurant Industry. Retrieved July 13, 2017.
  79. Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018.
  80. Martin Zugec. (2021, July 27). Deep Dive Into a FIN8 Attack - A Forensic Investigation. Retrieved September 1, 2021.
  81. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  82. CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.
  83. Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
  84. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
  85. Symantec Security Response. (2018, October 10). Gallmaker: New Attack Group Eschews Malware to Live off the Land. Retrieved November 27, 2018.
  86. Tetra Defense. (2020, March). CAUSE AND EFFECT: SODINOKIBI RANSOMWARE ANALYSIS. Retrieved December 14, 2020.
  87. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
  88. Namestnikov, Y. and Aime, F. (2019, May 8). FIN7.5: the infamous cybercrime rig “FIN7” continues its activities. Retrieved October 11, 2019.
  89. MSTIC. (2021, March 2). HAFNIUM targeting Exchange Servers with 0-day exploits. Retrieved March 3, 2021.
  90. Gruzweig, J. et al. (2021, March 2). Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities. Retrieved March 3, 2021.
  91. FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved September 17, 2015.
  92. Anubhav, A., Jallepalli, D. (2016, September 23). Hancitor (AKA Chanitor) observed using multiple attack approaches. Retrieved August 13, 2020.
  93. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  94. Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020.
  95. GReAT. (2014, December 10). Cloud Atlas: RedOctober APT is back in style. Retrieved May 8, 2020.
  96. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.
  97. Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021.
  98. Lee, S.. (2019, May 14). JCry Ransomware. Retrieved June 18, 2019.
  99. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
  100. Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019.
  101. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
  1. Alyac. (2019, April 3). Kimsuky Organization Steals Operation Stealth Power. Retrieved August 13, 2019.
  2. CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.
  3. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.
  4. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  5. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  6. CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department.. Retrieved August 12, 2021.
  7. Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021.
  8. Muhammad, I., Unterbrink, H.. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021.
  9. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  10. Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018.
  11. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  12. Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020.
  13. Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.
  14. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
  15. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
  16. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  17. Villanueva, M., Co, M. (2018, June 14). Another Potential MuddyWater Campaign uses Powershell-based PRB-Backdoor. Retrieved July 3, 2018.
  18. Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
  19. Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.
  20. ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.
  21. Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019.
  22. Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020.
  23. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
  24. Meyers, A. (2018, June 15). Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA. Retrieved April 12, 2021.
  25. Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021.
  26. Victor, K.. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading . Retrieved May 26, 2020.
  27. Szappanos, G., Brandt, A.. (2020, May 27). Netwalker ransomware tools give insight into threat actor. Retrieved May 27, 2020.
  28. Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing. Retrieved January 7, 2021.
  29. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
  30. Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021.
  31. Falcone, R. and Lee, B. (2017, October 9). OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan. Retrieved January 8, 2018.
  32. Meyers, A. (2018, November 27). Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN. Retrieved December 18, 2018.
  33. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  34. Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018.
  35. Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.
  36. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  37. Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief . Retrieved July 27, 2020.
  38. Kaspersky Lab's Global Research and Analysis Team. (2016, February 9). Poseidon Group: a Targeted Attack Boutique specializing in global cyber-espionage. Retrieved March 16, 2016.
  39. Dunwoody, M.. (2017, April 3). Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.
  40. Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.
  41. Brumaghin, E. and Grady, C.. (2017, March 2). Covert Channels and Poor Decisions: The Tale of DNSMessenger. Retrieved March 8, 2017.
  42. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
  43. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
  44. Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
  45. Lancaster, T.. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018.
  46. Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020.
  47. Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019.
  48. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
  49. Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
  50. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  51. CERT-FR. (2020, April 1). ATTACKS INVOLVING THE MESPINOZA/PYSA RANSOMWARE. Retrieved March 1, 2021.
  52. Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021.
  53. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
  54. Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018.
  55. Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.
  56. Gannon, M. (2019, February 11). With Upgrades in Delivery and Support Infrastructure, Revenge RAT Malware is a Bigger Threat. Retrieved May 1, 2019.
  57. Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.
  58. Cadieux, P, et al (2019, April 30). Sodinokibi ransomware exploits WebLogic Server vulnerability. Retrieved August 4, 2020.
  59. Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020.
  60. Group IB. (2020, May). Ransomware Uncovered: Attackers’ Latest Methods. Retrieved August 5, 2020.
  61. Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019.
  62. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.
  63. Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.
  64. Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020.
  65. Ilascu, I. (2020, December 14). Hacking group’s new malware abuses Google and Facebook services. Retrieved December 28, 2020.
  66. Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.
  67. Skulkin, O.. (2019, January 20). Silence: Dissecting Malicious CHM Files and Performing Forensic Analysis. Retrieved May 24, 2019.
  68. Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020.
  69. FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021.
  70. Platt, J. and Reeves, J.. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019.
  71. Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.
  72. Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.
  73. Axel F. (2017, April 27). APT Targets Financial Analysts with CVE-2017-0199. Retrieved February 15, 2018.
  74. Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019.
  75. Proofpoint Staff. (2018, July 19). TA505 Abusing SettingContent-ms within PDF files to Distribute FlawedAmmyy RAT. Retrieved April 19, 2019.
  76. Salem, E. (2019, April 25). Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware. Retrieved May 28, 2019.
  77. Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved May 28, 2019.
  78. AT&T Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. Retrieved September 22, 2021.
  79. FireEye Intelligence . (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019.
  80. Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.
  81. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
  82. Security Response Attack Investigation Team. (2018, June 19). Thrip: Espionage Group Hits Satellite, Telecoms, and Defense Companies. Retrieved July 10, 2018.
  83. Faou, M., Tartare, M., Dupuy, T. (2021, March 10). Exchange servers under siege from at least 10 APT groups. Retrieved May 21, 2021.
  84. Radu Tudorica. (2021, July 12). A Fresh Look at Trickbot’s Ever-Improving VNC Module. Retrieved September 28, 2021.
  85. ESET Research. (2018, May 22). Turla Mosquito: A shift towards more generic tools. Retrieved July 3, 2018.
  86. Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.
  87. Holland, A. (2019, March 7). Tricks and COMfoolery: How Ursnif Evades Detection. Retrieved June 10, 2019.
  88. Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020.
  89. PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020.
  90. CISA. (2020, July 16). MAR-10296782-2.v1 – WELLMESS. Retrieved September 24, 2020.
  91. S2 Grupo. (2019, April 2). WIRTE Group attacking the Middle East. Retrieved May 24, 2019.
  92. John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.
  93. DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.
  94. Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
  95. Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier.. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.
  96. Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018.
  97. Brumaghin, E., et al. (2017, November 02). Poisoning the Well: Banking Trojan Targets Google Search Results. Retrieved November 5, 2018.
  98. Sutherland, S. (2014, September 9). 15 Ways to Bypass the PowerShell Execution Policy. Retrieved July 23, 2015.
  99. Malware Archaeology. (2016, June). WINDOWS POWERSHELL LOGGING CHEAT SHEET - Win 7/Win 2008 or later. Retrieved June 24, 2016.
  100. Dunwoody, M. (2016, February 11). GREATER VISIBILITY THROUGH POWERSHELL LOGGING. Retrieved February 16, 2016.