Home  >  APT29  >  Results  >  Elastic  >  PowerShell

Technique Results: PowerShell (T1086) Technique Page Information

The ATT&CK technique page displays all procedures used to test the technique, and their respective detections. The Procedure column contains a description of how the technique was tested . The Step column is where the procedure occurred in the operational flow. Click the Step Number to view it in the Operational Flow panel. Detections are classified by one or more Detection Types, summarized by the Detection Notes, and may be supported by screenshots.

MITRE does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation - these are not endorsed or validated by MITRE.

Vendor Configuration     All Results JSON Legend
Legend
Main Detection Categories: Detection Modifiers:

None

Telemetry

Indicator of
Compromise

General
Behavior

MSSP

General

Tactic

Specific
Behavior

Technique

Enrichment

Tainted

Alert

Correlated

Delayed

Host
Interrogation

Residual
Artifact

Configuration
Change

Innovative
Procedures Criteria Step
Detection Type Detection Notes
Spawned interactive powershell.exe
powershell.exe spawning from cmd.exe
1.B.2
Technique (Correlated)
A Technique detection called "ATT&CK T1086 PowerShell" was generated for the execution of PowerShell. The event was correlated to a parent alert for malicious file execution. [1]
Telemetry (Correlated)
Telemetry showed cmd.exe executing powershell.exe. The telemetry was correlated to a parent alert for malicious file execution. [1]
Spawned interactive powershell.exe
powershell.exe spawning from powershell.exe
4.A.2
Technique (Correlated, Alert)
A Technique alert detection (high severity) for "ATT&CK T1086 Powershell" was generated when powershell.exe spawned. The detection was correlated to a parent alert for malicious file execution. [1]
Telemetry (Correlated)
Telemetry showed a new powershell.exe spawning from powershell.exe. The detection was correlated to a parent alert for malicious file execution. [1]
Spawned interactive powershell.exe
powershell.exe​ spawning from python.exe
9.B.1
Technique (Correlated, Alert)
A Technique alert detection (medium severity) for "T1086 PowerShell" was generated due to powershell.exe executing. This event was correlated to a Technique detection for the creation of psexesvc.exe. [1] [2]
Telemetry
Telemetery showed python.exe executing powershell.exe. [1]
Executed PowerShell stager payload
powershell.exe spawning from from the schemas ADS (powershell.exe)
11.A.12
Technique (Alert)
A Technique alert detection (medium severity) was generated for powershell.exe executed with unusual arguments. [1]
Technique (Alert)
A Technique alert detection (medium severity) was generated for powershell.exe executing an obfuscated command. [1]
Technique
A Technique detection for "ATT&CK T1086 PowerShell" was generated for powershell.exe spawned from a PowerShell stager. [1]
Telemetry
Telemetry showed powershell.exe spawned from a PowerShell stager. [1]
Executed PowerShell payload from WMI event subscription persistence
SYSTEM-level powershell.exe spawned from the powershell.exe
20.A.3
Technique (Alert)
A Technique alert detection (orange, medium severity) for "PowerShell with Unusual Arguments" was generated for the execution of PowerShell. [1]
Technique
A Technique detection for "ATT&CK T1085 PowerShell" was generated due to the execution of PowerShell. [1]
Telemetry
Telemetry showed powershell.exe spawned from WMI event subscription (wmiprvse.exe) as SYSTEM. [1]