Script - DS0012 (12c1e727-7fa4-49b6-af81-366ed2ce231e)

A file or stream containing a list of commands, allowing them to be launched in sequence (Citation: Microsoft PowerShell Logging) (Citation: FireEye PowerShell Logging) (Citation: Microsoft AMSI).

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Script - DS0012 (12c1e727-7fa4-49b6-af81-366ed2ce231e) | mitre-data-source | Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) | mitre-data-component | 1 |
| Archive via Library - T1560.002 (41868330-6ee2-4d0f-b743-9f2294c3c9b6) | Attack Pattern | Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) | mitre-data-component | 2 |
| GUI Input Capture - T1056.002 (a2029942-0a85-4947-b23c-ca434698171d) | Attack Pattern | Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) | mitre-data-component | 2 |
| Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) | Attack Pattern | Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) | mitre-data-component | 2 |
| Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) | mitre-data-component | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 2 |
| Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) | mitre-data-component | 2 |
| Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9) | Attack Pattern | Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) | mitre-data-component | 2 |
| Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) | Attack Pattern | Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) | mitre-data-component | 2 |
| PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) | Attack Pattern | Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) | mitre-data-component | 2 |
| VBA Stomping - T1564.007 (c898c4b5-bf36-4e6e-a4ad-5b8c4c13e35b) | Attack Pattern | Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) | mitre-data-component | 2 |
| Component Object Model - T1559.001 (2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64) | Attack Pattern | Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) | mitre-data-component | 2 |
| Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) | mitre-data-component | Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a) | Attack Pattern | 2 |
| Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) | Attack Pattern | Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) | mitre-data-component | 2 |
| System Script Proxy Execution - T1216 (f6fe9070-7a65-49ea-ae72-76292f42cebe) | Attack Pattern | Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) | mitre-data-component | 2 |
| Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b) | Attack Pattern | Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) | mitre-data-component | 2 |
| Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) | Attack Pattern | Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) | mitre-data-component | 2 |
| System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) | Attack Pattern | Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) | mitre-data-component | 2 |
| JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) | Attack Pattern | Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) | mitre-data-component | 2 |
| Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) | mitre-data-component | Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) | Attack Pattern | 2 |
| PubPrn - T1216.001 (09cd431f-eaf4-4d2a-acaf-2a7acfe7ed58) | Attack Pattern | Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) | mitre-data-component | 2 |
| Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0) | Attack Pattern | Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) | mitre-data-component | 2 |
| Reversible Encryption - T1556.005 (d50955c2-272d-4ac8-95da-10c29dda1c48) | Attack Pattern | Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) | mitre-data-component | 2 |
| Dynamic Data Exchange - T1559.002 (232a7e42-cd6e-4902-8fe9-2960f529dd4d) | Attack Pattern | Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) | mitre-data-component | 2 |
| Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) | mitre-data-component | SyncAppvPublishingServer - T1216.002 (e6f19759-dde3-47fc-99cc-d9f5fa4ade60) | Attack Pattern | 2 |
| Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) | mitre-data-component | 2 |
| Cloud Administration Command - T1651 (d94b3ae9-8059-4989-8e9f-ea0f601f80a7) | Attack Pattern | Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) | mitre-data-component | 2 |
| Group Policy Discovery - T1615 (1b20efbf-8063-4fc3-a07d-b575318a301b) | Attack Pattern | Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) | mitre-data-component | 2 |
| Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619) | Attack Pattern | Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) | mitre-data-component | 2 |
| Disable Windows Event Logging - T1562.002 (4eb28bed-d11a-4641-9863-c2ac017d910a) | Attack Pattern | Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) | mitre-data-component | 2 |
| Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) | Attack Pattern | Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) | mitre-data-component | 2 |
| Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) | mitre-data-component | Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) | Attack Pattern | 2 |
| Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) | Attack Pattern | Script Execution (9f387817-df83-432a-b56b-a8fb7f71eedd) | mitre-data-component | 2 |
| Archive via Library - T1560.002 (41868330-6ee2-4d0f-b743-9f2294c3c9b6) | Attack Pattern | Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) | Attack Pattern | 3 |
| GUI Input Capture - T1056.002 (a2029942-0a85-4947-b23c-ca434698171d) | Attack Pattern | Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) | Attack Pattern | 3 |
| Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) | Attack Pattern | 3 |
| PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) | Attack Pattern | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 3 |
| VBA Stomping - T1564.007 (c898c4b5-bf36-4e6e-a4ad-5b8c4c13e35b) | Attack Pattern | Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) | Attack Pattern | 3 |
| Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) | Attack Pattern | Component Object Model - T1559.001 (2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64) | Attack Pattern | 3 |
| Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b) | Attack Pattern | Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) | Attack Pattern | 3 |
| JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) | Attack Pattern | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 3 |
| System Script Proxy Execution - T1216 (f6fe9070-7a65-49ea-ae72-76292f42cebe) | Attack Pattern | PubPrn - T1216.001 (09cd431f-eaf4-4d2a-acaf-2a7acfe7ed58) | Attack Pattern | 3 |
| Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) | Attack Pattern | Reversible Encryption - T1556.005 (d50955c2-272d-4ac8-95da-10c29dda1c48) | Attack Pattern | 3 |
| Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) | Attack Pattern | Dynamic Data Exchange - T1559.002 (232a7e42-cd6e-4902-8fe9-2960f529dd4d) | Attack Pattern | 3 |
| System Script Proxy Execution - T1216 (f6fe9070-7a65-49ea-ae72-76292f42cebe) | Attack Pattern | SyncAppvPublishingServer - T1216.002 (e6f19759-dde3-47fc-99cc-d9f5fa4ade60) | Attack Pattern | 3 |
| Disable Windows Event Logging - T1562.002 (4eb28bed-d11a-4641-9863-c2ac017d910a) | Attack Pattern | Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | 3 |
| Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) | Attack Pattern | Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) | Attack Pattern | 3 |
| Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) | Attack Pattern | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 3 |