
PowerShell (acbc359f-5b4a-4ae1-ba35-67f1d89b2ac3)

Microsoft's PowerShell scripting language is available by default from Windows 7 onward, so it gives attackers a built-in, inconspicuous way to launch attacks in that environment. PowerShell has also been open-source and cross-platform since the release of PowerShell Core in 2016.

PowerShell provides full access to all Windows services including Microsoft COM (Component Object Model) and Microsoft Windows Management Instrumentation (WMI), while add-ins can easily be imported to include functionality for managing Active Directory, Exchange, etc.

Some other features that make PowerShell an interesting choice for attackers include:

- Ability to run code directly in memory with ease
- Flexibility to encode elements of a script in a multitude of ways
- Full access to the Microsoft .NET Framework
- Ability to re-create the PowerShell framework binary using .NET Framework DLLs
- Logging and detecting behavior is difficult in older versions
- Availability of a number of quality attack frameworks written in PowerShell

[MicrosoftLearn October 30 2024]

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| UNC3886 (23af694a-11f4-43eb-a176-683059b301cb) | Tidal Groups | PowerShell (acbc359f-5b4a-4ae1-ba35-67f1d89b2ac3) | Tidal Software | 1 |
| UNC5221 (71e9b27e-8d68-4ed6-b3ab-14142558b9ff) | Tidal Groups | PowerShell (acbc359f-5b4a-4ae1-ba35-67f1d89b2ac3) | Tidal Software | 1 |
| Ransomhouse Group (61fe900f-d317-41fb-aed8-7f1052acfc5e) | Tidal Groups | PowerShell (acbc359f-5b4a-4ae1-ba35-67f1d89b2ac3) | Tidal Software | 1 |