Command and Scripting Interpreter, PowerShell [T1059.001]
Command line interface scripting has long been used to manage *nix-based systems, and the ability to build and execute scripts is often exploited by attackers. For years there was no equivalent available on Windows, and in the early 2000s MS began development of a new approach to command line management. Soon thereafter Powershell (PS) 1.0 was created. PS, in its various iterations, is a built-in tool used to automate system administration tasks and it is based on the .NET framework. It provides an interface for users to access services of the Windows operating system.
Although certain PowerShell commands are restricted by default, many commands are available to obtain system information without an executable file. Attackers can use LNK extensions to bypass safeguards and execute a PowerShell script. LNK files are usually seen as shortcuts, generally found on a user's Desktop and Start Menu.
Malicious LNK files are often embedded within what appears to be legitimate documents or pictures. Once opened, the LNK executes a legitimate windows application such as CMD.exe or MSHTA.exe to bypass security settings.
Corelight’s file extraction capabilities and integration with various intel platforms provide insight to malware obfuscated by file type. By utilizing Corelight’s built-in filtering, you can tune the file extraction parameters to target specific mime-types that are commonly used for malware delivery, including:
- Compressed files
- Microsoft Office (Word, PowerPoint, etc)
- PDF files
- TXT files (PowerShell, VBS)
| Name | URL |
|---|---|
| LNK File Download or Usage over HTTP | https://tdm.socprime.com/tdm/info/tggPAHEDXNm6 |
| LNK File Download or Usage over SMB (Overview Query) | https://tdm.socprime.com/tdm/info/wIed0z8aOxuN |