
Update PowerShell ATT&CK technique (T1086) if a ps1 script is run as part of any PBA #1513

@shreyamalviya

Describe the bug

Technique T1086 ("PowerShell") states that adversaries can use PowerShell to run commands and scripts for information discovery and malicious code execution.
PBAs "Timestomping" and "Modify shell startup files" run ps1 scripts but don't map to T1086.
For a user going through the logs, they can see that ps1 scripts were run but can't see those events in the ATT&CK report under T1086.

To Reproduce

Steps to reproduce the behavior:

  1. Configure the Monkey to only run the PBA "Timestomping". Don't touch the ATT&CK config.
  2. Run the Monkey on a Windows machine.
  3. Click on the "PowerShell" technique in the ATT&CK report and see no results.
  4. Go to the logs and see that a ps1 script was run.

Expected behavior

T1086 should show that a ps1 script was run, in such a scenario.
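As an added illustration of the reporting gap described in this issue (example code, not Infection Monkey's own implementation): a small Python routine that post-processes PBA telemetry and tags every record whose command launched PowerShell or a .ps1 file with T1086, so that the ATT&CK report lists those PBAs under "PowerShell" in addition to their own techniques. The PBA names come from the issue; the telemetry records, hostnames, commands and the PBAs' own technique ids (T1099 for Timestomping, T1156 for shell startup files, pre-sub-technique ATT&CK numbering) are constructed assumptions for this example.

```python
"""Tag PBA telemetry with ATT&CK T1086 whenever a PowerShell script was run.

Constructed example; the record format and technique ids are assumptions,
not Infection Monkey's internal data model.
"""
import re

# "PowerShell" technique id as used in the issue (pre-sub-technique ATT&CK numbering).
POWERSHELL_TECHNIQUE = "T1086"

# Matches a powershell/pwsh executable at the start of the command or after a
# path separator, space or quote, or any argument ending in .ps1 (case-insensitive).
PS_PATTERN = re.compile(
    r"""(?:^|[\\/\s"'])(?:powershell|pwsh)(?:\.exe)?\b|\.ps1\b""",
    re.IGNORECASE,
)

# Constructed telemetry: one record per PBA execution. "techniques" holds the
# ids the PBA already reports; T1099/T1156 are assumed, not taken from the issue.
SAMPLE_TELEMETRY = [
    {
        "pba": "Timestomping",
        "host": "win-1",
        "command": r"powershell.exe -File C:\Temp\timestomp.ps1",
        "techniques": ["T1099"],
    },
    {
        "pba": "Modify shell startup files",
        "host": "win-1",
        "command": r"powershell -NoProfile -File C:\Temp\modify_startup.ps1",
        "techniques": ["T1156"],
    },
    {
        # Linux variant of the same PBA: a shell script, so no T1086 tag expected.
        "pba": "Modify shell startup files",
        "host": "linux-1",
        "command": "sh /tmp/modify_startup.sh",
        "techniques": ["T1156"],
    },
]


def runs_powershell(command: str) -> bool:
    """Return True if the command line invokes PowerShell or a .ps1 script."""
    return bool(PS_PATTERN.search(command))


def attach_powershell_technique(records):
    """Return copies of the records, adding T1086 where PowerShell was used."""
    tagged = []
    for rec in records:
        techniques = list(rec["techniques"])
        if runs_powershell(rec["command"]) and POWERSHELL_TECHNIQUE not in techniques:
            techniques.append(POWERSHELL_TECHNIQUE)
        tagged.append({**rec, "techniques": techniques})
    return tagged


def attack_report(records):
    """Group executions by technique id: {technique: [(pba, host), ...]}."""
    report = {}
    for rec in attach_powershell_technique(records):
        for technique in rec["techniques"]:
            report.setdefault(technique, []).append((rec["pba"], rec["host"]))
    return report


if __name__ == "__main__":
    for technique, executions in sorted(attack_report(SAMPLE_TELEMETRY).items()):
        print(technique, executions)
```

With this post-processing step, a user who sees a ps1 script in the logs also finds the same execution under T1086 in the report, while the Linux run of the same PBA stays out of it.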
