Execution¶
T1059.001 - Command and Scripting Interpreter: PowerShell¶
Variations¶
| Variation | Description |
| 1 | This module uses the Win32 API CreateProcess to execute the specified
commandlet:
powershell.exe -command {commandlet}
|
| 2 | This module uses the the System.Management.Automation .NET namespace
to execute the specified commandlet.
|
Parameters¶
| Parameter | Description |
| commandlet | The PowerShell commandlet to be executed in the simulation. |
T1059.003 Command and Scripting Interpreter: Windows Command Shell¶
Variations¶
| Variation | Description |
| 1 | This module uses the Win32 API CreateProcess to execute the specified
command:
cmd.exe /c command
|
Parameters¶
| Parameter | Description |
| command | The command shell to be executed in the simulation. |
T1059.005 Command and Scripting Interpreter: Visual Basic¶
Variations¶
| Variation | Description |
| 1 | This module uses the Win32 API CreateProcess to execute the specified
VB script:
wscript.exe file_path
|
Parameters¶
| Parameter | Description |
| file_path | The local file path of the VB script. |
T1059.007 Command and Scripting Interpreter: JavaScript/JScript¶
Variations¶
| Variation | Description |
| 1 | This module uses the Win32 API CreateProcess to execute the specified
JS script:
wscript.exe file_path
|
Parameters¶
| Parameter | Description |
| file_path | The local file path of the JS script. |
T1053.005 Scheduled Task/Job: Scheduled Task¶
Variations¶
| Variation | Description |
| 1 | This module uses the Win32 API CreateProcess to create a scheduled
task:
SCHTASKS /CREATE /SC DAILY /TN taskName /TR taskPath /ST 13:00
|
Parameters¶
| Parameter | Description |
| taskName | The name of the task to be created. |
| taskPath | The path of the binary to be executed by the scheduled task. |
| cleanup | Bool parameter to delete the scheduled task after created. |