Execution

T1059.001 Command and Scripting Interpreter: PowerShell

Variation 1

This module uses the Win32 API CreateProcess to execute a specific command:
powershell -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMgAwAA==

Variation 2

This module uses the System.Management.Automation .NET namespace to execute the same script.

T1059.003 Command and Scripting Interpreter: Windows Command Shell

This module uses the Win32 API CreateProcess to execute a specific command:
cmd.exe /C whoami

T1059.005 Command and Scripting Interpreter: Visual Basic

This module uses the Win32 API CreateProcess to execute a specific command:
wscript.exe invoice0420.vbs

T1059.007 Command and Scripting Interpreter: JavaScript/JScript

This module uses the Win32 API CreateProcess to execute a specific command:
wscript.exe invoice0420.js

T1053.005 Scheduled Task/Job: Scheduled Task

This module uses the Win32 API CreateProcess to execute a specific command:
SCHTASKS /CREATE /SC DAILY /TN BadScheduledTask /TR "C:\Windows\Temp\xyz12345.exe" /ST 13:00

T1569.002 System Services: Service Execution

This module uses the Win32 API CreateProcess to execute a specific command:
net start UpdaterService
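
Detection-side example, added here and not part of the tool this page describes: it maps process-creation command lines like the ones these modules spawn back to their technique IDs and decodes the PowerShell -enc payload (base64 of UTF-16LE text). The rule table, function names and sample lines are assumptions constructed for illustration.

```python
import base64
import re

# (technique ID, image names, argument regex). cscript and net1 are assumed siblings.
RULES = [
    ("T1059.001", {"powershell"}, r""),
    ("T1059.003", {"cmd"}, r"^/c\s"),
    ("T1059.005", {"wscript", "cscript"}, r"\.vbs\b"),
    ("T1059.007", {"wscript", "cscript"}, r"\.js\b"),
    ("T1053.005", {"schtasks"}, r"/create\b"),
    ("T1569.002", {"net", "net1"}, r"^start\s"),
]
ENC_FLAG = re.compile(r"\s[-/](e\w*)\s+([A-Za-z0-9+/=]+)", re.I)

def split_image(cmdline):
    """Return (lower-case image name without path or .exe, argument string)."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))\s*(.*)', cmdline)
    if not m:
        return "", ""
    image = (m.group(1) or m.group(2)).rsplit("\\", 1)[-1].lower()
    return re.sub(r"\.exe$", "", image), m.group(3)

def decode_encoded_command(cmdline):
    """Decode the payload of -EncodedCommand, -ec, or any prefix such as -e / -enc."""
    for m in ENC_FLAG.finditer(cmdline):
        flag = m.group(1).lower()
        if flag == "ec" or "encodedcommand".startswith(flag):
            try:
                return base64.b64decode(m.group(2)).decode("utf-16-le")
            except ValueError:  # malformed base64 or not UTF-16LE
                return None
    return None

def classify(cmdline):
    """Return (technique ID or None, decoded PowerShell script or None)."""
    image, args = split_image(cmdline)
    for technique, images, pattern in RULES:
        if image in images and re.search(pattern, args, re.I):
            decoded = decode_encoded_command(cmdline) if image == "powershell" else None
            return technique, decoded
    return None, None

# Constructed process-creation command lines (not captured telemetry)
SAMPLES = [
    "powershell -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMgAwAA==",
    '"C:\\Windows\\System32\\cmd.exe" /C whoami',
    "notepad.exe notes.txt",
]
for sample in SAMPLES:
    print(classify(sample), sample)
```

Variation 2 of the PowerShell module runs the script in-process through System.Management.Automation, so no powershell.exe command line exists for a rule like this to match.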