Spearphishing Attachment and PowerShell

بواسطة: Cybrary

Overview

PowerShell enables system administrators to perform a seemingly endless array of tasks on the machines in their environment, whether locally or remotely. PowerShell is also present on all modern Windows operating systems by default, making it a convenient attack vector if not properly secured.

Get the hands-on skills you need to detect and mitigate this attack in Cybrary's MITRE ATT&CK Framework courses aligned to the tactics and techniques used by financially motivated threat group FIN7. Prevent adversaries from accomplishing the tactic of Execution into your environment today.

Syllabus

Spearphishing Attachment and PowerShell

What is Spearphishing Attachment?
What is PowerShell?
Detection, Validation, and Mitigation (Lab)

Taught by

Owen Dubiel and Matthew Mullins

Computer Science / PowerShell

الذهاب الي الدورة

Spearphishing Attachment and PowerShell

بواسطة: Cybrary

Cybrary
مدفوعة
الإنجليزية
متاح شهادة
متاح في أي وقت
intermediate
N/A

Messages Timeline Exceptions Views14 Route Queries6 Models5 Gate Session Request

8.1.2178ms2MBGET ar/الدورات/{slug}

Booting (104ms)
Application (73.18ms)
1 x Booting (58.56%)
104.00ms
1 x Application (41.2%)
73.18ms

14 templates were rendered

public.courses.show (resources/views/public/courses/show.blade.php)3bladefile
Params
0
course
1
links
2
config
public.courses.partials.breadcrumbs (resources/views/public/courses/partials/breadcrumbs.blade.php)6bladefile
Params
0
__env
1
app
2
errors
3
course
4
links
5
config
public.courses.partials.heading (resources/views/public/courses/partials/heading.blade.php)7bladefile
Params
0
__env
1
app
2
errors
3
course
4
links
5
config
6
classes
public.courses.partials.details (resources/views/public/courses/partials/details.blade.php)6bladefile
Params
0
__env
1
app
2
errors
3
course
4
links
5
config
public.courses.partials.breadcrumbs (resources/views/public/courses/partials/breadcrumbs.blade.php)6bladefile
Params
0
__env
1
app
2
errors
3
course
4
links
5
config
public.courses.partials.heading (resources/views/public/courses/partials/heading.blade.php)7bladefile
Params
0
__env
1
app
2
errors
3
course
4
links
5
config
6
classes
public.layouts.main (resources/views/public/layouts/main.blade.php)6bladefile
Params
0
__env
1
app
2
errors
3
course
4
links
5
config
public.layouts.partials.meta (resources/views/public/layouts/partials/meta.blade.php)6bladefile
Params
0
__env
1
app
2
errors
3
course
4
links
5
config
public.layouts.partials.navbar (resources/views/public/layouts/partials/navbar.blade.php)6bladefile
Params
0
__env
1
app
2
errors
3
course
4
links
5
config
public.auth.profile.partials.links (resources/views/public/auth/profile/partials/links.blade.php)6bladefile
Params
0
__env
1
app
2
errors
3
course
4
links
5
config
public.auth.profile.partials.link (resources/views/public/auth/profile/partials/link.blade.php)8bladefile
Params
0
__env
1
app
2
errors
3
course
4
links
5
config
6
route
7
title
public.auth.profile.partials.link (resources/views/public/auth/profile/partials/link.blade.php)8bladefile
Params
0
__env
1
app
2
errors
3
course
4
links
5
config
6
route
7
title
public.auth.profile.partials.link (resources/views/public/auth/profile/partials/link.blade.php)8bladefile
Params
0
__env
1
app
2
errors
3
course
4
links
5
config
6
route
7
title
public.layouts.partials.flash-session (resources/views/public/layouts/partials/flash-session.blade.php)6bladefile
Params
0
__env
1
app
2
errors
3
course
4
links
5
config

Params
0	`course`
1	`links`
2	`config`

Params
0	`__env`
1	`app`
2	`errors`
3	`course`
4	`links`
5	`config`

Params
0	`__env`
1	`app`
2	`errors`
3	`course`
4	`links`
5	`config`
6	`classes`

Params
0	`__env`
1	`app`
2	`errors`
3	`course`
4	`links`
5	`config`

Params
0	`__env`
1	`app`
2	`errors`
3	`course`
4	`links`
5	`config`

Params
0	`__env`
1	`app`
2	`errors`
3	`course`
4	`links`
5	`config`
6	`classes`

Params
0	`__env`
1	`app`
2	`errors`
3	`course`
4	`links`
5	`config`

Params
0	`__env`
1	`app`
2	`errors`
3	`course`
4	`links`
5	`config`

Params
0	`__env`
1	`app`
2	`errors`
3	`course`
4	`links`
5	`config`

Params
0	`__env`
1	`app`
2	`errors`
3	`course`
4	`links`
5	`config`

Params
0	`__env`
1	`app`
2	`errors`
3	`course`
4	`links`
5	`config`
6	`route`
7	`title`

Params
0	`__env`
1	`app`
2	`errors`
3	`course`
4	`links`
5	`config`
6	`route`
7	`title`

Params
0	`__env`
1	`app`
2	`errors`
3	`course`
4	`links`
5	`config`
6	`route`
7	`title`

Params
0	`__env`
1	`app`
2	`errors`
3	`course`
4	`links`
5	`config`

uri: GET ar/الدورات/{slug}
middleware: web, localize:ar
controller: App\Http\Controllers\CourseController@show
as: ar.courses.show
namespace
prefix: /ar
where
file: app/Http/Controllers/CourseController.php:17-35

6 statements were executed7.6ms

select * from `courses` where `slug_ar` = 'spearphishing-attachment-and-powershell' limit 1

5.84ms/app/Http/Controllers/CourseController.php:20corspedia

Metadata
Bindings	0. spearphishing-attachment-and-powershell
Backtrace	17. /app/Http/Controllers/CourseController.php:20 18. /vendor/laravel/framework/src/Illuminate/Routing/Controller.php:54 19. /vendor/laravel/framework/src/Illuminate/Routing/ControllerDispatcher.php:43 20. /vendor/laravel/framework/src/Illuminate/Routing/Route.php:260 21. /vendor/laravel/framework/src/Illuminate/Routing/Route.php:205

update `courses` set `visitors` = `visitors` + 1, `courses`.`updated_at` = '2025-04-10 09:42:10' where `id` = 2159

950μs/app/Http/Controllers/CourseController.php:21corspedia

Metadata
Bindings	0. 2025-04-10 09:42:10 1. 2159
Backtrace	17. /app/Http/Controllers/CourseController.php:21 18. /vendor/laravel/framework/src/Illuminate/Routing/Controller.php:54 19. /vendor/laravel/framework/src/Illuminate/Routing/ControllerDispatcher.php:43 20. /vendor/laravel/framework/src/Illuminate/Routing/Route.php:260 21. /vendor/laravel/framework/src/Illuminate/Routing/Route.php:205

select `id`, `name_en`, `name_ar`, `topic_id`, `slug_en`, `slug_ar` from `subjects` where `subjects`.`id` in (87)

170μs/app/Http/Controllers/CourseController.php:23corspedia

Metadata
Backtrace	20. /app/Http/Controllers/CourseController.php:23 21. /vendor/laravel/framework/src/Illuminate/Routing/Controller.php:54 22. /vendor/laravel/framework/src/Illuminate/Routing/ControllerDispatcher.php:43 23. /vendor/laravel/framework/src/Illuminate/Routing/Route.php:260 24. /vendor/laravel/framework/src/Illuminate/Routing/Route.php:205

select `id`, `name_en`, `name_ar`, `slug_en`, `slug_ar` from `topics` where `topics`.`id` in (1)

140μs/app/Http/Controllers/CourseController.php:23corspedia

Metadata
Backtrace	25. /app/Http/Controllers/CourseController.php:23 26. /vendor/laravel/framework/src/Illuminate/Routing/Controller.php:54 27. /vendor/laravel/framework/src/Illuminate/Routing/ControllerDispatcher.php:43 28. /vendor/laravel/framework/src/Illuminate/Routing/Route.php:260 29. /vendor/laravel/framework/src/Illuminate/Routing/Route.php:205

select * from `providers` where `providers`.`id` in (43) and `providers`.`deleted_at` is null

190μs/app/Http/Controllers/CourseController.php:23corspedia

Metadata
Backtrace	20. /app/Http/Controllers/CourseController.php:23 21. /vendor/laravel/framework/src/Illuminate/Routing/Controller.php:54 22. /vendor/laravel/framework/src/Illuminate/Routing/ControllerDispatcher.php:43 23. /vendor/laravel/framework/src/Illuminate/Routing/Route.php:260 24. /vendor/laravel/framework/src/Illuminate/Routing/Route.php:205

select * from `html_files` where `html_files`.`id` = 2150 limit 1

310μs/app/Models/Course.php:84corspedia

Metadata
Bindings	0. 2150
Backtrace	21. /app/Models/Course.php:84 28. view::public.courses.show:29 30. /vendor/laravel/framework/src/Illuminate/Filesystem/Filesystem.php:125 31. /vendor/laravel/framework/src/Illuminate/View/Engines/PhpEngine.php:58 32. /vendor/laravel/framework/src/Illuminate/View/Engines/CompilerEngine.php:72

App\Models\HtmlFile: 1
App\Models\Provider: 1
App\Models\Topic: 1
App\Models\Subject: 1
App\Models\Course: 1

_token: haJOGtWMsgloZSrHkh3MiHhwtZJee0bJ1Md26DlK
locale: ar
_previous: array:1 [ "url" => "https://www.corspedia.com/ar/%D8%A7%D9%84%D8%AF%D9%88%D8%B1%D8%A7%D8%AA/spearp...
_flash: array:2 [ "old" => [] "new" => [] ]
PHPDEBUGBAR_STACK_DATA: []

path_info

/ar/%D8%A7%D9%84%D8%AF%D9%88%D8%B1%D8%A7%D8%AA/spearphishing-attachment-and-powershell

status_code

status_text

format

html

content_type

text/html; charset=UTF-8

request_query

[]

request_request

[]

request_headers

  0 of 0   
array:24 [▼
  "sec-ch-ua-mobile" => array:1 [▶
    0 => "?0"
  ]
  "sec-ch-ua" => array:1 [▶
    0 => ""HeadlessChrome";v="129", "Not=A?Brand";v="8", "Chromium";v="129""
  ]
  "cache-control" => array:1 [▶
    0 => "no-cache"
  ]
  "pragma" => array:1 [▶
    0 => "no-cache"
  ]
  "upgrade-insecure-requests" => array:1 [▶
    0 => "1"
  ]
  "priority" => array:1 [▶
    0 => "u=0, i"
  ]
  "user-agent" => array:1 [▶
    0 => "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; ClaudeBot/1.0; +claudebot@anthropic.com)"
  ]
  "cf-ipcountry" => array:1 [▶
    0 => "US"
  ]
  "cf-connecting-ip" => array:1 [▶
    0 => "52.15.176.138"
  ]
  "accept" => array:1 [▶
    0 => "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"
  ]
  "sec-fetch-site" => array:1 [▶
    0 => "none"
  ]
  "cf-visitor" => array:1 [▶
    0 => "{"scheme":"https"}"
  ]
  "sec-fetch-mode" => array:1 [▶
    0 => "navigate"
  ]
  "sec-fetch-user" => array:1 [▶
    0 => "?1"
  ]
  "x-forwarded-proto" => array:1 [▶
    0 => "https"
  ]
  "cdn-loop" => array:1 [▶
    0 => "cloudflare; loops=1"
  ]
  "accept-encoding" => array:1 [▶
    0 => "gzip, br"
  ]
  "sec-fetch-dest" => array:1 [▶
    0 => "document"
  ]
  "sec-ch-ua-platform" => array:1 [▶
    0 => ""Windows""
  ]
  "x-forwarded-for" => array:1 [▶
    0 => "52.15.176.138"
  ]
  "cf-ray" => array:1 [▶
    0 => "92e14aec780968f6-IAD"
  ]
  "host" => array:1 [▶
    0 => "www.corspedia.com"
  ]
  "content-length" => array:1 [▶
    0 => ""
  ]
  "content-type" => array:1 [▶
    0 => ""
  ]
]

request_server

  0 of 0   
array:50 [▼
  "USER" => "www-data"
  "HOME" => "/var/www"
  "HTTP_SEC_CH_UA_MOBILE" => "?0"
  "HTTP_SEC_CH_UA" => ""HeadlessChrome";v="129", "Not=A?Brand";v="8", "Chromium";v="129""
  "HTTP_CACHE_CONTROL" => "no-cache"
  "HTTP_PRAGMA" => "no-cache"
  "HTTP_UPGRADE_INSECURE_REQUESTS" => "1"
  "HTTP_PRIORITY" => "u=0, i"
  "HTTP_USER_AGENT" => "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; ClaudeBot/1.0; +claudebot@anthropic.com)"
  "HTTP_CF_IPCOUNTRY" => "US"
  "HTTP_CF_CONNECTING_IP" => "52.15.176.138"
  "HTTP_ACCEPT" => "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"
  "HTTP_SEC_FETCH_SITE" => "none"
  "HTTP_CF_VISITOR" => "{"scheme":"https"}"
  "HTTP_SEC_FETCH_MODE" => "navigate"
  "HTTP_SEC_FETCH_USER" => "?1"
  "HTTP_X_FORWARDED_PROTO" => "https"
  "HTTP_CDN_LOOP" => "cloudflare; loops=1"
  "HTTP_ACCEPT_ENCODING" => "gzip, br"
  "HTTP_SEC_FETCH_DEST" => "document"
  "HTTP_SEC_CH_UA_PLATFORM" => ""Windows""
  "HTTP_X_FORWARDED_FOR" => "52.15.176.138"
  "HTTP_CF_RAY" => "92e14aec780968f6-IAD"
  "HTTP_HOST" => "www.corspedia.com"
  "REDIRECT_STATUS" => "200"
  "SERVER_NAME" => "corspedia.com"
  "SERVER_PORT" => "443"
  "SERVER_ADDR" => "141.95.147.152"
  "REMOTE_USER" => ""
  "REMOTE_PORT" => "43726"
  "REMOTE_ADDR" => "172.71.190.192"
  "SERVER_SOFTWARE" => "nginx/1.18.0"
  "GATEWAY_INTERFACE" => "CGI/1.1"
  "HTTPS" => "on"
  "REQUEST_SCHEME" => "https"
  "SERVER_PROTOCOL" => "HTTP/2.0"
  "DOCUMENT_ROOT" => "/var/www/corspedia/public"
  "DOCUMENT_URI" => "/index.php"
  "REQUEST_URI" => "/ar/%D8%A7%D9%84%D8%AF%D9%88%D8%B1%D8%A7%D8%AA/spearphishing-attachment-and-powershell"
  "SCRIPT_NAME" => "/index.php"
  "CONTENT_LENGTH" => ""
  "CONTENT_TYPE" => ""
  "REQUEST_METHOD" => "GET"
  "QUERY_STRING" => ""
  "SCRIPT_FILENAME" => "/var/www/corspedia/public/index.php"
  "PATH_INFO" => ""
  "FCGI_ROLE" => "RESPONDER"
  "PHP_SELF" => "/index.php"
  "REQUEST_TIME_FLOAT" => 1744278130.847
  "REQUEST_TIME" => 1744278130
]

request_cookies

[]

response_headers

  0 of 0   
array:5 [▼
  "content-type" => array:1 [▶
    0 => "text/html; charset=UTF-8"
  ]
  "cache-control" => array:1 [▶
    0 => "no-cache, private"
  ]
  "date" => array:1 [▶
    0 => "Thu, 10 Apr 2025 09:42:10 GMT"
  ]
  "set-cookie" => array:2 [▶
    0 => "XSRF-TOKEN=eyJpdiI6Ik9HVFd5YStLUW13NEhDa3AwdC9Ycmc9PSIsInZhbHVlIjoiYWVYOUkvd3JGU2VYWmxLYmRhdUdiRjU0M3YxVFY0MndCRGFCNG1vN1JrSjBZd1hxQkZWZ2txN1VYT3hmVDZkbjZjbzhSTktVM0R2VjgwUzlNRDZlaHplRjdEdVpPU3o3c0Z1Um9INGo1MTV4Qld1UGhUbE5FQnd3bG5XM2xkM0IiLCJtYWMiOiIzNzM5ZTk5OGRmNjBmYTk2NmYzNTlkYjcxMzRmZGJiYmY3Zjk1NTRjNjI5Yzc2YzY1YjJiOWU5YWNhODg0MGM3IiwidGFnIjoiIn0%3D; expires=Thu, 10 Apr 2025 11:42:11 GMT; Max-Age=7200; path=/; samesite=lax ◀XSRF-TOKEN=eyJpdiI6Ik9HVFd5YStLUW13NEhDa3AwdC9Ycmc9PSIsInZhbHVlIjoiYWVYOUkvd3JGU2VYWmxLYmRhdUdiRjU0M3YxVFY0MndCRGFCNG1vN1JrSjBZd1hxQkZWZ2txN1VYT3hmVDZkbjZjbzhST ▶"
    1 => "laravel_session=eyJpdiI6IkJTT2Q1VnJDME1GZU5BOC83RE80N2c9PSIsInZhbHVlIjoiNnZOeG1Rd0c1T1FyK0V4ZXdDbk5Ib1N4VGFCVWluSGNQbHlJbVFPZWV4Q3dwN1dkSFhoVGZwNzhNeWdDU1dMTWpJVFp1ZXl4dUFrZjRHQWVSbUFxVGlJTWtDQ2cwbHVBdURqdHJhOWZzanVHU210VjdHRTVGRUVHZTFjMHV1TlYiLCJtYWMiOiIyNGZjYzYwODNjNWE1YzliMTI0YTY4OGE4YjNhNzllMDQ5NDAyNDYyNmY4NjVlYzVlZTcyMzI3ZTljYjU5ZDkwIiwidGFnIjoiIn0%3D; expires=Thu, 10 Apr 2025 11:42:11 GMT; Max-Age=7200; path=/; httponly; samesite=lax ◀laravel_session=eyJpdiI6IkJTT2Q1VnJDME1GZU5BOC83RE80N2c9PSIsInZhbHVlIjoiNnZOeG1Rd0c1T1FyK0V4ZXdDbk5Ib1N4VGFCVWluSGNQbHlJbVFPZWV4Q3dwN1dkSFhoVGZwNzhNeWdDU1dMTWpJ ▶"
  ]
  "Set-Cookie" => array:2 [▶
    0 => "XSRF-TOKEN=eyJpdiI6Ik9HVFd5YStLUW13NEhDa3AwdC9Ycmc9PSIsInZhbHVlIjoiYWVYOUkvd3JGU2VYWmxLYmRhdUdiRjU0M3YxVFY0MndCRGFCNG1vN1JrSjBZd1hxQkZWZ2txN1VYT3hmVDZkbjZjbzhSTktVM0R2VjgwUzlNRDZlaHplRjdEdVpPU3o3c0Z1Um9INGo1MTV4Qld1UGhUbE5FQnd3bG5XM2xkM0IiLCJtYWMiOiIzNzM5ZTk5OGRmNjBmYTk2NmYzNTlkYjcxMzRmZGJiYmY3Zjk1NTRjNjI5Yzc2YzY1YjJiOWU5YWNhODg0MGM3IiwidGFnIjoiIn0%3D; expires=Thu, 10-Apr-2025 11:42:11 GMT; path=/ ◀XSRF-TOKEN=eyJpdiI6Ik9HVFd5YStLUW13NEhDa3AwdC9Ycmc9PSIsInZhbHVlIjoiYWVYOUkvd3JGU2VYWmxLYmRhdUdiRjU0M3YxVFY0MndCRGFCNG1vN1JrSjBZd1hxQkZWZ2txN1VYT3hmVDZkbjZjbzhST ▶"
    1 => "laravel_session=eyJpdiI6IkJTT2Q1VnJDME1GZU5BOC83RE80N2c9PSIsInZhbHVlIjoiNnZOeG1Rd0c1T1FyK0V4ZXdDbk5Ib1N4VGFCVWluSGNQbHlJbVFPZWV4Q3dwN1dkSFhoVGZwNzhNeWdDU1dMTWpJVFp1ZXl4dUFrZjRHQWVSbUFxVGlJTWtDQ2cwbHVBdURqdHJhOWZzanVHU210VjdHRTVGRUVHZTFjMHV1TlYiLCJtYWMiOiIyNGZjYzYwODNjNWE1YzliMTI0YTY4OGE4YjNhNzllMDQ5NDAyNDYyNmY4NjVlYzVlZTcyMzI3ZTljYjU5ZDkwIiwidGFnIjoiIn0%3D; expires=Thu, 10-Apr-2025 11:42:11 GMT; path=/; httponly ◀laravel_session=eyJpdiI6IkJTT2Q1VnJDME1GZU5BOC83RE80N2c9PSIsInZhbHVlIjoiNnZOeG1Rd0c1T1FyK0V4ZXdDbk5Ib1N4VGFCVWluSGNQbHlJbVFPZWV4Q3dwN1dkSFhoVGZwNzhNeWdDU1dMTWpJ ▶"
  ]
]

session_attributes

  0 of 0   
array:5 [▼
  "_token" => "haJOGtWMsgloZSrHkh3MiHhwtZJee0bJ1Md26DlK"
  "locale" => "ar"
  "_previous" => array:1 [▶
    "url" => "https://www.corspedia.com/ar/%D8%A7%D9%84%D8%AF%D9%88%D8%B1%D8%A7%D8%AA/spearphishing-attachment-and-powershell"
  ]
  "_flash" => array:2 [▶
    "old" => []
    "new" => []
  ]
  "PHPDEBUGBAR_STACK_DATA" => []
]

1 x Booting (58.56%)	104.00ms
1 x Application (41.2%)	73.18ms