{"id":35472,"date":"2020-06-11T17:00:05","date_gmt":"2020-06-11T17:00:05","guid":{"rendered":"https:\/\/www.microsoft.com\/security\/blog\/?p=91260"},"modified":"2020-06-11T17:00:05","modified_gmt":"2020-06-11T17:00:05","slug":"blue-teams-helping-red-teams-a-tale-of-a-process-crash-powershell-and-the-mitre-attck-evaluation","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/blue-teams-helping-red-teams-a-tale-of-a-process-crash-powershell-and-the-mitre-attck-evaluation\/","title":{"rendered":"Blue teams helping red teams: A tale of a process crash, PowerShell, and the MITRE ATT&CK evaluation"},"content":{"rendered":"

In September 2019, MITRE<\/a> evaluated<\/a> Microsoft Threat Protection (MTP) and other endpoint security solutions. The ATT&CK evaluation lasted for three days, with a professional red team from MITRE emulating many advanced attack behaviors used by the nation-state threat group known as YTTRIUM (APT29). After releasing the results of the evaluation, MITRE published<\/a> the emulation methodology, including all of the attack scripts, tools, and code.<\/p>\n

During the evaluation, the Microsoft Threat Protection team noted an interesting behavior related to one of the steps in the APT29 attack chain: Step 19 was supposed to perform stealthy deletion of files using the SDELETE tool reflectively loaded in memory. However, we observed that the step repeatedly caused process crashes during the execution of red team operations.<\/p>\n

<\/p>\n

Crashes are unexpected surprises that could be a true gem for defenders for being a major indicator of an imminent attack, ruining the party for red teams and real attackers<\/a> alike. Inspired by the transparency of MITRE publishing all the payloads and tools used in the attack simulation, in this blog post, we\u2019ll describe the mystery that is Step 19, share our root cause analysis of the Step 19 attack script<\/a>, and tell a story about how blue teams, once in a while, share important learnings for red teams and their tools.<\/p>\n

Step 19 of the APT29 evaluation<\/h2>\n

The APT29 emulation involved 20 steps consisting of attacker techniques from the MITRE ATT&CK matrix<\/a> related to the APT29 group. These steps were executed in the course of two days (plus an extra day reserved as a buffer), 10 steps per day. Since these steps spanned the entire attack chain, each step logically flowed from the previous one.<\/p>\n

Step 19 was part of the attack chain executed on the second day. It emulated the attacker\u2019s goal of deleting artifacts from the machine at the end of the breach using the SDELETE tool, which was loaded via PowerShell through a reflective loader mechanism, without ever touching disk.<\/p>\n

<\/p>\n

Figure 1. Step 19 of the MITRE evaluation<\/em><\/p>\n

This was done by dropping and running a script file called wipe.ps1<\/em>, in a process that included:<\/p>\n

    \n
  1. Loading a PowerShell reflective loader<\/li>\n
  2. Reflectively loading sdelete.exe<\/em><\/a>, a Sysinternals<\/a> tool for secure file deletions<\/li>\n
  3. Running the reflected exe<\/em> with the desired files to be deleted<\/li>\n<\/ol>\n

    It\u2019s important to note that the wipe.ps1<\/em> payload was based on and inspired by the famous \u201cInvoke-ReflectivePEInjection<\/em><\/a>\u201d script from Joseph Bialek (@JosephBialek<\/a>) and Matt Graeber (@mattifestation<\/a>), which is also affected by the same issue that we discovered in our investigation and root cause analysis.<\/p>\n

    <\/p>\n

    Figure 2. Microsoft Threat Protection detection of the reflective loader with relevant cmdlets<\/em><\/p>\n

    <\/p>\n

    Figure 3. Entire script fetched using advanced hunting (truncated for brevity)<\/em><\/p>\n

    Microsoft Threat Protection automatically detected the execution of the reflective loader via PowerShell; however, during the execution of this attack, the telemetry provided by the product also captured the launch of WerFault.exe<\/em> process (the Windows Error Reporting process) forked from PowerShell.exe<\/em>, which was a sign of a crashing process.<\/p>\n

    Having noticed the repeated process crashing behavior, we decided to investigate further to understand what was happening in Step 19, and we observed the following:<\/p>\n\n\n\n\n\n\n\n
    Test<\/strong><\/td>\nResult<\/strong><\/td>\n<\/tr>\n
    Execution in MITRE test environment #1 (primary) with MTP<\/td>\nwipe.ps1<\/em> generated crash<\/td>\n<\/tr>\n
    Execution in MITRE test environment #2 (backup) with MTP<\/td>\nwipe.ps1<\/em> generated crash<\/td>\n<\/tr>\n
    Execution in MITRE private environment without MTP<\/td>\nwipe.ps1<\/em> executed with no crashes<\/td>\n<\/tr>\n
    Onboarding MTP to MITRE private environment<\/td>\nwipe.ps1<\/em> generated crash<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

    Indeed, it looked as if MTP was the cause of the wipe.ps1<\/em> script crashing. However, we validated that this shouldn\u2019t be the case. Therefore, we performed an extensive analysis independent of the MITRE test, with the hope of finding the root cause of this behavior and sharing with MITRE, red teams, and other researchers.<\/p>\n

    Deep dive into the crash<\/h2>\n

    Debugging the script wipe.ps1<\/em>, we noticed an unexpected crash in the GetCommandLineW<\/em> API, which was quite odd.<\/p>\n

    <\/p>\n

    Figure 4. Call stack analysis for crash<\/em><\/p>\n

    Since the crash happens at kernelbase!GetCommandLineW<\/em>, we examined its code before reflective loading:<\/p>\n

    <\/p>\n

    Figure 5. GetCommandLineW code before patching<\/em><\/p>\n

    Note that the code consists of:<\/p>\n

      \n
    1. An assignment to the RAX register (the return value register); the returned Unicode string is pointed by address 00007ffd200f9e68, as shown in the debugging session<\/li>\n
    2. The RET instruction, which causes the function to return from the function<\/li>\n
    3. Padding with the byte CC, which is encoded as INT 3; this is a debug-breakpoint and should never be executed due to the RET instruction<\/li>\n<\/ol>\n

      We then examined the code at the moment of the crash:<\/p>\n

      <\/p>\n

      Figure 6. GetCommandLineW code at the crash<\/em><\/p>\n

      Note that there\u2019s no RET instruction, so INT 3 (debug-breakpoint) was executed, causing the crash during the test (since no debugger is attached). Noting the byte encoding of the instructions and comparing them at a normal state and in the moment of the crash, we noticed a one-byte<\/strong> difference: the second byte changed from 8B to B8, causing a complete modification of the interpreted instruction! 8B is the opcode for a relative addressing move, while B8 is an immediate value move. The first byte 48 is a REX.W prefix, making the instruction refer to 64-bit operands.<\/p>\n

      Clearly, something strange was happening in the attack script wipe.ps1,<\/em> so we decided to perform an extensive, line-by-line analysis of the attack script internals.<\/p>\n

      Anatomy of the reflective loader<\/h2>\n

      As mentioned, the reflective loader used in the MITRE evaluation was inspired by Invoke-ReflectivePEInjection from PowerSploit<\/a>, so analysis was relatively easier, vis-\u00e0-vis reverse engineering a new reflective loader.<\/p>\n

      A reflective loader is a tool for loading executable code into a process address space without invoking the operating system API, allowing attackers to avoid security products\u2019 instrumentation of APIs such as LoadLibrary<\/em> WinAPI that loads a DLL. Since .exe files are compiled with relocation tables (due to address space layout randomization (ASLR) support), many reflective loaders support loading of .exe files as well as DLLs.<\/p>\n

      When reflectively loading an .exe file, special care must be taken, as processes tend to rely on certain memory structures to be uniquely reserved to them. This is especially true for structures like the Process Environment Block (PEB)<\/a>, which contains important information about the current running process without transitioning into kernel mode. The reflective loader used by MITRE indeed takes special care of certain APIs that obtain information from the PEB; it does so by inline hooking.<\/p>\n

      Specifically, the reflective loader hooks the function GetCommandLineW<\/em> that we saw earlier. Unless it does so, the reflected .exe code (sdelete.exe<\/em> in this case) would fetch the original command line (the one for PowerShell.exe<\/em> in this case) instead of the intended command line. Here\u2019s a step-by-step analysis of the hooking:<\/p>\n

        \n
      1. In the Update-ExeFunctions<\/em> PowerShell function, the code fetches GetCommandLineW<\/em> (and GetCommandLineA<\/em>) by calling GetProcAddress<\/em><\/a> on kernelbase.dll<\/em>.<\/li>\n<\/ol>\n

        <\/p>\n

          \n
        1. The reflective loader then prepares a shellcode composed of the following parts:\n
            \n
          1. Possible REX.W prefix (byte 48) in case of a 64-bit process<\/li>\n
          2. The MOV immediate instruction opcode (byte B8)<\/li>\n
          3. An immediate value, which is an allocated address for the new command line buffer<\/li>\n
          4. The RET instruction (byte C3)<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n

            <\/p>\n

              \n
            1. The reflective loader hooks the GetCommandLineW<\/em> function by doing the following:\n
                \n
              1. Change the page permissions to RWX with the VirtualProtect<\/em> API<\/a><\/li>\n
              2. Call Write-BytesToMemory<\/em> to copy the REX.W prefix and the MOV opcode to their place<\/li>\n
              3. Call StructureToPtr<\/em><\/a> to encode the new address after the MOV instructionl; this also takes care of endianness<\/li>\n
              4. Call Write-BytesToMemory<\/em> again, this time to copy the RET instruction<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n

                <\/p>\n

                When performed correctly and fully, this should work well. However, our debugging showed only one-byte change (from 8B to B8) and no RET instruction. This meant that either StructureToPtr<\/em><\/a> had some bug, or that patching was done partially<\/strong>. Assuming the latter, we concluded that the crash happens during the patching itself, after placing the MOV instruction but before encoding the new address, i.e. right after invoking Write-BytesToMemory<\/em>.<\/p>\n

                Partial patching and unexpected callbacks<\/h2>\n

                Debugging further, we discovered that the crash indeed happens after the first Write-BytesToMemory<\/em> cmdlet. The call stack analysis showed that the call originates from PowerShell itself (or more precisely, from the CLR which is invoked by PowerShell), which is odd. This means that some code in PowerShell somehow tries to fetch the current process command line immediately after the cmdlet is executed.<\/p>\n

                We discovered that the code responsible for fetching the command line is the code that generates Event Tracing for Windows (ETW) for cmdlets. The Microsoft-Windows-PowerShell event provider exposes event IDs that log cmdlets, such as event 7937. Here\u2019s an example of such an event:<\/p>\n

                <\/p>\n

                Figure 7. Cmdlet tracing with ETW<\/em><\/p>\n

                Note the captured information, such as the cmdlet name, cmdlet type, and the process command line<\/strong>. The ETW writer for cmdlets is invoked after the cmdlet has finished running and has logged all the information. The command line itself is fetched by the ETW writer by invoking GetCommandLineW<\/em>.<\/p>\n

                This means that an the ETW writer invoked for the first Write-BytesToMemory<\/em> would invoke GetCommandLineW<\/em>, but since only the first two bytes were patched, then GetCommandLineW<\/em> is \u201chalf-patched\u201d, eventually executing INT 3 and causing a crash.<\/p>\n

                While this explains the crash, it doesn\u2019t explain why there was no crash when Microsoft Threat Protection was not present. The solution for this is simple: if there are no ETW listeners to the event, the ETW writer is never invoked, and therefore never tries to fetch the command line. Indeed, Microsoft Threat Protection listens to many ETW providers, including the Microsoft-Windows-PowerShell ETW.<\/p>\n

                To summarize, here is a flow diagram showing how this scenario runs:<\/p>\n

                <\/p>\n

                Figure 8. Flow chart for the first Write-BytesToMemory cmdlet run<\/em><\/p>\n

                This conclusively proves that if any ETW listener registers to this ETW event (and not just Microsoft Threat Protection), the PowerSploit reflective loader implementation will crash. We reproduced this behavior without Microsoft Threat Protection and reported it to the MITRE red team to decide the course of action with Step 19.<\/p>\n

                What red teams can learn from this incident<\/h2>\n

                PowerSploit is a known and widely used infrastructure for red teams. It\u2019s used extensively and its codebase<\/a> is regularly checked and updated. Even such a well-established project may contain unexpected bugs, some of which could only occur under special conditions such as specific environment changes like the one we described here.<\/p>\n

                Data we gathered using the advanced hunting<\/a> capability in MTP further establishes this strong correlation: in real-world environments, 66% of the Invoke-ReflectivePEInjection<\/em> invocations end up crashing their hosting PowerShell instance. This is a statistically significant proof of this bug in PowerSploit.<\/p>\n

                <\/p>\n

                Figure 9. Advanced hunting query for correlating PowerShell crashes and Cmdlet invocation<\/em><\/p>\n

                The TL;DR advice for red teams is this: if you use \u201cInvoke-ReflectivePEInjection\u201d script during your regular penetration testing, be aware of an unexpected surprise in certain circumstances that may lead to immediate detection.<\/p>\n

                We thank MITRE for leading a transparent and collaborative evaluation process that encourages partnership and threat intelligence sharing. To learn how Microsoft Threat Protection did in the evaluation, read: Microsoft Threat Protection leads in real-world detection in MITRE ATT&CK evaluation<\/a>.<\/p>\n

                Jonathan Bar Or<\/em><\/strong><\/p>\n

                Microsoft Threat Protection Research Team<\/em><\/p>\n

                \n

                Talk to us<\/h3>\n

                Questions, concerns, or insights on this story? Join discussions at the Microsoft Threat Protection<\/a> and Microsoft Defender ATP<\/a> tech communities.<\/p>\n

                Read all Microsoft security intelligence blog posts<\/a>.<\/p>\n

                Follow us on Twitter @MsftSecIntel<\/strong><\/a>.<\/p>\n

                READ MORE HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

                Inspired by MITRE’s transparency in publishing the payloads and tools used in the attack simulation, we\u2019ll describe the mystery that is Step 19 and tell a story about how blue teams, once in a while, can share important learnings for red teams.
                \nThe post Blue teams helping red teams: A tale of a process crash, PowerShell, and the MITRE ATT&CK evaluation appeared first on Microsoft Security. READ MORE HERE…<\/p>\n","protected":false},"author":2,"featured_media":35473,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[276],"tags":[347,7221,4952,4941,2027,8704],"class_list":["post-35472","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-microsoft-secure","tag-cybersecurity","tag-microsoft-security-intelligence","tag-microsoft-threat-protection","tag-mitre","tag-powershell","tag-step-19"],"yoast_head":"\nBlue teams helping red teams: A tale of a process crash, PowerShell, and the MITRE ATT&CK evaluation 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/blue-teams-helping-red-teams-a-tale-of-a-process-crash-powershell-and-the-mitre-attck-evaluation\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Blue teams helping red teams: A tale of a process crash, PowerShell, and the MITRE ATT&CK evaluation 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/blue-teams-helping-red-teams-a-tale-of-a-process-crash-powershell-and-the-mitre-attck-evaluation\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2020-06-11T17:00:05+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/06\/blue-teams-helping-red-teams-a-tale-of-a-process-crash-powershell-and-the-mitre-attck-evaluation.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1024\" \/>\n\t<meta property=\"og:image:height\" content=\"189\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/blue-teams-helping-red-teams-a-tale-of-a-process-crash-powershell-and-the-mitre-attck-evaluation\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/blue-teams-helping-red-teams-a-tale-of-a-process-crash-powershell-and-the-mitre-attck-evaluation\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Blue teams helping red teams: A tale of a process crash, PowerShell, and the MITRE ATT&CK evaluation\",\"datePublished\":\"2020-06-11T17:00:05+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/blue-teams-helping-red-teams-a-tale-of-a-process-crash-powershell-and-the-mitre-attck-evaluation\\\/\"},\"wordCount\":1891,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/blue-teams-helping-red-teams-a-tale-of-a-process-crash-powershell-and-the-mitre-attck-evaluation\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2020\\\/06\\\/blue-teams-helping-red-teams-a-tale-of-a-process-crash-powershell-and-the-mitre-attck-evaluation.png\",\"keywords\":[\"Cybersecurity\",\"Microsoft security intelligence\",\"Microsoft Threat Protection\",\"MITRE\",\"PowerShell\",\"Step 19\"],\"articleSection\":[\"Microsoft Secure\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/blue-teams-helping-red-teams-a-tale-of-a-process-crash-powershell-and-the-mitre-attck-evaluation\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/blue-teams-helping-red-teams-a-tale-of-a-process-crash-powershell-and-the-mitre-attck-evaluation\\\/\",\"name\":\"Blue teams helping red teams: A tale of a process crash, PowerShell, and the MITRE ATT&CK evaluation 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/blue-teams-helping-red-teams-a-tale-of-a-process-crash-powershell-and-the-mitre-attck-evaluation\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/blue-teams-helping-red-teams-a-tale-of-a-process-crash-powershell-and-the-mitre-attck-evaluation\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2020\\\/06\\\/blue-teams-helping-red-teams-a-tale-of-a-process-crash-powershell-and-the-mitre-attck-evaluation.png\",\"datePublished\":\"2020-06-11T17:00:05+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/blue-teams-helping-red-teams-a-tale-of-a-process-crash-powershell-and-the-mitre-attck-evaluation\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/blue-teams-helping-red-teams-a-tale-of-a-process-crash-powershell-and-the-mitre-attck-evaluation\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/blue-teams-helping-red-teams-a-tale-of-a-process-crash-powershell-and-the-mitre-attck-evaluation\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2020\\\/06\\\/blue-teams-helping-red-teams-a-tale-of-a-process-crash-powershell-and-the-mitre-attck-evaluation.png\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2020\\\/06\\\/blue-teams-helping-red-teams-a-tale-of-a-process-crash-powershell-and-the-mitre-attck-evaluation.png\",\"width\":1024,\"height\":189},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/blue-teams-helping-red-teams-a-tale-of-a-process-crash-powershell-and-the-mitre-attck-evaluation\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cybersecurity\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/cybersecurity\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Blue teams helping red teams: A tale of a process crash, PowerShell, and the MITRE ATT&CK evaluation\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Blue teams helping red teams: A tale of a process crash, PowerShell, and the MITRE ATT&CK evaluation 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/blue-teams-helping-red-teams-a-tale-of-a-process-crash-powershell-and-the-mitre-attck-evaluation\/","og_locale":"en_US","og_type":"article","og_title":"Blue teams helping red teams: A tale of a process crash, PowerShell, and the MITRE ATT&CK evaluation 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/blue-teams-helping-red-teams-a-tale-of-a-process-crash-powershell-and-the-mitre-attck-evaluation\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2020-06-11T17:00:05+00:00","og_image":[{"width":1024,"height":189,"url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/06\/blue-teams-helping-red-teams-a-tale-of-a-process-crash-powershell-and-the-mitre-attck-evaluation.png","type":"image\/png"}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/blue-teams-helping-red-teams-a-tale-of-a-process-crash-powershell-and-the-mitre-attck-evaluation\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/blue-teams-helping-red-teams-a-tale-of-a-process-crash-powershell-and-the-mitre-attck-evaluation\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Blue teams helping red teams: A tale of a process crash, PowerShell, and the MITRE ATT&CK evaluation","datePublished":"2020-06-11T17:00:05+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/blue-teams-helping-red-teams-a-tale-of-a-process-crash-powershell-and-the-mitre-attck-evaluation\/"},"wordCount":1891,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/blue-teams-helping-red-teams-a-tale-of-a-process-crash-powershell-and-the-mitre-attck-evaluation\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/06\/blue-teams-helping-red-teams-a-tale-of-a-process-crash-powershell-and-the-mitre-attck-evaluation.png","keywords":["Cybersecurity","Microsoft security intelligence","Microsoft Threat Protection","MITRE","PowerShell","Step 19"],"articleSection":["Microsoft Secure"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/blue-teams-helping-red-teams-a-tale-of-a-process-crash-powershell-and-the-mitre-attck-evaluation\/","url":"https:\/\/www.threatshub.org\/blog\/blue-teams-helping-red-teams-a-tale-of-a-process-crash-powershell-and-the-mitre-attck-evaluation\/","name":"Blue teams helping red teams: A tale of a process crash, PowerShell, and the MITRE ATT&CK evaluation 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/blue-teams-helping-red-teams-a-tale-of-a-process-crash-powershell-and-the-mitre-attck-evaluation\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/blue-teams-helping-red-teams-a-tale-of-a-process-crash-powershell-and-the-mitre-attck-evaluation\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/06\/blue-teams-helping-red-teams-a-tale-of-a-process-crash-powershell-and-the-mitre-attck-evaluation.png","datePublished":"2020-06-11T17:00:05+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/blue-teams-helping-red-teams-a-tale-of-a-process-crash-powershell-and-the-mitre-attck-evaluation\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/blue-teams-helping-red-teams-a-tale-of-a-process-crash-powershell-and-the-mitre-attck-evaluation\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/blue-teams-helping-red-teams-a-tale-of-a-process-crash-powershell-and-the-mitre-attck-evaluation\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/06\/blue-teams-helping-red-teams-a-tale-of-a-process-crash-powershell-and-the-mitre-attck-evaluation.png","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/06\/blue-teams-helping-red-teams-a-tale-of-a-process-crash-powershell-and-the-mitre-attck-evaluation.png","width":1024,"height":189},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/blue-teams-helping-red-teams-a-tale-of-a-process-crash-powershell-and-the-mitre-attck-evaluation\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Cybersecurity","item":"https:\/\/www.threatshub.org\/blog\/tag\/cybersecurity\/"},{"@type":"ListItem","position":3,"name":"Blue teams helping red teams: A tale of a process crash, PowerShell, and the MITRE ATT&CK evaluation"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/35472","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=35472"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/35472\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/35473"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=35472"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=35472"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=35472"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}