{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/actors/azorult/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Azorult"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["applocker","powershell","defense-evasion","endpoint"],"_cs_type":"threat","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis threat brief outlines the detection of malicious PowerShell activity involving the import of AppLocker policies. Attackers may use AppLocker to enforce restrictive policies on compromised systems, which can lead to the disabling of security products like antivirus software, as observed with the Azorult malware. The activity is detected through PowerShell Script Block Logging, specifically EventCode 4104, which captures and analyzes script block text for the use of \u0026ldquo;Import-Module Applocker\u0026rdquo; and \u0026ldquo;Set-AppLockerPolicy\u0026rdquo; commands with an XML policy file. Detecting this activity early is crucial to prevent attackers from establishing persistence and further compromising the system by bypassing security controls.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the target system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a PowerShell script to import the AppLocker module using \u003ccode\u003eImport-Module Applocker\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe script then uses \u003ccode\u003eSet-AppLockerPolicy\u003c/code\u003e to apply a new AppLocker policy.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e-XMLPolicy\u003c/code\u003e parameter is used to specify an XML file containing the malicious AppLocker rules.\u003c/li\u003e\n\u003cli\u003eThe new AppLocker policy restricts the execution of legitimate applications, including antivirus software.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence by ensuring the malicious AppLocker policy is applied at system startup.\u003c/li\u003e\n\u003cli\u003eWith security controls disabled, the attacker deploys and executes additional malware or performs lateral movement.\u003c/li\u003e\n\u003cli\u003eThe final objective is data exfiltration or further system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the complete bypass of endpoint security controls, leaving systems vulnerable to malware infections and data breaches. This can result in significant financial losses, reputational damage, and legal liabilities. If security software is disabled on a large number of endpoints, the impact is organization-wide.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging (EventCode 4104) on all endpoints to capture the necessary data for detection.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect AppLocker Policy Import via PowerShell\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the \u003ccode\u003eScriptBlockText\u003c/code\u003e and the source of the PowerShell execution.\u003c/li\u003e\n\u003cli\u003eImplement strict AppLocker policies to prevent unauthorized applications from running.\u003c/li\u003e\n\u003cli\u003eMonitor endpoints for unexpected changes to AppLocker policies.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:23:00Z","date_published":"2024-01-03T18:23:00Z","id":"/briefs/2024-01-powershell-applocker-policy-import/","summary":"Detection of PowerShell commands to import AppLocker policy via Import-Module Applocker and Set-AppLockerPolicy, potentially used to enforce restrictive policies or disable security products like antivirus.","title":"Detect PowerShell AppLocker Policy Import Activity","url":"https://feed.craftedsignal.io/briefs/2024-01-powershell-applocker-policy-import/"}],"language":"en","title":"CraftedSignal Threat Feed — Azorult","version":"https://jsonfeed.org/version/1.1"}