Azorult — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/actors/azorult/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 03 Jan 2024 18:23:00 +0000Detect PowerShell AppLocker Policy Import Activityhttps://feed.craftedsignal.io/briefs/2024-01-powershell-applocker-policy-import/Wed, 03 Jan 2024 18:23:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-powershell-applocker-policy-import/Detection of PowerShell commands to import AppLocker policy via Import-Module Applocker and Set-AppLockerPolicy, potentially used to enforce restrictive policies or disable security products like antivirus.This threat brief outlines the detection of malicious PowerShell activity involving the import of AppLocker policies. Attackers may use AppLocker to enforce restrictive policies on compromised systems, which can lead to the disabling of security products like antivirus software, as observed with the Azorult malware. The activity is detected through PowerShell Script Block Logging, specifically EventCode 4104, which captures and analyzes script block text for the use of “Import-Module Applocker” and “Set-AppLockerPolicy” commands with an XML policy file. Detecting this activity early is crucial to prevent attackers from establishing persistence and further compromising the system by bypassing security controls.

Attack Chain

  1. An attacker gains initial access to the target system, potentially through phishing or exploiting a vulnerability.
  2. The attacker executes a PowerShell script to import the AppLocker module using Import-Module Applocker.
  3. The script then uses Set-AppLockerPolicy to apply a new AppLocker policy.
  4. The -XMLPolicy parameter is used to specify an XML file containing the malicious AppLocker rules.
  5. The new AppLocker policy restricts the execution of legitimate applications, including antivirus software.
  6. The attacker establishes persistence by ensuring the malicious AppLocker policy is applied at system startup.
  7. With security controls disabled, the attacker deploys and executes additional malware or performs lateral movement.
  8. The final objective is data exfiltration or further system compromise.

Impact

A successful attack can lead to the complete bypass of endpoint security controls, leaving systems vulnerable to malware infections and data breaches. This can result in significant financial losses, reputational damage, and legal liabilities. If security software is disabled on a large number of endpoints, the impact is organization-wide.

Recommendation

  • Enable PowerShell Script Block Logging (EventCode 4104) on all endpoints to capture the necessary data for detection.
  • Deploy the Sigma rule Detect AppLocker Policy Import via PowerShell to your SIEM and tune for your environment.
  • Investigate any alerts generated by the Sigma rule, focusing on the ScriptBlockText and the source of the PowerShell execution.
  • Implement strict AppLocker policies to prevent unauthorized applications from running.
  • Monitor endpoints for unexpected changes to AppLocker policies.
]]>highthreatapplockerpowershelldefense-evasionendpoint