Threat Feed
medium advisory

Suspicious PowerShell TabExpansion Direct Call

This detection identifies PowerShell scripts that directly call the TabExpansion internal function, which is uncommon and may indicate malicious activity, such as TabShell, potentially bypassing sandboxes by loading PowerShell functions via directory traversal.

This alert detects specific indicators associated with execution of the TabExpansion internal function in PowerShell. Direct calls to this function are uncommon in legitimate scripts and can indicate malicious activity such as TabShell. The technique can bypass PowerShell’s constrained language mode: by abusing PowerShell internals, an attacker can combine directory traversal with the TabExpansion function to load arbitrary PowerShell functions, even inside a sandboxed environment. While legitimate use of TabExpansion is rare, defenders should treat direct calls to this function as a possible sign of an attempt to circumvent security restrictions within PowerShell.

Attack Chain

  1. An attacker gains initial access to the system. This step is not specified in the source, but is a prerequisite.
  2. The attacker executes a PowerShell script.
  3. The PowerShell script directly calls the TabExpansion internal function.
  4. The TabExpansion function, when called directly, attempts to resolve paths or commands based on partial input.
  5. The attacker crafts a malicious payload, using directory traversal to point to a malicious PowerShell script location.
  6. The TabExpansion function resolves the crafted path, effectively bypassing intended restrictions.
  7. The malicious PowerShell script is loaded and executed within the current PowerShell session, even if sandboxed.
  8. The attacker achieves arbitrary code execution and potentially escalates privileges.

Impact

Successful exploitation can allow an attacker to bypass PowerShell’s security restrictions, including constrained language mode. This could lead to arbitrary code execution, privilege escalation, and potentially complete system compromise. The impact is significant, as it allows malicious actors to execute code within an environment that is supposed to be restricted and secure.

Recommendation

  • Enable PowerShell Script Block Logging (Event ID 4104) to capture the necessary telemetry to detect this activity.
  • Deploy the Sigma rule Suspicious PowerShell TabExpansion Call to your SIEM and tune for your environment to reduce false positives.
  • Investigate any alerts generated by the Suspicious PowerShell TabExpansion Call rule to determine if the activity is legitimate or malicious.
  • Filter alerts generated by the Suspicious PowerShell TabExpansion Call rule if direct calls originate from trusted administrative or development activities, as noted in the “known_false_positives” section of the source.

Detection coverage (2 rules)

Suspicious PowerShell TabExpansion Call

medium

Detects PowerShell scripts directly calling the TabExpansion function, potentially indicating malicious activity like TabShell.

Type: sigma | Tactics: defense_evasion, execution | Techniques: T1059.001, T1129 | Sources: process_creation, windows

Suspicious PowerShell ScriptBlock with TabExpansion and Directory Traversal

high

Detects PowerShell script blocks that contain TabExpansion and potential directory traversal sequences.

Type: sigma | Tactics: defense_evasion, execution | Techniques: T1059.001, T1129 | Sources: powershell_script, windows
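The two rules above and the Recommendation section describe the indicators without showing the queries, which are kept inside the platform. The following is an added, simplified stand-in written for this page (not the platform's Sigma rules) that applies both checks to constructed Event ID 4104 ScriptBlockText records: a direct call to the bare TabExpansion function maps to the medium rule, and a direct call combined with a directory traversal sequence maps to the high rule. It assumes events are dicts with EventID, RecordId and ScriptBlockText keys, and it deliberately ignores TabExpansion2 and legacy "function TabExpansion" profile overrides to reduce false positives.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Bare word "TabExpansion" invoked directly. Excludes TabExpansion2 (the normal
# PowerShell 3+ completer, common in profiles), the legacy
# "function TabExpansion { ... }" override pattern, and Function:\TabExpansion
# provider paths. PowerShell is case-insensitive, so the match is too.
DIRECT_CALL = re.compile(r"(?<!function )(?<!\\)\bTabExpansion\b(?!2)", re.IGNORECASE)

# Parent-directory traversal sequence with either path separator.
TRAVERSAL = re.compile(r"\.\.[\\/]")

RULE_NAMES = {
    "medium": "Suspicious PowerShell TabExpansion Call",
    "high": "Suspicious PowerShell ScriptBlock with TabExpansion and Directory Traversal",
}

@dataclass
class Alert:
    record_id: int
    level: str
    rule: str
    script_block: str

def classify(script_block: str) -> Optional[str]:
    """Return 'high', 'medium' or None for one ScriptBlockText value."""
    if not DIRECT_CALL.search(script_block):
        return None
    return "high" if TRAVERSAL.search(script_block) else "medium"

def scan(events: Iterable[dict]) -> List[Alert]:
    """Apply classify() to every Event ID 4104 record and collect alerts."""
    alerts: List[Alert] = []
    for ev in events:
        if ev.get("EventID") != 4104:
            continue  # only script block logging records carry ScriptBlockText
        level = classify(ev.get("ScriptBlockText", ""))
        if level:
            alerts.append(Alert(ev["RecordId"], level, RULE_NAMES[level], ev["ScriptBlockText"]))
    return alerts

# Constructed sample events (not real telemetry): benign use, a legitimate
# TabExpansion2 definition, a direct call, a direct call with traversal, and
# a non-4104 record that must be skipped.
SAMPLE_EVENTS = [
    {"EventID": 4104, "RecordId": 1, "ScriptBlockText": "Get-ChildItem C:\\Users | Sort-Object Name"},
    {"EventID": 4104, "RecordId": 2, "ScriptBlockText": "function TabExpansion2 { param($line, $cursorColumn) }"},
    {"EventID": 4104, "RecordId": 3, "ScriptBlockText": "$c = TabExpansion 'Get-Proc' 'Get-Proc'"},
    {"EventID": 4104, "RecordId": 4, "ScriptBlockText": "TabExpansion '..\\..\\..\\Temp\\x' ''"},
    {"EventID": 4103, "RecordId": 5, "Payload": "TabExpansion '..\\x' ''"},
]
```

Like the platform rules, this only sees the literal function name, so script blocks that build the name from string fragments or invoke it via the call operator still need Script Block Logging's deobfuscated 4104 output, and the "known_false_positives" tuning in the Recommendation section applies to the medium match.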

Detection queries are kept inside the platform.