{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/microsoft-powershell/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft Windows","Microsoft PowerShell","MediaFire","ngrok","Pastebin"],"_cs_severities":["high"],"_cs_tags":["abused-web-services","command-and-control","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","MediaFire","ngrok","Pastebin"],"content_html":"\u003cp\u003eThis threat brief highlights the use of legitimate web services for malicious purposes. Attackers often leverage these services to host malware, exfiltrate data, or establish command and control (C2) channels. This activity focuses on detecting suspicious processes making DNS queries to domains associated with services like pastebin.com, mediafire.com, and ngrok.io. These services are abused due to their widespread use and the trust often placed in them, making it easier for attackers to blend in with normal network traffic. The increased use of such services in malicious campaigns necessitates proactive detection and monitoring. The scope of targeting includes any Windows endpoint within an organization's network. This activity is commonly seen across various malware families.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user clicks a malicious link or opens a compromised document (not directly observed in source).\u003c/li\u003e\n\u003cli\u003eThe compromised document executes a malicious script, such as PowerShell, via \u003ccode\u003ecmd.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe script initiates a DNS query to a known, abused web service, like \u003ccode\u003epastebin.com\u003c/code\u003e, using Windows DNS client.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves a payload or configuration from the web service via HTTP or HTTPS.\u003c/li\u003e\n\u003cli\u003eThe script downloads and executes the payload in memory or on disk.\u003c/li\u003e\n\u003cli\u003eThe payload establishes persistence and begins beaconing to a command-and-control server, potentially using \u003ccode\u003engrok.io\u003c/code\u003e for tunneling.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the C2 channel to send commands and exfiltrate sensitive data or deploy additional malware.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data theft, ransomware deployment, or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to various detrimental outcomes. Malware infections can disrupt business operations, resulting in financial losses and reputational damage. Data exfiltration can compromise sensitive information, leading to legal and regulatory penalties. Ransomware deployment can encrypt critical files, holding the organization hostage. The wide range of services abused makes detection challenging but crucial. The impact can range from a single compromised host to a full-scale network breach.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 22 (DNS Query) logging to capture DNS query events (reference: description, search query).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM and tune them based on your environment's baseline (reference: rules).\u003c/li\u003e\n\u003cli\u003eReview and update firewall rules to restrict access to known abused web services if they are not required for business operations (reference: iocs).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules to identify and remediate potentially compromised hosts (reference: rules).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-11-01T12:00:00Z","date_published":"2024-11-01T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-11-abused-web-services/","summary":"Suspicious processes on Windows hosts are making DNS queries to known, abused web services such as text-paste sites, file sharing platforms, and tunneling services, potentially indicating malware downloading or command and control activity.","title":"Windows Hosts Querying Abused Web Services","url":"https://feed.craftedsignal.io/briefs/2024-11-abused-web-services/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft Windows","Microsoft PowerShell"],"_cs_severities":["medium"],"_cs_tags":["powershell","obfuscation","defense_evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers often obfuscate PowerShell scripts using encoding, encryption, or compression to evade signature-based detections and hinder manual analysis. This technique allows malicious actors to hide their code's true intent, making it difficult for security analysts to identify and understand the script's behavior. This detection identifies PowerShell script blocks with high entropy and non-uniform character distributions, characteristics that are common in obfuscated scripts. The rule focuses on statistical anomalies in PowerShell script blocks. It checks for large script blocks (over 1000 characters) with high entropy (\u0026gt;= 5.5 bits) and significant surprisal standard deviation (\u0026gt; 0.7). Note that legitimate scripts can trigger this alert when they embed packed data (e.g., compressed resources).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker uploads or creates a PowerShell script on the target system.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script is obfuscated using techniques such as Base64 encoding, gzip compression, or encryption algorithms.\u003c/li\u003e\n\u003cli\u003eThe obfuscated script is executed via \u003ccode\u003epowershell.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe script decodes, decrypts, or decompresses the malicious payload in memory.\u003c/li\u003e\n\u003cli\u003eThe payload is executed, performing actions such as establishing persistence, downloading additional malware, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the established foothold for lateral movement within the network.\u003c/li\u003e\n\u003cli\u003eThe final objective is achieved (e.g., data theft, ransomware deployment).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful obfuscation allows attackers to bypass traditional signature-based security controls. This can lead to undetected malware infections, data breaches, and system compromise. The impact includes potential data theft, system disruption, and financial loss. While the number of victims and specific sectors targeted are unknown, the widespread use of PowerShell makes this a broadly applicable threat.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging to generate the necessary events (4104) for this detection. Reference: \u003ca href=\"https://ela.st/powershell-logging-setup\"\u003ehttps://ela.st/powershell-logging-setup\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Obfuscated PowerShell Script via High Entropy\u0026quot; to your SIEM and tune the threshold values (\u003ccode\u003epowershell.file.script_block_length\u003c/code\u003e, \u003ccode\u003epowershell.file.script_block_entropy_bits\u003c/code\u003e, \u003ccode\u003epowershell.file.script_block_surprisal_stdev\u003c/code\u003e) to match your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule, focusing on execution context, script content, and initiating source as detailed in the rule's description.\u003c/li\u003e\n\u003cli\u003eReview \u003ccode\u003efile.path\u003c/code\u003e (if present) to determine the script's origin and legitimacy.\u003c/li\u003e\n\u003cli\u003eImplement endpoint detection and response (EDR) solutions to monitor for post-execution activity, such as suspicious network connections and file modifications.\u003c/li\u003e\n\u003cli\u003eBlock execution of PowerShell scripts from unusual file directories (user-writable or temporary locations).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T14:30:00Z","date_published":"2024-01-09T14:30:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-09-powershell-obfuscation/","summary":"This rule detects potential PowerShell obfuscated scripts by identifying script blocks with high entropy and non-uniform character distributions, which attackers use to evade signature-based detections.","title":"Potential PowerShell Obfuscated Script via High Entropy","url":"https://feed.craftedsignal.io/briefs/2024-01-09-powershell-obfuscation/"}],"language":"en","title":"CraftedSignal Threat Feed - Microsoft PowerShell","version":"https://jsonfeed.org/version/1.1"}