<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Microsoft PowerShell - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/microsoft-powershell/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 01 Nov 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/microsoft-powershell/feed.xml" rel="self" type="application/rss+xml"/><item><title>Windows Hosts Querying Abused Web Services</title><link>https://feed.craftedsignal.io/briefs/2024-11-abused-web-services/</link><pubDate>Fri, 01 Nov 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-11-abused-web-services/</guid><description>Suspicious processes on Windows hosts are making DNS queries to known, abused web services such as text-paste sites, file sharing platforms, and tunneling services, potentially indicating malware downloading or command and control activity.</description><content:encoded><![CDATA[<p>This threat brief highlights the use of legitimate web services for malicious purposes. Attackers often leverage these services to host malware, exfiltrate data, or establish command and control (C2) channels. This activity focuses on detecting suspicious processes making DNS queries to domains associated with services like pastebin.com, mediafire.com, and ngrok.io. These services are abused due to their widespread use and the trust often placed in them, making it easier for attackers to blend in with normal network traffic. The increased use of such services in malicious campaigns necessitates proactive detection and monitoring. The scope of targeting includes any Windows endpoint within an organization's network. This activity is commonly seen across various malware families.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A user clicks a malicious link or opens a compromised document (not directly observed in source).</li>
<li>The compromised document executes a malicious script, such as PowerShell, via <code>cmd.exe</code>.</li>
<li>The script initiates a DNS query to a known, abused web service, like <code>pastebin.com</code>, using Windows DNS client.</li>
<li>The attacker retrieves a payload or configuration from the web service via HTTP or HTTPS.</li>
<li>The script downloads and executes the payload in memory or on disk.</li>
<li>The payload establishes persistence and begins beaconing to a command-and-control server, potentially using <code>ngrok.io</code> for tunneling.</li>
<li>The attacker uses the C2 channel to send commands and exfiltrate sensitive data or deploy additional malware.</li>
<li>The attacker achieves their final objective, such as data theft, ransomware deployment, or system compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to various detrimental outcomes. Malware infections can disrupt business operations, resulting in financial losses and reputational damage. Data exfiltration can compromise sensitive information, leading to legal and regulatory penalties. Ransomware deployment can encrypt critical files, holding the organization hostage. The wide range of services abused makes detection challenging but crucial. The impact can range from a single compromised host to a full-scale network breach.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Sysmon Event ID 22 (DNS Query) logging to capture DNS query events (reference: description, search query).</li>
<li>Deploy the Sigma rules provided in this brief to your SIEM and tune them based on your environment's baseline (reference: rules).</li>
<li>Review and update firewall rules to restrict access to known abused web services if they are not required for business operations (reference: iocs).</li>
<li>Investigate any alerts generated by these rules to identify and remediate potentially compromised hosts (reference: rules).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>abused-web-services</category><category>command-and-control</category><category>windows</category></item><item><title>Potential PowerShell Obfuscated Script via High Entropy</title><link>https://feed.craftedsignal.io/briefs/2024-01-09-powershell-obfuscation/</link><pubDate>Tue, 09 Jan 2024 14:30:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-09-powershell-obfuscation/</guid><description>This rule detects potential PowerShell obfuscated scripts by identifying script blocks with high entropy and non-uniform character distributions, which attackers use to evade signature-based detections.</description><content:encoded><![CDATA[<p>Attackers often obfuscate PowerShell scripts using encoding, encryption, or compression to evade signature-based detections and hinder manual analysis. This technique allows malicious actors to hide their code's true intent, making it difficult for security analysts to identify and understand the script's behavior. This detection identifies PowerShell script blocks with high entropy and non-uniform character distributions, characteristics that are common in obfuscated scripts. The rule focuses on statistical anomalies in PowerShell script blocks. It checks for large script blocks (over 1000 characters) with high entropy (&gt;= 5.5 bits) and significant surprisal standard deviation (&gt; 0.7). Note that legitimate scripts can trigger this alert when they embed packed data (e.g., compressed resources).</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a Windows system (e.g., via phishing or exploiting a vulnerability).</li>
<li>The attacker uploads or creates a PowerShell script on the target system.</li>
<li>The PowerShell script is obfuscated using techniques such as Base64 encoding, gzip compression, or encryption algorithms.</li>
<li>The obfuscated script is executed via <code>powershell.exe</code>.</li>
<li>The script decodes, decrypts, or decompresses the malicious payload in memory.</li>
<li>The payload is executed, performing actions such as establishing persistence, downloading additional malware, or exfiltrating data.</li>
<li>The attacker leverages the established foothold for lateral movement within the network.</li>
<li>The final objective is achieved (e.g., data theft, ransomware deployment).</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful obfuscation allows attackers to bypass traditional signature-based security controls. This can lead to undetected malware infections, data breaches, and system compromise. The impact includes potential data theft, system disruption, and financial loss. While the number of victims and specific sectors targeted are unknown, the widespread use of PowerShell makes this a broadly applicable threat.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable PowerShell Script Block Logging to generate the necessary events (4104) for this detection. Reference: <a href="https://ela.st/powershell-logging-setup">https://ela.st/powershell-logging-setup</a></li>
<li>Deploy the Sigma rule &quot;Detect Obfuscated PowerShell Script via High Entropy&quot; to your SIEM and tune the threshold values (<code>powershell.file.script_block_length</code>, <code>powershell.file.script_block_entropy_bits</code>, <code>powershell.file.script_block_surprisal_stdev</code>) to match your environment.</li>
<li>Investigate any alerts triggered by the Sigma rule, focusing on execution context, script content, and initiating source as detailed in the rule's description.</li>
<li>Review <code>file.path</code> (if present) to determine the script's origin and legitimacy.</li>
<li>Implement endpoint detection and response (EDR) solutions to monitor for post-execution activity, such as suspicious network connections and file modifications.</li>
<li>Block execution of PowerShell scripts from unusual file directories (user-writable or temporary locations).</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>powershell</category><category>obfuscation</category><category>defense_evasion</category><category>windows</category></item></channel></rss>