{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/octopus-deploy/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Endpoint Security","Octopus Deploy"],"_cs_severities":["medium"],"_cs_tags":["powershell","encryption","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Octopus Deploy"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of PowerShell scripts utilizing .NET cryptography APIs for file encryption or decryption. Attackers often leverage these capabilities to encrypt data for impact, potentially leading to data exfiltration or ransomware deployment, or to decrypt staged payloads, circumventing traditional security measures. Defenders should be aware of PowerShell scripts employing symmetric cryptography classes (AES/Rijndael, SymmetricAlgorithm), key derivation helpers (PasswordDeriveBytes, Rfc2898DeriveBytes), explicit cipher configurations (CipherMode, PaddingMode), and functions that generate encryptors/decryptors. Identifying such scripts is crucial for preventing both data compromise and the execution of malicious payloads. This detection specifically targets Windows systems where PowerShell is commonly used for both legitimate administration and malicious activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the target system (e.g., via compromised credentials or a phishing attack).\u003c/li\u003e\n\u003cli\u003eAttacker uploads or stages a PowerShell script containing encryption/decryption capabilities.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script utilizes .NET cryptography APIs (e.g., \u003ccode\u003eAESManaged\u003c/code\u003e, \u003ccode\u003eRijndaelManaged\u003c/code\u003e, \u003ccode\u003ePasswordDeriveBytes\u003c/code\u003e, \u003ccode\u003eRfc2898DeriveBytes\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe script configures the cipher using \u003ccode\u003eCipherMode\u003c/code\u003e and \u003ccode\u003ePaddingMode\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe script invokes \u003ccode\u003e.CreateEncryptor()\u003c/code\u003e or \u003ccode\u003e.CreateDecryptor()\u003c/code\u003e methods to initialize the cryptographic operation.\u003c/li\u003e\n\u003cli\u003eIf encrypting, the script iterates through target files, encrypting their content and potentially renaming or deleting originals.\u003c/li\u003e\n\u003cli\u003eIf decrypting, the script processes an encrypted payload, converting it to executable form or writing it to a new artifact.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the decrypted payload or exfiltrates the encrypted data, completing their objective.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to significant data loss, system downtime, and financial damage. Data encryption for impact can render systems unusable, while the decryption of staged payloads can introduce malware into the environment. The number of victims can vary widely depending on the scope of the attack, ranging from individual workstations to entire networks. Targeted sectors may include any organization reliant on Windows-based systems, with potential consequences including operational disruption, reputational damage, and regulatory fines.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging to capture the events required for detection, specifically event ID 4104, as detailed in the \u003ca href=\"https://ela.st/powershell-logging-setup\"\u003eElastic PowerShell logging setup guide\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003ePowerShell Script with Encryption/Decryption Capabilities\u003c/code\u003e to your SIEM to detect suspicious PowerShell scripts utilizing .NET cryptography APIs.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts triggered by the Sigma rule, focusing on \u003ccode\u003epowershell.file.script_block_text\u003c/code\u003e to understand the cryptographic intent and data flow.\u003c/li\u003e\n\u003cli\u003eTune the Sigma rule by adding exceptions for legitimate PowerShell scripts that use encryption, referencing the \u0026ldquo;False positive analysis\u0026rdquo; section in this brief.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-powershell-encryption/","summary":"PowerShell scripts employing .NET cryptography APIs are used to encrypt data for impact or decrypt payloads for defense evasion.","title":"PowerShell Script with Encryption/Decryption Capabilities","url":"https://feed.craftedsignal.io/briefs/2024-01-03-powershell-encryption/"}],"language":"en","title":"CraftedSignal Threat Feed — Octopus Deploy","version":"https://jsonfeed.org/version/1.1"}