{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/powershell/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["PowerShell"],"_cs_severities":["high"],"_cs_tags":["credential-access","kerberos","powershell","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief focuses on detecting PowerShell scripts designed to extract Kerberos tickets from memory. Attackers use these scripts to gain unauthorized access to credentials, which can then be leveraged for lateral movement within a network. The scripts achieve this by interacting with the Local Security Authority (LSA) and accessing Kerberos authentication packages. The observed PowerShell scripts utilize specific Kerberos ticket message types or dynamic Kerberos package lookup to enumerate and retrieve tickets. This behavior is often associated with post-exploitation activity, where attackers are attempting to escalate privileges or move laterally within a compromised environment. Defenders should monitor PowerShell activity for these patterns, as successful Kerberos ticket dumping can lead to significant security breaches. 
The scripts are not associated with any specific campaign or version.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes a PowerShell script.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script uses \u003ccode\u003eLsaCallAuthenticationPackage\u003c/code\u003e to interact with the LSA.\u003c/li\u003e\n\u003cli\u003eThe script attempts to retrieve Kerberos tickets by using functions like \u003ccode\u003eKerbRetrieveEncodedTicketMessage\u003c/code\u003e, \u003ccode\u003eKerbQueryTicketCacheMessage\u003c/code\u003e, \u003ccode\u003eKerbQueryTicketCacheExMessage\u003c/code\u003e, or \u003ccode\u003eKerbRetrieveTicketMessage\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAlternatively, the script uses \u003ccode\u003eLsaLookupAuthenticationPackage\u003c/code\u003e to dynamically locate the Kerberos package.\u003c/li\u003e\n\u003cli\u003eThe script may then decrypt the ticket data using \u003ccode\u003eKerbDecryptDataMessage\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe script may attempt to serialize or export the extracted tickets to a file.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the dumped Kerberos tickets to impersonate users or services, gaining unauthorized access to resources and facilitating lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to steal Kerberos tickets from memory. The attacker can then use these tickets to impersonate legitimate users or services, enabling them to move laterally within the network, access sensitive data, and potentially compromise critical systems. 
The impact includes unauthorized access to resources, data breaches, and potentially a complete compromise of the targeted Windows domain.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging to capture the malicious script content (as mentioned in the \u0026ldquo;Setup\u0026rdquo; section).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;PowerShell Kerberos Ticket Dump\u0026rdquo; to detect scripts exhibiting Kerberos ticket dumping behavior.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule, focusing on the reconstructed script block content and process lineage as outlined in the \u0026ldquo;Triage and analysis\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eMonitor for file creation events related to ticket material exports (e.g., \u0026ldquo;.kirbi\u0026rdquo; files) to identify potential ticket dumping activity.\u003c/li\u003e\n\u003cli\u003eReview authentication events (event codes 4624, 4625, 4648) to identify suspicious logins originating from compromised systems.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T12:00:00Z","date_published":"2024-01-26T12:00:00Z","id":"/briefs/2024-01-26-powershell-kerberos-dump/","summary":"Detection of PowerShell scripts attempting to dump Kerberos tickets from memory by accessing LSA authentication packages, potentially leading to credential access and lateral movement.","title":"PowerShell Kerberos Ticket Dumping via LSA Authentication Package Access","url":"https://feed.craftedsignal.io/briefs/2024-01-26-powershell-kerberos-dump/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["PowerShell"],"_cs_severities":["high"],"_cs_tags":["discovery","powershell","share-enumeration","lateral-movement","ransomware"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies PowerShell scripts utilizing 
ShareFinder functions (Invoke-ShareFinder/Invoke-ShareFinderThreaded) or native Windows API calls for share enumeration. These techniques are commonly used by attackers to map accessible network shares within an environment. This reconnaissance is often a precursor to data collection, lateral movement, or the deployment of ransomware. The detection relies on script block logging and focuses on identifying specific function calls and API usage within the PowerShell script content. Defenders should be aware of this activity, particularly when performed by unexpected users or on unusual systems, as it may indicate malicious reconnaissance within the network. The references indicate that this activity can lead to corporate insurance policy exfiltration or Conti ransomware deployment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system, potentially through phishing or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a PowerShell script, either directly or through a fileless execution method.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script utilizes ShareFinder functions (Invoke-ShareFinder, Invoke-ShareFinderThreaded) or Windows share enumeration APIs (NetShareEnum, NetApiBufferFree) to discover network shares.\u003c/li\u003e\n\u003cli\u003eThe script identifies accessible network shares by leveraging API calls and parsing the results for share names (shi1_netname) and remarks (shi1_remark).\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the identified shares to determine those that are accessible and contain valuable data.\u003c/li\u003e\n\u003cli\u003eThe attacker may then attempt to access these shares using compromised credentials or exploiting existing vulnerabilities.\u003c/li\u003e\n\u003cli\u003eOnce access is gained, the attacker may collect sensitive data from the shares, move laterally to other systems, or 
deploy ransomware.\u003c/li\u003e\n\u003cli\u003eThe ultimate goal is data exfiltration, system compromise, or financial gain through ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this reconnaissance technique can lead to significant data breaches, lateral movement within the network, and potential ransomware deployment. Organizations that fail to detect and prevent share enumeration may suffer financial losses, reputational damage, and operational disruption. The referenced \u0026ldquo;Stolen Images\u0026rdquo; campaign led to Conti ransomware deployment, and the \u0026ldquo;Hunting for corporate insurance policies\u0026rdquo; post highlights data exfiltration.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell script block logging to capture the necessary events for detection (as referenced in the rule setup).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;PowerShell Share Enumeration Script via Invoke-ShareFinder\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;PowerShell Share Enumeration via NetShareEnum API\u0026rdquo; to detect share enumeration using native Windows APIs.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules, focusing on the PowerShell launch context and the scope of the share discovery (see triage steps in the original rule).\u003c/li\u003e\n\u003cli\u003eReview and restrict PowerShell execution policies to prevent unauthorized script execution, especially from user-writable locations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T15:00:00Z","date_published":"2024-01-09T15:00:00Z","id":"/briefs/2024-01-09-powershell-share-enumeration/","summary":"Detection of PowerShell scripts employing ShareFinder functions or Windows share enumeration APIs to 
discover accessible network shares for reconnaissance, lateral movement, or ransomware deployment.","title":"PowerShell Share Enumeration via ShareFinder or Native APIs","url":"https://feed.craftedsignal.io/briefs/2024-01-09-powershell-share-enumeration/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel","PowerShell"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","powershell","remoting"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne"],"content_html":"\u003cp\u003eThis detection identifies potential lateral movement through the exploitation of Windows PowerShell remoting. PowerShell remoting is a feature that enables administrators and attackers to execute commands on remote Windows systems. The detection focuses on identifying incoming network connections on ports 5985 (HTTP) and 5986 (HTTPS), the default ports used for PowerShell Remoting, followed by the execution of processes spawned by \u003ccode\u003ewsmprovhost.exe\u003c/code\u003e, the Windows Remote Management process host. This activity, when originating from unexpected sources, may indicate unauthorized access and lateral movement within a network. 
The rule is designed to detect suspicious activity by monitoring network traffic and process execution, flagging potential unauthorized remote executions, and enabling security teams to respond swiftly.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a network, possibly through phishing or exploiting a vulnerability on an internet-facing system.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages PowerShell remoting to initiate a connection to a target system on ports 5985 or 5986.\u003c/li\u003e\n\u003cli\u003eThe target system accepts the incoming PowerShell Remoting connection.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ewsmprovhost.exe\u003c/code\u003e process is launched on the target system to facilitate the remote PowerShell session.\u003c/li\u003e\n\u003cli\u003eThe attacker executes commands remotely, spawning child processes from \u003ccode\u003ewsmprovhost.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to escalate privileges or move laterally to other systems within the network using the remote PowerShell session.\u003c/li\u003e\n\u003cli\u003eThe attacker uses tools such as \u003ccode\u003enet.exe\u003c/code\u003e or \u003ccode\u003ePsExec\u003c/code\u003e over the remote PowerShell session to further propagate.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or deploying ransomware, by leveraging the established remote session.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of PowerShell Remoting for lateral movement can lead to widespread compromise within an organization. An attacker could gain control over multiple systems, potentially leading to data breaches, system outages, or ransomware deployment. 
The number of affected systems could range from a few critical servers to a significant portion of the network, depending on the attacker\u0026rsquo;s objectives and the organization\u0026rsquo;s security posture. The impact could include financial losses, reputational damage, and disruption of business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eIncoming Execution via PowerShell Remoting\u003c/code\u003e to your SIEM to detect suspicious PowerShell remoting activity and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor network connections to ports 5985 and 5986, and investigate any unauthorized or unexpected traffic using the \u003ccode\u003enetwork_connection\u003c/code\u003e log source.\u003c/li\u003e\n\u003cli\u003eInvestigate processes spawned by \u003ccode\u003ewsmprovhost.exe\u003c/code\u003e for unusual or malicious activity using the \u003ccode\u003eprocess_creation\u003c/code\u003e log source.\u003c/li\u003e\n\u003cli\u003eWhitelist authorized administrative IP addresses or user accounts that frequently perform remote management tasks, as mentioned in the false positives analysis.\u003c/li\u003e\n\u003cli\u003eReview and document automated scripts or scheduled tasks that use PowerShell Remoting for system maintenance, then create exceptions for their specific process names or execution paths.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:53:23Z","date_published":"2024-01-03T18:53:23Z","id":"/briefs/2024-01-03-powershell-remoting/","summary":"This rule identifies remote execution via Windows PowerShell remoting, which allows a user to run any Windows PowerShell command on one or more remote computers, potentially indicating lateral movement.","title":"Incoming Execution via PowerShell 
Remoting","url":"https://feed.craftedsignal.io/briefs/2024-01-03-powershell-remoting/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["PowerShell","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["process-injection","powershell","pinvoke","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThis detection identifies PowerShell scripts leveraging the P/Invoke (Platform Invoke) technology to perform process injection. P/Invoke allows managed code (like PowerShell) to call unmanaged functions exported from DLLs, including critical Windows API functions. Attackers use this to inject malicious code into legitimate processes for evasion and persistence. The detection focuses on identifying specific API chains commonly used in process injection techniques, such as allocating memory in a target process (VirtualAlloc), writing malicious code into the allocated memory (WriteProcessMemory), and executing the injected code (CreateRemoteThread). This activity is often associated with malware deployment, privilege escalation, and defense evasion. 
The detection logic is designed to identify these API chains either at the compile phase using Add-Type or during the execution phase, alerting on suspicious PowerShell behavior.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003ePowerShell is invoked to execute a malicious script.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script uses Add-Type and DllImport to declare external functions from Windows DLLs, including kernel32.dll and ntdll.dll.\u003c/li\u003e\n\u003cli\u003eThe script uses functions such as OpenProcess to gain a handle to a target process.\u003c/li\u003e\n\u003cli\u003eVirtualAllocEx is called to allocate memory within the target process.\u003c/li\u003e\n\u003cli\u003eWriteProcessMemory is used to write malicious code into the allocated memory region of the target process.\u003c/li\u003e\n\u003cli\u003eCreateRemoteThread is called to create a new thread within the target process, pointing to the injected code.\u003c/li\u003e\n\u003cli\u003eThe injected code executes within the context of the target process, achieving code execution and potential privilege escalation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful process injection allows attackers to execute arbitrary code within the context of a trusted process, bypassing security controls and potentially gaining elevated privileges. This can lead to data theft, system compromise, or further propagation within the network. The use of PowerShell and P/Invoke makes detection more challenging, as the activity can blend in with legitimate system administration tasks. 
A successful attack could lead to the deployment of a VIP Keylogger or other malware, as noted in the provided references.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging (Event ID 4104) to provide the necessary data for detection (data_source).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003ePowerShell PInvoke Process Injection\u003c/code\u003e to your SIEM and tune the rule to your environment (rules).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the specific API chains identified in the \u003ccode\u003edetection\u003c/code\u003e section of the rule.\u003c/li\u003e\n\u003cli\u003eReview PowerShell execution policies and restrict the execution of unsigned scripts to reduce the attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:23:00Z","date_published":"2024-01-03T18:23:00Z","id":"/briefs/2024-01-powershell-pinvoke-process-injection/","summary":"This analytic detects PowerShell code that uses P/Invoke to call Windows API functions associated with process injection, such as VirtualAlloc, WriteProcessMemory, and CreateRemoteThread, indicating potential malicious activity.","title":"PowerShell P/Invoke Process Injection API Chain Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-powershell-pinvoke-process-injection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["PowerShell"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","file-download","powershell","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers frequently use PowerShell, a legitimate administration tool, to download malicious payloads into compromised systems. This technique allows them to bypass traditional security measures by leveraging a trusted tool. 
This activity often occurs during the command and control phase, where attackers introduce additional tooling or malware for further exploitation. This rule identifies instances where PowerShell downloads executable and script files from untrusted remote destinations. It does this by correlating network and file events, specifically looking for PowerShell processes initiating network connections to non-whitelisted domains followed by the creation of executable or script files. The rule helps defenders identify and respond to potential command and control activity and malware deployment attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system, possibly through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker uses PowerShell (powershell.exe, pwsh.exe, or powershell_ise.exe) to initiate a network connection to a remote domain.\u003c/li\u003e\n\u003cli\u003eThe DNS request is made to a domain not in the allowed list (e.g., not *.microsoft.com, *.azureedge.net, etc.).\u003c/li\u003e\n\u003cli\u003ePowerShell downloads a file with an executable extension (e.g., .exe, .dll, .ps1, .bat) or a file with an MZ header.\u003c/li\u003e\n\u003cli\u003eThe downloaded file is saved to disk.\u003c/li\u003e\n\u003cli\u003eThe file is saved to a location that is not excluded by the rule, filtering out commonly used temporary directories.\u003c/li\u003e\n\u003cli\u003eThe downloaded executable or script is then executed, leading to further malicious activities.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence, lateral movement, or data exfiltration depending on the downloaded payload.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the introduction of malware, backdoors, or other malicious tools into the compromised system. 
This can enable attackers to perform a wide range of malicious activities, including data theft, system compromise, and further propagation within the network. The compromised system can become a beachhead for further attacks, potentially impacting numerous systems and leading to significant financial and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003ePowerShell Remote File Download\u003c/code\u003e to detect PowerShell processes downloading executable files from untrusted remote destinations by correlating network and file creation events.\u003c/li\u003e\n\u003cli\u003eEnable Elastic Defend to provide the necessary network and file event data for the rule to function correctly as noted in the \u003ca href=\"https://ela.st/install-elastic-defend\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the parent process of the PowerShell process, the reputation of the downloaded file, and any other suspicious activities on the affected host, as per the investigation guide in the rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eReview and customize the whitelisted domains in the Sigma rule to match your organization\u0026rsquo;s specific environment and trusted external resources, as described in the \u003ccode\u003equery\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eBlock the identified malicious domains or IP addresses at the network perimeter to prevent further downloads.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:25:00Z","date_published":"2024-01-03T15:25:00Z","id":"/briefs/2024-01-remote-file-download-powershell/","summary":"Detects PowerShell being used to download executable files from untrusted remote destinations, a common technique for attackers to introduce tooling or malware into a 
compromised environment.","title":"Remote File Download via PowerShell","url":"https://feed.craftedsignal.io/briefs/2024-01-remote-file-download-powershell/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["PowerShell"],"_cs_severities":["high"],"_cs_tags":["process-injection","powershell","pinvoke"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis brief focuses on the detection of PowerShell scripts utilizing Platform Invoke (P/Invoke) to perform process injection. P/Invoke allows managed code (PowerShell) to call native, unmanaged code (Windows API functions). Adversaries leverage this capability to inject malicious code into other processes, bypassing traditional defenses. This activity is identified through PowerShell script block logging (Event ID 4104). The detection strategy covers both the compile phase (detecting inline .NET class definitions with DllImport declarations) and the execution phase (detecting static method invocation patterns using ::MethodName syntax with execution context indicators). This ensures broad coverage, even when pre-compiled assemblies are loaded. 
The techniques detected cover a wide range of process injection methods, increasing the likelihood of detection against various attack vectors.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker executes a PowerShell script containing malicious code designed for process injection.\u003c/li\u003e\n\u003cli\u003eThe script uses \u003ccode\u003eAdd-Type -TypeDefinition\u003c/code\u003e to define a .NET class inline, embedding C# source code that includes \u003ccode\u003e[DllImport]\u003c/code\u003e declarations for Windows API functions.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eDllImport\u003c/code\u003e attribute specifies the native DLL (e.g., kernel32.dll, ntdll.dll) and the function name to import.\u003c/li\u003e\n\u003cli\u003eThe script declares external functions like \u003ccode\u003eVirtualAlloc\u003c/code\u003e, \u003ccode\u003eWriteProcessMemory\u003c/code\u003e, \u003ccode\u003eCreateRemoteThread\u003c/code\u003e, \u003ccode\u003eNtCreateSection\u003c/code\u003e, and \u003ccode\u003eNtMapViewOfSection\u003c/code\u003e using \u003ccode\u003eextern \u0026lt;ReturnType\u0026gt; \u0026lt;FunctionName\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe script uses static method invocation (e.g., \u003ccode\u003e[IntPtr]::Zero\u003c/code\u003e, \u003ccode\u003e[Marshal]::Copy\u003c/code\u003e) to call the declared functions.\u003c/li\u003e\n\u003cli\u003eThe script allocates memory in the target process using \u003ccode\u003eVirtualAllocEx\u003c/code\u003e or \u003ccode\u003eNtAllocateVirtualMemory\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malicious code (shellcode or DLL) is written to the allocated memory using \u003ccode\u003eWriteProcessMemory\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eA new thread is created in the target process to execute the injected code using \u003ccode\u003eCreateRemoteThread\u003c/code\u003e or 
\u003ccode\u003eRtlCreateUserThread\u003c/code\u003e. Alternatively, APC injection uses \u003ccode\u003eQueueUserAPC\u003c/code\u003e to queue an Asynchronous Procedure Call in the target process.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful process injection allows attackers to execute arbitrary code within the context of a legitimate process. This can lead to privilege escalation, credential theft, and persistence. Process injection can also be used to bypass security software and gain unauthorized access to sensitive data. This technique has been observed in malware campaigns associated with VIP Keylogger and similar threats, leading to data exfiltration and system compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell script block logging (Event ID 4104) to capture the necessary data for detection.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect malicious PowerShell scripts using P/Invoke for process injection.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules, focusing on processes that exhibit suspicious API call patterns.\u003c/li\u003e\n\u003cli\u003eReview and tune the Sigma rules based on your environment to minimize false positives and ensure accurate detection.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-powershell-pinvoke-injection/","summary":"This brief details detection of PowerShell scripts leveraging P/Invoke API calls to perform process injection, covering techniques like self-injection, remote thread injection, APC injection, thread-context hijacking, process hollowing, section-map injection, reflective DLL loading, and DLL injection.","title":"PowerShell P/Invoke API Chain for Process 
Injection","url":"https://feed.craftedsignal.io/briefs/2024-01-powershell-pinvoke-injection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["PowerShell"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","powershell","obfuscation","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies PowerShell scripts that repeatedly concatenate quoted string literals using the \u003ccode\u003e+\u003c/code\u003e operator. Attackers use this technique to obfuscate malicious commands, URLs, or tokens, thereby evading static analysis and Anti-Malware Scan Interface (AMSI). The rule focuses on scripts with a script block length greater than 500 characters to reduce false positives. Successful exploitation allows attackers to execute malicious code without detection. This behavior matters for defenders as it bypasses traditional security measures that rely on static code analysis. This rule has been in production since 2025 and was updated in April 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means (e.g., phishing, exploit).\u003c/li\u003e\n\u003cli\u003eThe attacker uploads or introduces a PowerShell script containing obfuscated code via string concatenation.\u003c/li\u003e\n\u003cli\u003eThe script is executed using \u003ccode\u003epowershell.exe\u003c/code\u003e, potentially with arguments to bypass execution policies.\u003c/li\u003e\n\u003cli\u003ePowerShell interprets the script, which dynamically assembles commands by concatenating multiple string literals.\u003c/li\u003e\n\u003cli\u003eThe dynamically assembled commands execute malicious actions, such as downloading a payload from a remote server.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload is saved to disk or executed directly in memory.\u003c/li\u003e\n\u003cli\u003eThe payload establishes 
persistence using registry keys or scheduled tasks.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful obfuscation can lead to the execution of arbitrary code, bypassing security measures, and potentially leading to system compromise. Consequences include data theft, system disruption, or ransomware deployment. The number of potential victims is broad, encompassing any Windows system running PowerShell. This technique can affect any sector.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging to capture the full script content (referenced in the rule\u0026rsquo;s \u003ccode\u003eData Source: PowerShell Logs\u003c/code\u003e tag and the \u003ccode\u003esetup\u003c/code\u003e section of the source).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM and tune the \u003ccode\u003eEsql.script_block_pattern_count\u003c/code\u003e threshold based on your environment (see \u003ccode\u003erules\u003c/code\u003e section below).\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by this rule, focusing on the reconstructed PowerShell script and its execution context (see \u003ccode\u003enote\u003c/code\u003e section of the source).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-posh-string-concat/","summary":"This rule detects PowerShell scripts employing string concatenation to evade static analysis and AMSI by fragmenting keywords or URLs at runtime.","title":"PowerShell Obfuscation via String 
Concatenation","url":"https://feed.craftedsignal.io/briefs/2024-01-posh-string-concat/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["PowerShell"],"_cs_severities":["high"],"_cs_tags":["credential-access","powershell","minidump","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis rule detects PowerShell scripts that contain references to MiniDumpWriteDump, MiniDumpWithFullMemory, or obfuscated versions of these strings (e.g., pmuDetirWpmuDiniM). Attackers can leverage these functions to create memory dumps of processes, including sensitive processes such as LSASS, which contains cached credentials. The dumping of LSASS memory allows attackers to extract credentials for lateral movement and privilege escalation within a compromised network. The rule is designed to detect scripts utilizing these techniques, providing an early warning sign of potential credential theft attempts. The rule leverages PowerShell script block logging (event ID 4104). The original rule was created in 2021 and updated in April 2026 according to the source.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means, such as phishing, exploiting a vulnerability, or using compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a PowerShell script on the target system. 
This script may be directly executed or injected into an existing PowerShell process.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script contains code that references MiniDumpWriteDump or MiniDumpWithFullMemory, or an obfuscated variant, indicating an intention to create a memory dump.\u003c/li\u003e\n\u003cli\u003eThe script identifies a target process, often LSASS (lsass.exe), or iterates through running processes to select a target.\u003c/li\u003e\n\u003cli\u003eUsing the MiniDumpWriteDump function, the script creates a memory dump of the targeted process.\u003c/li\u003e\n\u003cli\u003eThe memory dump is saved to a file on the system, potentially in a location that is easily accessible to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker may then compress or encrypt the dump file to avoid detection and prepare it for exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the memory dump from the compromised system for offline analysis and credential extraction.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of this attack can lead to the compromise of sensitive credentials stored in memory, such as domain administrator accounts. This can enable attackers to move laterally within the network, escalate privileges, and gain access to critical systems and data. The impact could include data breaches, financial losses, and reputational damage. The number of victims can vary depending on the scope of the initial compromise and the effectiveness of the attacker\u0026rsquo;s lateral movement.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging (event ID 4104) to capture the necessary events for detection. 
Reference: \u003ca href=\"https://atc-project.org/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md\"\u003ehttps://atc-project.org/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;PowerShell MiniDump Script\u0026rdquo; to your SIEM and tune for your environment to detect suspicious PowerShell scripts.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the script content, target process, and output file. Use the investigation steps provided in the rule\u0026rsquo;s documentation.\u003c/li\u003e\n\u003cli\u003eMonitor for file creation events related to memory dumps (e.g., *.dmp files) and analyze these files for sensitive information.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and privilege management to limit the potential impact of credential theft.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-powershell-minidump/","summary":"This brief detects PowerShell scripts that reference MiniDumpWriteDump or full-memory minidump types, potentially used to capture process memory from credential-bearing processes like LSASS.","title":"PowerShell MiniDump Script Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-powershell-minidump/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["PowerShell"],"_cs_severities":["high"],"_cs_tags":["powershell","reflection","dotnet","memory-injection","attack.execution","attack.t1059.001"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief addresses the use of PowerShell to load .NET assemblies into memory using reflection, a technique frequently observed in advanced attacks. 
Threat actors, including those employing frameworks like Empire and Cobalt Strike, utilize this method to execute code directly in memory, evading traditional file-based security controls. The detection strategy focuses on PowerShell Script Block Logging (EventCode=4104), which captures the full commands executed, enabling analysis for specific reflection-related keywords. This behavior is a strong indicator of potential malicious activity, as it allows for unauthorized code execution, privilege escalation, and persistent access. Defenders should prioritize detection and response to such events to mitigate the risk of compromise. The technique allows attackers to bypass traditional defenses, execute code in memory, and potentially establish persistence within the targeted environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains initial access to the system, possibly through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003ePowerShell Execution: The attacker executes PowerShell, often obfuscated or encoded, to avoid detection.\u003c/li\u003e\n\u003cli\u003eReflection Assembly Loading: The PowerShell script uses reflection techniques, such as \u003ccode\u003e[System.Reflection.Assembly]::Load()\u003c/code\u003e, to load a .NET assembly directly into memory.\u003c/li\u003e\n\u003cli\u003eBypassing Security Controls: The in-memory execution bypasses traditional security controls that scan files on disk.\u003c/li\u003e\n\u003cli\u003eMalicious Code Execution: The loaded assembly contains malicious code, which could be a payload for lateral movement, data exfiltration, or other malicious activities.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The malicious code may attempt to escalate privileges to gain higher-level access to the system.\u003c/li\u003e\n\u003cli\u003ePersistence: The attacker establishes persistence by creating scheduled tasks or 
modifying registry keys.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker uses the compromised system as a springboard to move laterally within the network, compromising additional systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized code execution, privilege escalation, and persistent access within the environment. By loading .NET assemblies directly into memory, attackers can bypass traditional file-based security controls, making detection more challenging. This technique is often employed in advanced attacks, potentially affecting numerous systems across the network, leading to significant data breaches and system compromise. While specific victim counts are not available, the impact is considered high due to the potential for widespread damage and data loss.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging (EventCode=4104) on all endpoints to capture the full commands executed, as referenced in the description.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect PowerShell scripts loading .NET assemblies into memory via reflection.\u003c/li\u003e\n\u003cli\u003eInvestigate and remediate any alerts generated by the Sigma rules, prioritizing systems with high-value data or critical functions.\u003c/li\u003e\n\u003cli\u003eRegularly review and update PowerShell execution policies to restrict the execution of unsigned or untrusted scripts.\u003c/li\u003e\n\u003cli\u003eMonitor PowerShell logs for suspicious activity, such as the use of reflection techniques to load assemblies from unusual locations.\u003c/li\u003e\n\u003cli\u003eConsult the references provided, specifically the Microsoft .NET API documentation and the Palantir article on event tracing, to deepen your understanding of the attack techniques and potential 
mitigations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-03-powershell-reflection-load/","summary":"This analytic detects PowerShell scripts leveraging .NET reflection to load assemblies into memory, a technique commonly used by threat actors to bypass defenses and execute malicious code.","title":"PowerShell Loading .NET Assemblies via Reflection","url":"https://feed.craftedsignal.io/briefs/2024-01-03-powershell-reflection-load/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["windows","PowerShell"],"_cs_severities":["high"],"_cs_tags":["powershell","obfuscation","defense-evasion","variable-expansion","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft"],"content_html":"\u003cp\u003eThis rule detects PowerShell scripts employing backtick-escaped characters within \u003ccode\u003e${}\u003c/code\u003e variable expansion, a technique used to reconstruct strings at runtime. Attackers leverage variable-expansion obfuscation to split keywords, conceal commands, and bypass static analysis and AMSI (Antimalware Scan Interface). This obfuscation method involves inserting multiple backticks between word characters inside \u003ccode\u003e${}\u003c/code\u003e blocks. Detecting this behavior is crucial as it signifies attempts to evade security measures and potentially execute malicious code on compromised systems. 
The rule focuses on identifying scripts with a length exceeding 500 characters to minimize false positives and targets PowerShell event code 4104.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system, potentially through phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads or creates a PowerShell script on the target system.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script employs backtick-escaped variable expansion (e.g., \u003ccode\u003e$env:use``r``na``me\u003c/code\u003e) to obfuscate its contents.\u003c/li\u003e\n\u003cli\u003eThe obfuscated script is executed using powershell.exe.\u003c/li\u003e\n\u003cli\u003eThe script dynamically reconstructs commands and strings by evaluating the backtick-escaped variables.\u003c/li\u003e\n\u003cli\u003eThe reconstructed commands perform malicious activities, such as downloading additional payloads or modifying system configurations.\u003c/li\u003e\n\u003cli\u003eThe script attempts to evade detection by AMSI and other security tools.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence and control over the compromised system, potentially leading to data exfiltration or further lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution, system compromise, and data theft. While the number of victims is unknown, PowerShell is a common attack vector on Windows environments. The sectors most affected are organizations relying on Windows infrastructure without adequate PowerShell monitoring and security controls. 
Failure to detect and prevent this technique allows attackers to bypass security measures and gain unauthorized access to sensitive data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging to generate event code 4104. (Reference: Setup section)\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect PowerShell Backtick Variable Obfuscation\u003c/code\u003e to identify scripts using backtick-escaped variable expansion.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on scripts with a high \u003ccode\u003eEsql.script_block_pattern_count\u003c/code\u003e value.\u003c/li\u003e\n\u003cli\u003eMonitor for process creation events where powershell.exe executes obfuscated commands as detected by the Sigma rule \u003ccode\u003eDetect Suspicious PowerShell Encoded Commands\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eReview PowerShell logs for event code 4104 and examine \u003ccode\u003epowershell.file.script_block_text\u003c/code\u003e for suspicious patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T10:00:00Z","date_published":"2024-01-02T10:00:00Z","id":"/briefs/2024-01-powershell-backtick-obfuscation/","summary":"PowerShell scripts use backtick-escaped characters inside `${}` variable expansion to reconstruct strings at runtime, enabling attackers to split keywords, hide commands, and evade static analysis and AMSI.","title":"PowerShell Obfuscation via Backtick-Escaped Variable Expansion","url":"https://feed.craftedsignal.io/briefs/2024-01-powershell-backtick-obfuscation/"}],"language":"en","title":"CraftedSignal Threat Feed — PowerShell","version":"https://jsonfeed.org/version/1.1"}