{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/invoke-expression/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["powershell","environment-variable","invoke-expression","execution"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers are increasingly leveraging PowerShell to execute malicious code embedded within environment variables. This method involves storing commands or encoded content in environment variables and then using \u003ccode\u003eInvoke-Expression\u003c/code\u003e (or its alias \u003ccode\u003eiex\u003c/code\u003e) to dynamically construct and execute code at runtime. This tactic is employed to evade traditional static analysis techniques and conceal the true intent of the executed code. Observed in malware loaders and stagers, including those associated with the VIP Keylogger campaign, this technique is a significant threat. Defenders should be aware of this trend and implement appropriate detection mechanisms. The focus is on identifying PowerShell scripts that combine environment variable access (\u003ccode\u003e$env:\u003c/code\u003e) with \u003ccode\u003eInvoke-Expression\u003c/code\u003e or its aliases, based on PowerShell Script Block Logging (Event ID 4104).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system, possibly through phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003ePowerShell is invoked, either directly or indirectly, via a script or another process.\u003c/li\u003e\n\u003cli\u003eThe attacker sets an environment variable containing malicious code or a command. This might involve using \u003ccode\u003e[Environment]::SetEnvironmentVariable\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eA PowerShell script is executed that reads the content of the environment variable using \u003ccode\u003e$env:\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe content read from the environment variable is passed to \u003ccode\u003eInvoke-Expression\u003c/code\u003e or its alias \u003ccode\u003eiex\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eInvoke-Expression\u003c/code\u003e dynamically executes the code, effectively bypassing static analysis.\u003c/li\u003e\n\u003cli\u003eThe executed code downloads and executes a secondary payload, such as a keylogger or a remote access tool.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as stealing credentials or establishing persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the execution of arbitrary code on the compromised system, allowing attackers to install malware, steal sensitive data, or establish a persistent foothold. The VIP Keylogger campaign, for example, demonstrates how this technique can be used to harvest user credentials. Due to the obfuscated nature of this attack, it is difficult to detect and remediate, often leading to extended dwell time for the attacker. Compromised systems can be further used as a launchpad for attacks against other systems within the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging (Event ID 4104) on all Windows systems to capture the de-obfuscated script blocks before execution.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect PowerShell scripts that access environment variables and use \u003ccode\u003eInvoke-Expression\u003c/code\u003e or its aliases. Tune these rules to your environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules to determine if malicious activity is occurring.\u003c/li\u003e\n\u003cli\u003eMonitor PowerShell execution for suspicious environment variable access and dynamic code execution.\u003c/li\u003e\n\u003cli\u003eImplement application control to prevent the execution of unauthorized PowerShell scripts.\u003c/li\u003e\n\u003cli\u003eReview and harden PowerShell execution policies to limit the attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-powershell-env-var-execution/","summary":"Adversaries use PowerShell to execute malicious code stored in environment variables, leveraging Invoke-Expression or its aliases to bypass static analysis and execute payloads dynamically, as seen in malware loaders and stagers like the VIP Keylogger.","title":"PowerShell Execution via Environment Variables","url":"https://feed.craftedsignal.io/briefs/2024-01-powershell-env-var-execution/"}],"language":"en","title":"CraftedSignal Threat Feed — Invoke-Expression","version":"https://jsonfeed.org/version/1.1"}