{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/ninjacopy/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["credential-access","powershell","ninjacopy"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eInvoke-NinjaCopy is a PowerShell script used to perform direct volume file access, enabling attackers to bypass traditional file access controls. This technique allows reading locked system files, such as the NTDS.dit or registry hives, which are essential for credential dumping. The script, often incorporated into post-exploitation frameworks like Empire, leverages stealth functions to minimize detection. Defenders need to monitor PowerShell script block content for the presence of Invoke-NinjaCopy or related \u0026ldquo;Stealth*\u0026rdquo; functions to identify potential credential access attempts. This activity is typically observed in Windows environments where attackers attempt to escalate privileges or move laterally within a network. The use of NinjaCopy allows attackers to grab sensitive data without being blocked by standard security measures.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a PowerShell script, either directly or through a command-line interface.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script contains the Invoke-NinjaCopy function or the related StealthReadFile and StealthOpenFile functions.\u003c/li\u003e\n\u003cli\u003eThe script utilizes the StealthOpenFile function to directly access the volume where the target file resides (e.g., NTDS.dit).\u003c/li\u003e\n\u003cli\u003eStealthReadFile is used to read the contents of the target file, bypassing standard file access controls.\u003c/li\u003e\n\u003cli\u003eThe script copies the contents of the NTDS.dit or registry hives to a temporary location.\u003c/li\u003e\n\u003cli\u003eThe attacker dumps credentials from the copied NTDS.dit file using tools like secretsdump.py or other credential harvesting tools.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the harvested credentials to escalate privileges or move laterally within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the compromise of domain credentials, granting the attacker access to sensitive information and systems. Credential dumping from NTDS.dit or registry hives can expose user accounts, service accounts, and other privileged credentials. The impact ranges from data breaches and financial losses to complete network compromise and disruption of services. If successful, attackers may gain persistent access and control over critical infrastructure, potentially affecting thousands of users and systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging and monitor event ID 4104 for script content containing \u003ccode\u003eInvoke-NinjaCopy\u003c/code\u003e, \u003ccode\u003eStealthReadFile\u003c/code\u003e, \u003ccode\u003eStealthOpenFile\u003c/code\u003e, or \u003ccode\u003eStealthCloseFileDelegate\u003c/code\u003e, as described in the Overview.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;PowerShell Invoke-NinjaCopy script\u0026rdquo; to your SIEM and tune the rule for false positives in your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any PowerShell processes with command-line arguments that contain the identified keywords to identify potential attacker activity as outlined in the Attack Chain.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls on sensitive files like \u003ccode\u003eNTDS.dit\u003c/code\u003e and registry hives to limit the impact of successful credential access attempts.\u003c/li\u003e\n\u003cli\u003eReview PowerShell execution policies to prevent the execution of unsigned or untrusted scripts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T14:27:00Z","date_published":"2024-01-09T14:27:00Z","id":"/briefs/2024-01-09-invoke-ninjacopy/","summary":"The Invoke-NinjaCopy PowerShell script is used by attackers to directly access volume files, such as NTDS.dit or registry hives, for credential dumping.","title":"PowerShell Invoke-NinjaCopy Script Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-09-invoke-ninjacopy/"}],"language":"en","title":"CraftedSignal Threat Feed — Ninjacopy","version":"https://jsonfeed.org/version/1.1"}