{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/non-interactive/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows","PowerShell","Visual Studio Code","Windows Terminal"],"_cs_severities":["medium"],"_cs_tags":["powershell","execution","non-interactive"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies instances of PowerShell (powershell.exe or pwsh.exe) being launched by parent processes typically associated with non-interactive or automated execution environments. This scenario can be indicative of malicious activity where attackers leverage PowerShell for command execution, script deployment, or lateral movement without requiring direct user interaction. This activity is often seen when adversaries attempt to bypass traditional security measures that rely on user-initiated processes. The detection specifically focuses on identifying PowerShell processes with parent processes such as explorer.exe, CompatTelRunner.exe, SetupHost.exe (during Windows updates), or processes related to VS Code or Windows Terminal, after excluding common benign scenarios.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains initial access to the system through an exploit, or other means (not covered in the source).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (Optional):\u003c/strong\u003e The attacker may use exploits or other techniques to elevate privileges to gain SYSTEM or administrator rights.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eNon-Interactive Process Spawn:\u003c/strong\u003e A non-interactive process such as \u003ccode\u003eexplorer.exe\u003c/code\u003e or \u003ccode\u003eCompatTelRunner.exe\u003c/code\u003e spawns a PowerShell process (\u003ccode\u003epowershell.exe\u003c/code\u003e or \u003ccode\u003epwsh.exe\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePowerShell Execution:\u003c/strong\u003e The PowerShell process executes malicious commands or scripts, potentially downloaded from an external source or embedded within the initial exploit.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion:\u003c/strong\u003e PowerShell is used to disable security controls, bypass execution policies, or obfuscate malicious code.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e PowerShell is leveraged to move laterally to other systems within the network by using techniques such as WMI or SMB.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control:\u003c/strong\u003e The compromised system connects to a command and control server using PowerShell to establish a persistent backdoor.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration/Ransomware:\u003c/strong\u003e The attacker uses PowerShell to exfiltrate sensitive data or deploy ransomware across the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to a wide range of malicious activities, including data theft, system compromise, and ransomware deployment. The impact can range from minor data breaches to complete network compromise, depending on the attacker's objectives and the organization's security posture. Affected systems may be rendered unusable, resulting in significant financial and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Suspicious Non-Interactive PowerShell Process Creation\u0026quot; to your SIEM (Security Information and Event Management) to detect potential malicious PowerShell execution.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, paying close attention to the parent process and the executed PowerShell commands.\u003c/li\u003e\n\u003cli\u003eEnable and review process creation logs in Windows to provide the necessary data for the Sigma rule to function effectively.\u003c/li\u003e\n\u003cli\u003eConsider implementing PowerShell Constrained Language Mode to limit the capabilities of PowerShell and prevent malicious scripts from executing (reference the general technique of restricting PowerShell usage).\u003c/li\u003e\n\u003cli\u003eHarden endpoints to prevent initial access using standard security best practices.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:22:00Z","date_published":"2024-01-03T14:22:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-non-interactive-powershell/","summary":"Detects PowerShell processes spawned by non-interactive parent processes, potentially indicating malicious script execution or automation bypassing user interaction.","title":"Suspicious Non-Interactive PowerShell Process Creation","url":"https://feed.craftedsignal.io/briefs/2024-01-03-non-interactive-powershell/"}],"language":"en","title":"CraftedSignal Threat Feed - Non-Interactive","version":"https://jsonfeed.org/version/1.1"}