{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/powershell/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Intune Management Extension","Azure AD Connect Health Agent","Windows Defender Advanced Threat Protection"],"_cs_severities":["low"],"_cs_tags":["defense-evasion","powershell","obfuscation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers frequently employ PowerShell obfuscation techniques to evade detection and hinder analysis. These techniques involve encoding, encrypting, or compressing PowerShell scripts to mask their true intent. This detection identifies PowerShell script blocks exhibiting high entropy and non-uniform character distributions, statistical characteristics often associated with obfuscated content. The rule specifically targets script blocks longer than 1000 characters with entropy bits \u0026gt;= 5.5 and surprisal standard deviation \u0026gt; 0.7. This detection is designed to highlight potentially malicious PowerShell activity that warrants further investigation by security analysts and incident responders. 
This rule was created by Elastic and last updated on May 4, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system (e.g., via phishing or exploit).\u003c/li\u003e\n\u003cli\u003eThe attacker leverages PowerShell, a built-in Windows scripting language, to execute malicious commands.\u003c/li\u003e\n\u003cli\u003eThe attacker uses obfuscation techniques (encoding, encryption, compression) to disguise the PowerShell script\u0026rsquo;s true intent.\u003c/li\u003e\n\u003cli\u003eThe obfuscated script is executed, bypassing basic signature-based detections.\u003c/li\u003e\n\u003cli\u003eThe script may download and execute additional payloads or establish persistence.\u003c/li\u003e\n\u003cli\u003eThe script performs malicious actions such as data exfiltration, lateral movement, or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using obfuscated PowerShell can lead to various negative impacts, including data breaches, system compromise, and disruption of services. The low severity reflects the need for further analysis to confirm malicious intent, given potential false positives from legitimate encoded scripts. 
While the exact number of affected systems and sectors is unknown, the widespread use of PowerShell makes this a potentially significant threat across many organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging to generate the necessary events (4104) as outlined in the setup instructions: \u003ca href=\"https://ela.st/powershell-logging-setup\"\u003ehttps://ela.st/powershell-logging-setup\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM and tune the thresholds (\u003ccode\u003epowershell.file.script_block_length\u003c/code\u003e, \u003ccode\u003epowershell.file.script_block_entropy_bits\u003c/code\u003e, \u003ccode\u003epowershell.file.script_block_surprisal_stdev\u003c/code\u003e) based on your environment\u0026rsquo;s baseline.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the Sigma rule, focusing on execution context (\u003ccode\u003euser.name\u003c/code\u003e, \u003ccode\u003ehost.name\u003c/code\u003e), script provenance (\u003ccode\u003efile.path\u003c/code\u003e), and reconstructed script content (\u003ccode\u003epowershell.file.script_block_text\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eReview the investigation guide within the rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e section for detailed triage and analysis steps.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:49:36Z","date_published":"2026-05-04T14:49:36Z","id":"/briefs/2026-06-high-entropy-powershell/","summary":"This detection identifies potentially obfuscated PowerShell scripts based on high entropy and non-uniform character distributions, often used by attackers to evade signature-based detections and hinder analysis.","title":"Potential PowerShell Obfuscated Script via High 
Entropy","url":"https://feed.craftedsignal.io/briefs/2026-06-high-entropy-powershell/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","Sysmon","Crowdstrike","SentinelOne Cloud Funnel","Elastic Endgame"],"_cs_severities":["medium"],"_cs_tags":["powershell","malware","execution"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThis detection rule identifies the execution of PowerShell with suspicious argument values on Windows systems. This behavior is frequently associated with malware installation and other malicious activities. PowerShell is a powerful scripting language, and adversaries often exploit its capabilities to execute malicious scripts, download payloads, and obfuscate commands. The rule focuses on detecting patterns such as encoded commands, suspicious downloads (e.g., using WebClient or Invoke-WebRequest), and various obfuscation techniques used to evade detection. The rule is designed to work with various data sources, including Elastic Defend, Windows Security Event Logs, Sysmon, and third-party EDR solutions like CrowdStrike, Microsoft Defender XDR, and SentinelOne, enhancing its applicability across different environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker uses PowerShell to download a malicious payload from a remote server using commands like \u003ccode\u003eDownloadFile\u003c/code\u003e or \u003ccode\u003eDownloadString\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload is often encoded or obfuscated to evade detection. 
Common techniques include Base64 encoding, character manipulation, and compression.\u003c/li\u003e\n\u003cli\u003ePowerShell is then used to decode or deobfuscate the payload using methods like \u003ccode\u003e[Convert]::FromBase64String\u003c/code\u003e or \u003ccode\u003e[char[]](...) -join ''\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe deobfuscated payload is executed directly in memory using techniques like \u003ccode\u003eiex\u003c/code\u003e (Invoke-Expression) or \u003ccode\u003eReflection.Assembly.Load\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe executed payload performs malicious actions, such as installing malware, establishing persistence, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker may use techniques like \u003ccode\u003eWebClient\u003c/code\u003e to download files from a remote URL.\u003c/li\u003e\n\u003cli\u003eCommands like \u003ccode\u003enslookup -q=txt\u003c/code\u003e are used for command and control.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to malware installation, data theft, system compromise, and further propagation of the attack within the network. The detection of suspicious PowerShell arguments helps to identify and prevent these malicious activities before significant damage can occur. Without proper detection, attackers can maintain persistence, escalate privileges, and compromise sensitive data. 
The rule helps defenders identify and respond to these threats quickly, minimizing the impact of potential attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect suspicious PowerShell activity.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging with command line arguments to ensure the necessary data is captured for the Sigma rules to function effectively.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules to determine the legitimacy of the PowerShell activity and take appropriate remediation steps.\u003c/li\u003e\n\u003cli\u003eContinuously tune the Sigma rules based on your environment to reduce false positives and improve detection accuracy.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-09-susp-powershell-args/","summary":"This rule identifies the execution of PowerShell with suspicious argument values, often observed during malware installation, by detecting unusual PowerShell arguments indicative of abuse, focusing on patterns like encoded commands, suspicious downloads, and obfuscation techniques.","title":"Suspicious Windows PowerShell Arguments Detected","url":"https://feed.craftedsignal.io/briefs/2024-09-susp-powershell-args/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-26143"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-26143","powershell","input-validation","bypass-uac","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-26143 describes a vulnerability in Microsoft PowerShell stemming from improper input validation. This flaw could allow a local, unauthorized attacker to bypass security features implemented within PowerShell. 
The vulnerability has a CVSS v3.1 score of 7.8, indicating a high severity. Successful exploitation could lead to significant compromise of the affected system. The vulnerability was reported to Microsoft and assigned CVE-2026-26143. Defenders should prioritize patching affected systems to mitigate the risk. The affected versions of PowerShell are not explicitly stated in the source material, therefore all installations of PowerShell on Windows should be considered potentially vulnerable.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains local access to a Windows system. This could be through existing malware, physical access, or other initial access vectors.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious PowerShell command or script designed to exploit the input validation vulnerability (CVE-2026-26143).\u003c/li\u003e\n\u003cli\u003eThe attacker executes the malicious PowerShell command, bypassing intended security controls due to the input validation flaw.\u003c/li\u003e\n\u003cli\u003ePowerShell processes the crafted input, failing to properly sanitize or validate it.\u003c/li\u003e\n\u003cli\u003eThe bypassed security feature allows the attacker to perform actions that would normally be restricted, such as elevated privileges.\u003c/li\u003e\n\u003cli\u003eAttacker leverages the bypassed security feature to execute unauthorized code or modify system configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker can now maintain persistence via registry keys (T1547.001) or scheduled tasks (T1053.005).\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, which could include data exfiltration, system compromise, or further lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-26143 can allow a local attacker to bypass security features within Microsoft 
PowerShell, potentially leading to arbitrary code execution with elevated privileges. This vulnerability could lead to a full system compromise. The number of potential victims is substantial, as PowerShell is a standard component of Windows operating systems. Systems lacking the security patch are vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update provided by Microsoft for CVE-2026-26143 to remediate the improper input validation vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect Suspicious PowerShell Input Validation Bypass\u0026rdquo; to identify potential exploitation attempts in your environment.\u003c/li\u003e\n\u003cli\u003eMonitor PowerShell execution logs for suspicious command-line arguments and script content, which could indicate an attempt to exploit this vulnerability.\u003c/li\u003e\n\u003cli\u003eRestrict local user access to reduce the attack surface and limit the potential for local exploitation.\u003c/li\u003e\n\u003cli\u003eEnable PowerShell logging and auditing to capture detailed information about PowerShell activity, which can aid in detecting and investigating suspicious behavior.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T12:00:00Z","date_published":"2026-04-15T12:00:00Z","id":"/briefs/2026-04-powershell-input-validation-bypass/","summary":"An improper input validation vulnerability (CVE-2026-26143) in Microsoft PowerShell allows an unauthorized local attacker to bypass security features.","title":"Microsoft PowerShell Improper Input Validation Vulnerability 
(CVE-2026-26143)","url":"https://feed.craftedsignal.io/briefs/2026-04-powershell-input-validation-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","execution","lateral-movement","powershell"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003ePowercat is a PowerShell script that functions similarly to the traditional Netcat utility, allowing for network communication using TCP and UDP. Attackers can use Powercat to establish reverse shells, transfer files, and perform port scanning within a compromised environment. This activity is often employed during post-exploitation phases to maintain access and propagate further into the network. Defenders should be aware of PowerShell scripts invoking Powercat, especially in environments…\u003c/p\u003e\n","date_modified":"2024-11-04T14:27:00Z","date_published":"2024-11-04T14:27:00Z","id":"/briefs/2024-11-powercat-detection/","summary":"Adversaries may leverage Powercat, a PowerShell implementation of Netcat, to establish command and control channels or perform lateral movement within a compromised network.","title":"Powercat PowerShell Implementation Detection","url":"https://feed.craftedsignal.io/briefs/2024-11-powercat-detection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["credential-access","pass-the-hash","ntlm-relay","powershell"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies PowerShell scripts containing artifacts indicative of NTLM relay or pass-the-hash (PtH) attacks. These techniques allow attackers to authenticate to systems without needing plaintext passwords, enabling lateral movement and privilege escalation. 
The rule focuses on identifying specific byte sequences and strings within PowerShell script blocks that suggest NTLM/SMB negotiation and credential access attempts. This detection helps defenders identify and respond to potential credential theft and abuse within their Windows environments. The rule is based on observed techniques used in various publicly available tools such as Invoke-TheHash, Check-LocalAdminHash, and PoshC2.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means such as phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a PowerShell script on the compromised system. This script could be directly executed or obfuscated to evade initial detection.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script attempts to perform NTLM relay or pass-the-hash attacks by utilizing specific byte sequences related to NTLM/SMB negotiation, such as \u003ccode\u003eNTLMSSPNegotiate\u003c/code\u003e or \u003ccode\u003e0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe script may utilize tools like Invoke-WMIExec or Invoke-SMBExec to execute commands on remote systems using the stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to authenticate to other systems on the network using the relayed credentials or password hashes.\u003c/li\u003e\n\u003cli\u003eSuccessful authentication allows the attacker to move laterally, accessing sensitive data or escalating privileges on other systems.\u003c/li\u003e\n\u003cli\u003eThe attacker may deploy additional payloads or establish persistence mechanisms for continued access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful pass-the-hash or NTLM relay attack can grant an attacker unauthorized access to sensitive systems and data within the network. 
This can lead to data breaches, financial loss, or disruption of critical services. The impact could range from compromising a few systems to gaining domain administrator privileges, depending on the attacker\u0026rsquo;s goals and the network\u0026rsquo;s security posture. Organizations can experience significant financial and reputational damage due to data breaches and service disruptions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging to capture the necessary data for this detection. Refer to the setup instructions in the rule documentation for configuration details.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetecting Potential PowerShell Pass-the-Hash/Relay Scripts\u003c/code\u003e to your SIEM and tune it based on your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule to determine the scope and impact of the potential attack. 
Refer to the triage and analysis section in the rule documentation for guidance on investigation steps.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation and access controls to limit the impact of lateral movement.\u003c/li\u003e\n\u003cli\u003eMonitor authentication events (event codes 4624, 4625, 4648) for suspicious activity, such as NTLM authentication from unexpected source IPs or to unusual target systems, as described in the rule\u0026rsquo;s investigation notes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-03T12:00:00Z","date_published":"2024-07-03T12:00:00Z","id":"/briefs/2024-07-powershell-pth-relay/","summary":"This rule detects PowerShell scripts associated with NTLM relay or pass-the-hash tooling and SMB/NTLM negotiation artifacts, indicating potential credential access and lateral movement attempts by attackers.","title":"Detecting Potential PowerShell Pass-the-Hash/Relay Scripts","url":"https://feed.craftedsignal.io/briefs/2024-07-powershell-pth-relay/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Veeam Backup"],"_cs_severities":["medium"],"_cs_tags":["credential-access","veeam","powershell"],"_cs_type":"advisory","_cs_vendors":["Veeam"],"content_html":"\u003cp\u003eThis detection identifies potential credential compromise attempts targeting Veeam Backup software. Attackers may attempt to load the Veeam.Backup.Common.dll library through unauthorized processes, such as PowerShell or unsigned executables, to decrypt and misuse stored credentials. These credentials can then be used to target backups, potentially leading to destructive operations like ransomware attacks. The rule focuses on flagging untrusted or unsigned processes loading the Veeam library, providing an indicator of possible malicious activity. 
The detection logic specifically looks for scenarios where PowerShell or other unusual processes load the Veeam backup library, which deviates from typical administrative or backup-related operations. This activity warrants further investigation to determine if it\u0026rsquo;s part of a credential access attempt.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through unspecified means.\u003c/li\u003e\n\u003cli\u003eThe attacker uses PowerShell (powershell.exe, pwsh.exe, powershell_ise.exe) or another unsigned process to execute malicious commands.\u003c/li\u003e\n\u003cli\u003eThe malicious process attempts to load the Veeam.Backup.Common.dll library.\u003c/li\u003e\n\u003cli\u003eThe Veeam.Backup.Common.dll library is loaded into the process memory.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the loaded library to decrypt stored Veeam credentials.\u003c/li\u003e\n\u003cli\u003eUsing the decrypted credentials, the attacker gains access to Veeam backups.\u003c/li\u003e\n\u003cli\u003eThe attacker may then encrypt, delete, or exfiltrate the backups, leading to data loss or ransomware attacks.\u003c/li\u003e\n\u003cli\u003eThe attacker pivots to other systems using the compromised credentials, further expanding the attack.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to gain access to sensitive Veeam backup data. This can lead to data exfiltration, data encryption, or complete data loss. The impact includes potential ransomware attacks, significant business disruption, and financial losses due to recovery efforts and downtime. 
The compromise of Veeam backups can severely impact an organization\u0026rsquo;s ability to recover from incidents, making it a critical target for attackers.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Veeam Backup Library Loaded by Unusual Process\u0026rdquo; to your SIEM to detect suspicious DLL loads.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the process details and execution history to determine legitimacy.\u003c/li\u003e\n\u003cli\u003eEnable process creation and library load logging to capture the necessary events for the Sigma rule to function correctly.\u003c/li\u003e\n\u003cli\u003eReview and enforce code signing policies to prevent unsigned processes from loading critical libraries like Veeam.Backup.Common.dll.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication for Veeam accounts to mitigate the impact of credential compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-03T14:22:00Z","date_published":"2024-05-03T14:22:00Z","id":"/briefs/2024-05-veeam-credential-access/","summary":"Detects potential credential decryption operations by PowerShell or unsigned processes using the Veeam.Backup.Common.dll library, indicating potential credential access attempts to target backups as part of destructive operations.","title":"Veeam Backup Library Loaded by Unusual Process","url":"https://feed.craftedsignal.io/briefs/2024-05-veeam-credential-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","powershell","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers can try to cover their tracks by clearing the PowerShell console history on Windows systems. 
PowerShell offers multiple ways to log commands, including the built-in history and the command history managed by the PSReadLine module. This activity is often part of post-compromise behavior aimed at evading detection and forensic analysis. This rule detects the execution of specific commands that clear the built-in PowerShell logs or delete the \u003ccode\u003eConsoleHost_history.txt\u003c/code\u003e file. The rule focuses on PowerShell activity and covers scenarios where commands like Clear-History, Remove-Item, rm, and Set-PSReadlineOption are used to manipulate command history.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is gained through an unspecified method, potentially exploiting a vulnerability or using stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker executes PowerShell (powershell.exe, pwsh.exe, or powershell_ise.exe) to perform reconnaissance and other malicious activities.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to clear the PowerShell command history using the \u003ccode\u003eClear-History\u003c/code\u003e cmdlet.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker attempts to remove the \u003ccode\u003eConsoleHost_history.txt\u003c/code\u003e file using \u003ccode\u003eRemove-Item\u003c/code\u003e or \u003ccode\u003erm\u003c/code\u003e, which stores the PSReadLine command history.\u003c/li\u003e\n\u003cli\u003eAnother method involves using the \u003ccode\u003eSet-PSReadlineOption\u003c/code\u003e cmdlet with the \u003ccode\u003eSaveNothing\u003c/code\u003e parameter to prevent the saving of future command history.\u003c/li\u003e\n\u003cli\u003eThe attacker may leverage other tools and techniques to further obscure their activities and maintain persistence on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to move laterally to other systems within the network to increase their 
impact.\u003c/li\u003e\n\u003cli\u003eThe final objective is data exfiltration, deployment of ransomware, or other malicious activities, all while attempting to evade detection by clearing logs and command history.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful clearing of console history hinders forensic investigations and incident response efforts. If command history is cleared, administrators will have difficulty reconstructing the attacker\u0026rsquo;s actions and identifying the extent of the compromise. This can lead to prolonged incident response times, increased damage, and potential for further exploitation of the compromised systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Clearing PowerShell History\u003c/code\u003e to your SIEM to detect the use of the \u003ccode\u003eClear-History\u003c/code\u003e cmdlet, potentially indicating an attempt to remove command history.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Removal of PowerShell History File\u003c/code\u003e to detect the use of the \u003ccode\u003eRemove-Item\u003c/code\u003e or \u003ccode\u003erm\u003c/code\u003e command against the PowerShell history file.\u003c/li\u003e\n\u003cli\u003eEnable PowerShell logging and auditing policies to ensure adequate visibility into PowerShell activity as described in the \u003ca href=\"https://ela.st/audit-process-creation\"\u003esetup instructions\u003c/a\u003e to improve detection capabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"/briefs/2024-01-30-clearing-console-history/","summary":"Adversaries may clear the command history of a compromised account to conceal the actions undertaken during an intrusion on a Windows system.","title":"Windows Console History 
Clearing","url":"https://feed.craftedsignal.io/briefs/2024-01-30-clearing-console-history/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["PowerShell"],"_cs_severities":["high"],"_cs_tags":["credential-access","kerberos","powershell","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief focuses on detecting PowerShell scripts designed to extract Kerberos tickets from memory. Attackers use these scripts to gain unauthorized access to credentials, which can then be leveraged for lateral movement within a network. The scripts achieve this by interacting with the Local Security Authority (LSA) and accessing Kerberos authentication packages. The observed PowerShell scripts utilize specific Kerberos ticket message types or dynamic Kerberos package lookup to enumerate and retrieve tickets. This behavior is often associated with post-exploitation activity, where attackers are attempting to escalate privileges or move laterally within a compromised environment. Defenders should monitor PowerShell activity for these patterns, as successful Kerberos ticket dumping can lead to significant security breaches. 
The scripts are not associated with any specific campaign or version.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes a PowerShell script.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script uses \u003ccode\u003eLsaCallAuthenticationPackage\u003c/code\u003e to interact with the LSA.\u003c/li\u003e\n\u003cli\u003eThe script attempts to retrieve Kerberos tickets by using functions like \u003ccode\u003eKerbRetrieveEncodedTicketMessage\u003c/code\u003e, \u003ccode\u003eKerbQueryTicketCacheMessage\u003c/code\u003e, \u003ccode\u003eKerbQueryTicketCacheExMessage\u003c/code\u003e, or \u003ccode\u003eKerbRetrieveTicketMessage\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAlternatively, the script uses \u003ccode\u003eLsaLookupAuthenticationPackage\u003c/code\u003e to dynamically locate the Kerberos package.\u003c/li\u003e\n\u003cli\u003eThe script may then decrypt the ticket data using \u003ccode\u003eKerbDecryptDataMessage\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe script may attempt to serialize or export the extracted tickets to a file.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the dumped Kerberos tickets to impersonate users or services, gaining unauthorized access to resources and facilitating lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to steal Kerberos tickets from memory. The attacker can then use these tickets to impersonate legitimate users or services, enabling them to move laterally within the network, access sensitive data, and potentially compromise critical systems. 
The impact includes unauthorized access to resources, data breaches, and potentially a complete compromise of the targeted Windows domain.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging to capture the malicious script content (as mentioned in the \u0026ldquo;Setup\u0026rdquo; section).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;PowerShell Kerberos Ticket Dump\u0026rdquo; to detect scripts exhibiting Kerberos ticket dumping behavior.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule, focusing on the reconstructed script block content and process lineage as outlined in the \u0026ldquo;Triage and analysis\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eMonitor for file creation events related to ticket material exports (e.g., \u0026ldquo;.kirbi\u0026rdquo; files) to identify potential ticket dumping activity.\u003c/li\u003e\n\u003cli\u003eReview authentication events (event codes 4624, 4625, 4648) to identify suspicious logins originating from compromised systems.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T12:00:00Z","date_published":"2024-01-26T12:00:00Z","id":"/briefs/2024-01-26-powershell-kerberos-dump/","summary":"Detection of PowerShell scripts attempting to dump Kerberos tickets from memory by accessing LSA authentication packages, potentially leading to credential access and lateral movement.","title":"PowerShell Kerberos Ticket Dumping via LSA Authentication Package Access","url":"https://feed.craftedsignal.io/briefs/2024-01-26-powershell-kerberos-dump/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Defender Advanced Threat Protection"],"_cs_severities":["high"],"_cs_tags":["process injection","powershell","defense evasion"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection focuses on identifying PowerShell 
scripts that combine specific Win32 API calls, often used in process injection and in-memory payload execution techniques. Attackers use PowerShell, a ubiquitous scripting language in Windows environments, to inject malicious code into other processes, bypassing traditional security controls. The rule specifically targets API combinations related to memory allocation (VirtualAlloc, VirtualAllocEx), memory protection (VirtualProtect), process access (OpenProcess), dynamic library loading (LdrLoadDll, LoadLibrary), and thread manipulation (CreateRemoteThread, NtCreateThreadEx). The rule excludes script activity originating from within Microsoft Defender Advanced Threat Protection directories, reducing false positives. This technique is valuable to attackers seeking to evade detection and execute malicious code stealthily. The detection logic is based on observing specific API combinations, commonly seen in tools like Empire.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system, possibly through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker uses PowerShell to execute a malicious script.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script uses \u003ccode\u003eOpenProcess\u003c/code\u003e to gain access to a target process.\u003c/li\u003e\n\u003cli\u003eThe script then uses \u003ccode\u003eVirtualAllocEx\u003c/code\u003e to allocate memory within the target process.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eWriteProcessMemory\u003c/code\u003e is used to write malicious code into the allocated memory.\u003c/li\u003e\n\u003cli\u003eThe script uses \u003ccode\u003eCreateRemoteThread\u003c/code\u003e or \u003ccode\u003eNtCreateThreadEx\u003c/code\u003e to create a new thread within the target process, pointing to the injected code.\u003c/li\u003e\n\u003cli\u003eThe injected code executes within the context of the target 
process.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as credential dumping or establishing persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful process injection allows attackers to execute arbitrary code within the context of another process, often a legitimate one. This can lead to credential theft, privilege escalation, data exfiltration, or the deployment of ransomware. The impact is significant, as it allows attackers to bypass security controls and operate stealthily. While the number of victims is unknown, the widespread use of PowerShell makes this a potentially widespread threat. Successful attacks can compromise sensitive data, disrupt business operations, and damage an organization\u0026rsquo;s reputation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging to capture the necessary events (4104) for this detection to function as described in the setup instructions \u003ca href=\"https://ela.st/powershell-logging-setup\"\u003ehttps://ela.st/powershell-logging-setup\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect suspicious PowerShell scripts indicative of process injection. Tune the rules based on your environment\u0026rsquo;s baseline activity.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules, focusing on the reconstructed script content, target process, and execution context. 
Refer to the investigation guide section for triage steps.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized PowerShell scripts.\u003c/li\u003e\n\u003cli\u003eMonitor PowerShell execution for suspicious API calls related to process injection, as described in the rule\u0026rsquo;s \u003ccode\u003equery\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T10:00:00Z","date_published":"2024-01-24T10:00:00Z","id":"/briefs/2024-01-24-posh-process-injection/","summary":"This detection identifies PowerShell scripts leveraging Win32 APIs for memory allocation, process access, and thread creation, indicative of potential process injection or in-memory payload execution on Windows systems.","title":"Potential Process Injection via PowerShell","url":"https://feed.craftedsignal.io/briefs/2024-01-24-posh-process-injection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["defense-evasion","amsi","powershell","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection identifies PowerShell scripts that attempt to circumvent the Antimalware Scan Interface (AMSI), a security feature in Windows designed to prevent the execution of malicious scripts and code. Attackers use AMSI bypass techniques to disable real-time scanning and execute malicious PowerShell code without detection. The bypasses often involve manipulating AMSI\u0026rsquo;s internal state or patching its scanning routines. This allows attackers to deliver and execute payloads undetected, leading to potential system compromise. 
This technique is actively used by various threat actors to evade defenses.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system, typically through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a PowerShell script.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script contains code designed to bypass AMSI, such as manipulating the AmsiScanBuffer function or unmanaged code injection.\u003c/li\u003e\n\u003cli\u003eThe AMSI bypass is executed, disabling real-time scanning of PowerShell scripts.\u003c/li\u003e\n\u003cli\u003eThe attacker then executes a malicious payload within the same PowerShell session, which is no longer subject to AMSI scanning.\u003c/li\u003e\n\u003cli\u003eThe malicious payload performs actions such as downloading additional malware, establishing persistence, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised system for further lateral movement or to achieve their objectives, such as data theft or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful AMSI bypass can lead to the execution of arbitrary code on the affected system, potentially resulting in data breaches, system compromise, and the installation of malware. 
Because AMSI is a core component of Windows security, its bypass represents a significant security risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging to capture the contents of PowerShell scripts, which is essential for this detection to function effectively (reference: Setup section).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Antimalware Scan Interface Bypass via PowerShell\u0026rdquo; to detect scripts containing known AMSI bypass techniques (reference: rules section below).\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the Sigma rule, focusing on the script content and the context in which it was executed to identify potential malicious activity (reference: note section).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T16:23:00Z","date_published":"2024-01-09T16:23:00Z","id":"/briefs/2024-01-amsi-bypass-powershell/","summary":"This rule detects PowerShell scripts that attempt to bypass the Antimalware Scan Interface (AMSI) in order to disable scanning and execute malicious PowerShell code undetected.","title":"Potential Antimalware Scan Interface Bypass via PowerShell","url":"https://feed.craftedsignal.io/briefs/2024-01-amsi-bypass-powershell/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["PowerShell"],"_cs_severities":["high"],"_cs_tags":["discovery","powershell","share-enumeration","lateral-movement","ransomware"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies PowerShell scripts utilizing ShareFinder functions (Invoke-ShareFinder/Invoke-ShareFinderThreaded) or native Windows API calls for share enumeration. These techniques are commonly used by attackers to map accessible network shares within an environment. 
This reconnaissance is often a precursor to data collection, lateral movement, or the deployment of ransomware. The activity is detected via script block logging, and focuses on identifying specific function calls and API usage within the PowerShell script content. Defenders should be aware of this activity, particularly when performed by unexpected users or on unusual systems, as it may indicate malicious reconnaissance within the network. The references indicate that this activity can lead to corporate insurance policy exfiltration or Conti ransomware deployment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system, potentially through phishing or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a PowerShell script, either directly or through a fileless execution method.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script utilizes ShareFinder functions (Invoke-ShareFinder, Invoke-ShareFinderThreaded) or Windows share enumeration APIs (NetShareEnum, NetApiBufferFree) to discover network shares.\u003c/li\u003e\n\u003cli\u003eThe script identifies accessible network shares by leveraging API calls and parsing the results for share names (shi1_netname) and remarks (shi1_remark).\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the identified shares to determine those that are accessible and contain valuable data.\u003c/li\u003e\n\u003cli\u003eThe attacker may then attempt to access these shares using compromised credentials or exploiting existing vulnerabilities.\u003c/li\u003e\n\u003cli\u003eOnce access is gained, the attacker may collect sensitive data from the shares, move laterally to other systems, or deploy ransomware.\u003c/li\u003e\n\u003cli\u003eThe ultimate goal is data exfiltration, system compromise, or financial gain through ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this reconnaissance technique can lead to significant data breaches, lateral movement within the network, and potential ransomware deployment. Organizations that fail to detect and prevent share enumeration may suffer financial losses, reputational damage, and operational disruption. The referenced \u0026ldquo;Stolen Images\u0026rdquo; campaign led to Conti ransomware deployment, and the \u0026ldquo;Hunting for corporate insurance policies\u0026rdquo; post highlights data exfiltration.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell script block logging to capture the necessary events for detection (as referenced in the rule setup).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;PowerShell Share Enumeration Script via Invoke-ShareFinder\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;PowerShell Share Enumeration via NetShareEnum API\u0026rdquo; to detect share enumeration using native Windows APIs.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules, focusing on the PowerShell launch context and the scope of the share discovery (see triage steps in the original rule).\u003c/li\u003e\n\u003cli\u003eRestrict script execution with application control (AppLocker or WDAC), especially from user-writable locations, rather than relying on PowerShell execution policy: execution policy is a safety feature, not a security boundary, and any caller can override it with \u003ccode\u003e-ExecutionPolicy Bypass\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T15:00:00Z","date_published":"2024-01-09T15:00:00Z","id":"/briefs/2024-01-09-powershell-share-enumeration/","summary":"Detection of PowerShell scripts employing ShareFinder functions or Windows share enumeration APIs to discover accessible network shares for reconnaissance, lateral movement, or ransomware deployment.","title":"PowerShell Share Enumeration via ShareFinder or Native 
APIs","url":"https://feed.craftedsignal.io/briefs/2024-01-09-powershell-share-enumeration/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["credential-access","powershell","ninjacopy"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eInvoke-NinjaCopy is a PowerShell script that reads files by opening the raw volume and parsing the NTFS structures itself rather than going through the file system API. Because the target file is never opened through the normal path, neither the exclusive lock the operating system holds on it nor the NTFS ACL protecting it is enforced, which is what lets an attacker read locked, protected files such as NTDS.dit or the SAM, SECURITY and SYSTEM registry hives that credential dumping depends on. Opening the raw volume requires administrative rights, so the technique follows, rather than provides, privilege escalation on the target. The script, often incorporated into post-exploitation frameworks like Empire, is built from internal functions named \u0026ldquo;Stealth*\u0026rdquo; (StealthOpenFile, StealthReadFile, StealthCloseFileDelegate); those names, together with Invoke-NinjaCopy itself, are the strings defenders should look for in PowerShell script block content to identify credential access attempts. This activity is typically observed in Windows environments where attackers have already obtained local administrator rights and are working toward domain credentials or lateral movement. 
NinjaCopy therefore lets attackers copy these files without tripping the file-level protections that would block an ordinary read.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system, potentially through phishing or exploiting a vulnerability, and obtains local administrator rights on the target (a domain controller, in the case of NTDS.dit).\u003c/li\u003e\n\u003cli\u003eThe attacker executes a PowerShell script, either from a file or inline on the command line.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script contains the Invoke-NinjaCopy function or the related StealthOpenFile and StealthReadFile functions.\u003c/li\u003e\n\u003cli\u003eThe script uses StealthOpenFile to open the raw volume on which the target file resides (e.g., NTDS.dit) and locate the file in the NTFS metadata.\u003c/li\u003e\n\u003cli\u003eStealthReadFile reads the file contents from the volume, bypassing the lock and ACL that a normal open would hit.\u003c/li\u003e\n\u003cli\u003eThe script writes a copy of NTDS.dit (together with the SYSTEM hive, whose boot key is needed to decrypt it) or of the other registry hives to a location the attacker controls.\u003c/li\u003e\n\u003cli\u003eThe attacker dumps credentials from the copied files offline using tools like secretsdump.py or other credential harvesting tools.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the harvested credentials to escalate privileges or move laterally within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the compromise of domain credentials, granting the attacker access to sensitive information and systems. Credential dumping from NTDS.dit or registry hives can expose user accounts, service accounts, and other privileged credentials. The impact ranges from data breaches and financial losses to complete network compromise and disruption of services. 
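The Kerberos ticket dump, AMSI bypass, share enumeration and Invoke-NinjaCopy briefs above all reduce to the same detection shape: content rules over script block text. The following is an added example written for this page, not code from the briefs or from the Elastic and Sigma rules they cite. It shows the step the briefs' triage notes call "reconstructing" the script block: event 4104 splits a long script into fragments that share a ScriptBlockId, and a rule term can straddle a fragment boundary, so the fragments are joined before any rule runs. The rule names are the ones the briefs use; the term lists are my reading of the briefs rather than the vendor rules, and every event record is constructed for illustration.

```python
"""Reassemble fragmented PowerShell 4104 script blocks, then apply content rules.

Added example, not code from the briefs or from the Elastic/Sigma rules they cite.
The events and rule terms below are constructed for illustration.
"""
from collections import defaultdict

# Constructed 4104 records. PowerShell splits a long script block into fragments that
# share a ScriptBlockId and are numbered MessageNumber/MessageTotal; the first record
# here ends in the middle of an API name, so fragment-level matching would miss it.
SAMPLE_4104 = [
    {"ScriptBlockId": "a1", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "$status = [Lsa]::LsaCallAuthenticationPackage($lsa, $pkgId, "
                        "[KERB_PROTOCOL_MESSAGE_TYPE]::KerbRetrieveEncoded"},
    {"ScriptBlockId": "a1", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": "TicketMessage, $request, $request.Length, [ref]$response, "
                        "[ref]$responseLength, [ref]$protocolStatus)"},
    {"ScriptBlockId": "b2", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Invoke-ShareFinderThreaded -ExcludeStandard -CheckShareAccess"},
    {"ScriptBlockId": "c3", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "$a = [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils'); "
                        "$f = $a.GetField('amsiInitFailed', 'NonPublic,Static')"},
    {"ScriptBlockId": "d4", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Invoke-NinjaCopy -Path C:\\Windows\\NTDS\\ntds.dit "
                        "-LocalDestination C:\\Windows\\Temp\\n.dit"},
    {"ScriptBlockId": "e5", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-ChildItem -Recurse C:\\Users | Select-Object FullName"},
]

# Each rule is a list of term groups: every group must match (AND), any term in a
# group satisfies it (OR). Matching is case-insensitive, as PowerShell itself is.
RULES = {
    "PowerShell Kerberos Ticket Dump": [
        ["LsaCallAuthenticationPackage"],
        ["KerbRetrieveEncodedTicketMessage", "KerbQueryTicketCacheMessage",
         "KerbQueryTicketCacheExMessage", "KerbRetrieveTicketMessage",
         "KerbDecryptDataMessage"],
    ],
    "Potential Antimalware Scan Interface Bypass via PowerShell": [
        ["AmsiScanBuffer", "amsiInitFailed", "AmsiUtils"],
    ],
    "PowerShell Share Enumeration Script via Invoke-ShareFinder": [
        ["Invoke-ShareFinder"],            # also covers Invoke-ShareFinderThreaded
    ],
    "PowerShell Share Enumeration via NetShareEnum API": [
        ["NetShareEnum"],
        ["shi1_netname", "shi1_remark"],
    ],
    "PowerShell Invoke-NinjaCopy script": [
        ["Invoke-NinjaCopy", "StealthReadFile", "StealthOpenFile",
         "StealthCloseFileDelegate"],
    ],
}


def reassemble(events):
    """Join the fragments of each ScriptBlockId in MessageNumber order."""
    fragments = defaultdict(dict)
    for event in events:
        fragments[event["ScriptBlockId"]][event["MessageNumber"]] = event["ScriptBlockText"]
    return {sbid: "".join(parts[n] for n in sorted(parts)) for sbid, parts in fragments.items()}


def match_rules(text, rules=RULES):
    """Names of the rules whose every term group has at least one term in text."""
    lowered = text.lower()
    return [name for name, groups in rules.items()
            if all(any(term.lower() in lowered for term in group) for group in groups)]


def scan(events, rules=RULES):
    """Map ScriptBlockId -> matched rule names, for blocks that matched anything."""
    hits = {sbid: match_rules(text, rules) for sbid, text in reassemble(events).items()}
    return {sbid: names for sbid, names in hits.items() if names}


if __name__ == "__main__":
    # The first fragment alone matches nothing; the reassembled block does.
    print(match_rules(SAMPLE_4104[0]["ScriptBlockText"]))
    for sbid, names in scan(SAMPLE_4104).items():
        print(sbid, names)
```

The Kerberos rule deliberately requires both the LSA call and a message-type name; either alone is common in legitimate tooling. Because it keys on names, a script that passes the numeric enumeration values instead will not match, which is the gap noted in the attack chain above.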
If successful, attackers may gain persistent access and control over critical infrastructure, potentially affecting thousands of users and systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging and monitor event ID 4104 for script content containing \u003ccode\u003eInvoke-NinjaCopy\u003c/code\u003e, \u003ccode\u003eStealthReadFile\u003c/code\u003e, \u003ccode\u003eStealthOpenFile\u003c/code\u003e, \u003ccode\u003eStealthCloseFileDelegate\u003c/code\u003e as described in the Overview.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;PowerShell Invoke-NinjaCopy script\u0026rdquo; to your SIEM and tune the rule for false positives in your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate matches in the 4104 script block content and, where the script was passed inline, in the PowerShell command line (event 4688 with command-line auditing, or Sysmon event ID 1), and reconstruct the process lineage as outlined in the Attack Chain.\u003c/li\u003e\n\u003cli\u003eDo not rely on NTFS permissions on \u003ccode\u003eNTDS.dit\u003c/code\u003e or the registry hives: NinjaCopy reads the raw volume, so those ACLs are never evaluated. Limit membership of the local Administrators group on domain controllers, since raw volume access requires it, and alert on raw reads of the system volume (Sysmon event ID 9, RawAccessRead) by anything other than known backup software.\u003c/li\u003e\n\u003cli\u003eUse application control (AppLocker or WDAC) to block unsigned or untrusted scripts; PowerShell execution policy is not a security boundary and is bypassed by any caller that passes \u003ccode\u003e-ExecutionPolicy Bypass\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T14:27:00Z","date_published":"2024-01-09T14:27:00Z","id":"/briefs/2024-01-09-invoke-ninjacopy/","summary":"The Invoke-NinjaCopy PowerShell script is used by attackers to directly access volume files, such as NTDS.dit or registry hives, for credential dumping.","title":"PowerShell Invoke-NinjaCopy Script Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-09-invoke-ninjacopy/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Defender XDR","Cloud 
Endpoint","AutomationManagerAgent"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","powershell","registry"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Trend Micro","N-able"],"content_html":"\u003cp\u003eAttackers frequently disable PowerShell Script Block Logging to evade detection and hide malicious activities on compromised systems. By modifying the \u003ccode\u003eEnableScriptBlockLogging\u003c/code\u003e registry value to \u0026lsquo;0\u0026rsquo; or \u0026lsquo;0x00000000\u0026rsquo;, adversaries can significantly reduce the visibility into their PowerShell-based attacks. This technique is particularly effective when followed by script-driven activity, making it harder for security teams to identify and respond to threats. This behavior has been observed across multiple environments, including those utilizing endpoint detection and response solutions such as Elastic Defend, Microsoft Defender XDR, SentinelOne, and CrowdStrike. The rule was last updated on 2026-05-04 and is designed to detect these specific registry modifications.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains initial access to a Windows system, possibly through phishing or exploitation of a vulnerability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker may attempt to escalate privileges to gain necessary permissions to modify the registry.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion:\u003c/strong\u003e The attacker modifies the registry to disable PowerShell Script Block Logging by setting \u003ccode\u003eHKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\EnableScriptBlockLogging\u003c/code\u003e to 0 or 0x00000000 using \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell 
itself.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution:\u003c/strong\u003e The attacker executes malicious PowerShell scripts, leveraging the disabled logging to avoid detection. These scripts may be used for reconnaissance, lateral movement, or data exfiltration.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker establishes persistence using various techniques, such as creating scheduled tasks or modifying registry keys to ensure continued access to the system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control:\u003c/strong\u003e The attacker establishes a command and control channel to communicate with the compromised system and issue further instructions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker moves laterally to other systems on the network, compromising additional assets.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The attacker achieves their final objective, such as data theft, ransomware deployment, or disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful disabling of PowerShell Script Block Logging can severely hinder incident response efforts, allowing attackers to operate undetected for extended periods. Organizations may experience data breaches, financial losses, and reputational damage. The impact can be widespread as attackers leverage compromised systems for lateral movement and further exploitation. 
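The registry check this brief describes, as an added example written for this page rather than the Sigma rule it names. The records are constructed in the shape of Sysmon event ID 13 (RegistryEvent, Value Set) fields; the field names are Sysmon's, the values are made up. The logic normalises the key path so that both the machine policy under HKLM and a per-user policy under HKU match, decodes the two data encodings the brief mentions ("0" and "0x00000000", the latter as Sysmon's DWORD (0x00000000) form), and ignores a neighbouring value with a similar name.

```python
"""Flag registry value-set events that turn PowerShell Script Block Logging off.

Added example, not the Sigma rule the brief names. The event records are constructed
in the shape of Sysmon event ID 13 (RegistryEvent, Value Set) fields.
"""
import re

VALUE_NAME = "enablescriptblocklogging"
POLICY_KEY_SUFFIX = "\\policies\\microsoft\\windows\\powershell\\scriptblocklogging"

SAMPLE_REGISTRY_EVENTS = [
    {"EventType": "SetValue", "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\EnableScriptBlockLogging",
     "Details": "DWORD (0x00000000)"},
    # Per-user policy hive: same value name under HKU\<SID>\Software\Policies\...
    {"EventType": "SetValue", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\EnableScriptBlockLogging",
     "Details": "DWORD (0x00000000)"},
    # Group Policy re-enabling logging: same value, non-zero data, must not fire.
    {"EventType": "SetValue", "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\EnableScriptBlockLogging",
     "Details": "DWORD (0x00000001)"},
    # Some pipelines carry the data as a bare string (the brief's registry.data.strings "0").
    {"EventType": "SetValue", "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\EnableScriptBlockLogging",
     "Details": "0"},
    # A different value in the same key: not what the rule is about.
    {"EventType": "SetValue", "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\EnableScriptBlockInvocationLogging",
     "Details": "DWORD (0x00000000)"},
]

_DWORD_RE = re.compile(r"DWORD \((0x[0-9A-Fa-f]+)\)")


def registry_data_as_int(details):
    """Decode 'DWORD (0x00000000)', '0x0' or '0' to an int; None if not numeric."""
    match = _DWORD_RE.fullmatch(details.strip())
    if match:
        return int(match.group(1), 16)
    try:
        return int(details.strip(), 0)
    except ValueError:
        return None


def disables_script_block_logging(event):
    """True when the event sets ...\\ScriptBlockLogging\\EnableScriptBlockLogging to zero
    under any Policies hive (HKLM or a user SID under HKU)."""
    if event.get("EventType") != "SetValue":
        return False
    path = event["TargetObject"].replace("/", "\\").lower()
    key, _, value = path.rpartition("\\")
    if value != VALUE_NAME or not key.endswith(POLICY_KEY_SUFFIX):
        return False
    return registry_data_as_int(event.get("Details", "")) == 0


def find_logging_disabled(events):
    """The subset of events that switch script block logging off."""
    return [e for e in events if disables_script_block_logging(e)]


if __name__ == "__main__":
    for hit in find_logging_disabled(SAMPLE_REGISTRY_EVENTS):
        print(hit["Image"], "->", hit["TargetObject"], hit["Details"])
```

Setting the value to zero is not the only way to lose the logs: deleting the value or the key (Sysmon event ID 12) leaves logging off wherever it was enabled only by that value, so a companion rule on deletions, plus a periodic audit of the effective setting, closes the gap this rule leaves.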
The loss of PowerShell logging can blind security teams, making it difficult to reconstruct attacker actions and contain the breach.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eR​ecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003ePowerShell_Script_Block_Logging_Disabled\u003c/code\u003e to your SIEM to detect registry modifications that disable PowerShell Script Block Logging.\u003c/li\u003e\n\u003cli\u003eMonitor registry events for changes to the \u003ccode\u003eEnableScriptBlockLogging\u003c/code\u003e value, focusing on events with \u003ccode\u003eregistry.data.strings\u003c/code\u003e set to \u0026ldquo;0\u0026rdquo; or \u0026ldquo;0x00000000\u0026rdquo; (see rule \u003ccode\u003ePowerShell_Script_Block_Logging_Disabled\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to capture the necessary data for the Sigma rules to function effectively (see references).\u003c/li\u003e\n\u003cli\u003eUse application control (AppLocker or WDAC) to prevent unauthorized script execution; PowerShell execution policy on its own does not stop a caller that overrides it (related to tactic TA0005).\u003c/li\u003e\n\u003cli\u003eImplement strict access controls to limit who can modify registry settings related to PowerShell logging, and deliver the setting through Group Policy so that a local change is reverted at the next policy refresh while the alert is investigated (related to tactic TA0005).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T10:00:00Z","date_published":"2024-01-09T10:00:00Z","id":"/briefs/2024-01-09-disable-powershell-scriptblock-logging/","summary":"Attackers may disable PowerShell Script Block Logging by modifying the registry to conceal their activities on the host and evade detection by setting the `EnableScriptBlockLogging` registry value to 0, impacting security monitoring and incident response capabilities.","title":"PowerShell Script Block Logging Disabled via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-09-disable-powershell-scriptblock-logging/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows 
Defender"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","powershell","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers commonly attempt to disable or weaken Windows Defender to evade detection and facilitate malicious activities. This involves using PowerShell commands like \u003ccode\u003eSet-MpPreference\u003c/code\u003e or \u003ccode\u003eAdd-MpPreference\u003c/code\u003e to modify Defender\u0026rsquo;s configuration. Adversaries may also utilize base64 encoding to obfuscate these commands, bypassing simple command-line inspection. This activity typically occurs post-compromise, as part of a broader attack chain, and allows for the deployment of malware or other malicious tools without interference from the built-in antivirus. Detection of these techniques is crucial for maintaining the integrity of the system and preventing further damage. The scope of this threat includes any Windows environment where PowerShell is enabled and Windows Defender is used as the primary antivirus solution.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is achieved through an existing compromise (e.g., phishing, exploit).\u003c/li\u003e\n\u003cli\u003eThe attacker gains a foothold on the system and escalates privileges if necessary.\u003c/li\u003e\n\u003cli\u003ePowerShell is launched, either directly or through a parent process like \u003ccode\u003ecmd.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003eSet-MpPreference\u003c/code\u003e or \u003ccode\u003eAdd-MpPreference\u003c/code\u003e with parameters like \u003ccode\u003e-DisableRealtimeMonitoring\u003c/code\u003e, \u003ccode\u003e-DisableIOAVProtection\u003c/code\u003e, \u003ccode\u003e-DisableBehaviorMonitoring\u003c/code\u003e, or \u003ccode\u003e-DisableBlockAtFirstSeen\u003c/code\u003e to weaken Defender.\u003c/li\u003e\n\u003cli\u003eAlternatively, 
the attacker crafts a base64-encoded PowerShell command that performs the same actions.\u003c/li\u003e\n\u003cli\u003eThe encoded command is executed using the \u003ccode\u003e-EncodedCommand\u003c/code\u003e parameter or one of its accepted short forms (\u003ccode\u003e-e\u003c/code\u003e, \u003ccode\u003e-ec\u003c/code\u003e, \u003ccode\u003e-enc\u003c/code\u003e and any other unambiguous prefix), so a detection should not depend on a single spelling.\u003c/li\u003e\n\u003cli\u003eWindows Defender\u0026rsquo;s security settings are modified, reducing its effectiveness.\u003c/li\u003e\n\u003cli\u003eThe attacker proceeds with deploying malware, exfiltrating data, or other malicious objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of these commands results in a weakened or disabled Windows Defender, leaving the system vulnerable to malware infections and other threats. This can lead to data breaches, system compromise, and financial loss. The impact is especially significant in environments where Windows Defender is the primary security solution. While the number of victims is unknown, the technique is widely applicable across Windows environments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for PowerShell executions (\u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003epwsh.exe\u003c/code\u003e) with command-line arguments related to disabling Windows Defender using the Sigma rule \u0026ldquo;Detect Suspicious PowerShell Encoded Commands\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eEnable PowerShell script block logging to capture the full content of executed scripts; event 4104 records the script after PowerShell has decoded it, so the base64 wrapper does not hide the \u003ccode\u003eSet-MpPreference\u003c/code\u003e call there (reference: \u003ca href=\"https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps\"\u003ehttps://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Disabling Windows Defender 
Security Settings via PowerShell\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003eSet-MpPreference\u003c/code\u003e or \u003ccode\u003eAdd-MpPreference\u003c/code\u003e commands with arguments disabling real-time monitoring, IOAV protection, behavior monitoring, or block-at-first-seen features.\u003c/li\u003e\n\u003cli\u003eKeep Defender Tamper Protection enabled; with it on, these cmdlets cannot change the protected settings, and the attempt still shows up in process and script block logs for investigation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T10:00:00Z","date_published":"2024-01-09T10:00:00Z","id":"/briefs/2024-01-09-disable-defender-powershell/","summary":"Attackers use PowerShell commands, including base64-encoded variants, to disable or weaken Windows Defender settings, impairing defenses on compromised systems.","title":"Disabling Windows Defender Security Settings via PowerShell","url":"https://feed.craftedsignal.io/briefs/2024-01-09-disable-defender-powershell/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel","PowerShell"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","powershell","remoting"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne"],"content_html":"\u003cp\u003eThis detection identifies potential lateral movement through the use of Windows PowerShell remoting. PowerShell remoting is a feature that enables administrators, and attackers holding valid credentials, to execute commands on remote Windows systems. The detection focuses on identifying incoming network connections on ports 5985 (HTTP) and 5986 (HTTPS), the default ports used for PowerShell Remoting, followed by the execution of processes spawned by \u003ccode\u003ewsmprovhost.exe\u003c/code\u003e, the host process that WinRM starts on the target for a remote PowerShell session. This activity, when originating from unexpected sources, may indicate unauthorized access and lateral movement within a network. 
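The Windows Defender brief above hinges on seeing through the base64 wrapper that hides a Set-MpPreference call from plain command-line matching. The following is an added example written for this page, not either of the Sigma rules that brief names. It decodes every -EncodedCommand argument (the payload is base64 over UTF-16LE text, and PowerShell accepts -e, -ec and any unambiguous prefix of the parameter name, so the prefix is tested rather than one spelling) and then looks in both the visible command line and the decoded payload for the four parameters the brief lists, ignoring a call that sets them to $false. The command lines are constructed; the encoded one is built inside the block from plain text so the sample stays readable.

```python
"""Decode PowerShell -EncodedCommand payloads and look for Defender-weakening cmdlets.

Added example, not the Sigma rules the brief names. The command lines are constructed;
the encoded ones are built here from plain-text commands so the sample stays readable.
"""
import base64
import re

DEFENDER_CMDLETS = ("set-mppreference", "add-mppreference")
# Parameters the brief lists; the value is captured so "-Disable... $false" (re-enabling)
# is not reported as tampering.
DISABLE_PARAM_RE = re.compile(
    r"-(disablerealtimemonitoring|disableioavprotection|disablebehaviormonitoring|"
    r"disableblockatfirstseen)(?:\s*:\s*|\s+)?(\$?\w+)?", re.IGNORECASE)
FALSE_VALUES = {"$false", "false", "0"}


def encoded_command_payloads(command_line):
    """Decode every -EncodedCommand argument. PowerShell documents -e and -ec as aliases
    and accepts any unambiguous prefix (-en, -enc, -encoded, ...), so the parameter name
    is tested as a prefix. The payload is base64 over UTF-16LE text."""
    payloads = []
    tokens = command_line.split()
    for index, token in enumerate(tokens[:-1]):
        name = token[1:].lower()
        if token[:1] not in "-/" or not name:
            continue
        if not (name in ("e", "ec") or "encodedcommand".startswith(name)):
            continue
        blob = tokens[index + 1].strip("\"'")
        try:
            payloads.append(base64.b64decode(blob, validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue   # not a decodable payload; a separate rule can flag junk after -enc
    return payloads


def defender_tampering(command_line):
    """Sorted names of the Defender features being disabled, found in the visible
    command line or in any decoded -EncodedCommand payload."""
    findings = set()
    for text in [command_line] + encoded_command_payloads(command_line):
        if not any(cmdlet in text.lower() for cmdlet in DEFENDER_CMDLETS):
            continue
        for match in DISABLE_PARAM_RE.finditer(text):
            value = (match.group(2) or "$true").lower()
            if value not in FALSE_VALUES:
                findings.add(match.group(1).lower())
    return sorted(findings)


def _encode(script):
    """Build an -EncodedCommand payload the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


SAMPLE_COMMAND_LINES = [
    "powershell.exe -nop -w hidden -enc " + _encode(
        "Set-MpPreference -DisableRealtimeMonitoring $true -DisableIOAVProtection $true"),
    "powershell.exe -ec " + _encode("Add-MpPreference -DisableBlockAtFirstSeen:$true"),
    'powershell.exe -NoProfile -Command "Set-MpPreference -DisableRealtimeMonitoring $false"',
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1",
]

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        print(defender_tampering(line), "<-", line[:60])
```

With Tamper Protection on, the decoded call fails at runtime, but the process creation event still carries the encoded argument, so this decode step is how the attempt is surfaced either way.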
The rule is designed to detect suspicious activity by monitoring network traffic and process execution, flagging potential unauthorized remote executions, and enabling security teams to respond swiftly.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a network, possibly through phishing or exploiting a vulnerability on an internet-facing system.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages PowerShell remoting to initiate a connection to a target system on ports 5985 or 5986.\u003c/li\u003e\n\u003cli\u003eThe target system accepts the incoming PowerShell Remoting connection.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ewsmprovhost.exe\u003c/code\u003e process is launched on the target system to facilitate the remote PowerShell session.\u003c/li\u003e\n\u003cli\u003eThe attacker executes commands remotely, spawning child processes from \u003ccode\u003ewsmprovhost.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to escalate privileges or move laterally to other systems within the network using the remote PowerShell session.\u003c/li\u003e\n\u003cli\u003eThe attacker uses tools such as \u003ccode\u003enet.exe\u003c/code\u003e or \u003ccode\u003ePsExec\u003c/code\u003e over the remote PowerShell session to further propagate.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or deploying ransomware, by leveraging the established remote session.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of PowerShell Remoting for lateral movement can lead to widespread compromise within an organization. An attacker could gain control over multiple systems, potentially leading to data breaches, system outages, or ransomware deployment. 
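The remoting detection described above is a two-event sequence rather than a single match: an inbound connection to 5985 or 5986, then a process whose parent is wsmprovhost.exe on the same host shortly afterwards. The following is an added example written for this page, not the Sigma rule the brief names. Events are constructed in a simplified shape (one record per network connection and per process start), the 30-second window and the loopback exclusion are my choices, and the jump-host address in ADMIN_SOURCES is an assumed allowlist entry of the kind the brief's false-positive guidance suggests.

```python
"""Correlate inbound WinRM connections with processes spawned by wsmprovhost.exe.

Added example, not the Sigma rule the brief names. Events are constructed in a
simplified shape; the allowlisted jump host is an assumption for illustration.
"""
from datetime import datetime, timedelta

WINRM_PORTS = {5985, 5986}
LOOPBACK = {"127.0.0.1", "::1"}
ADMIN_SOURCES = {"10.0.0.5"}          # assumed: the organisation's management jump host
MAX_SPAN = timedelta(seconds=30)      # how soon after the connection the child must start

SAMPLE_EVENTS = [
    {"type": "network", "host": "SRV01", "time": "2024-01-03T18:50:00",
     "direction": "incoming", "src_ip": "10.0.0.5", "dst_port": 5985},
    {"type": "process", "host": "SRV01", "time": "2024-01-03T18:50:04",
     "parent": "wsmprovhost.exe", "image": "powershell.exe", "cmd": "Get-Service"},
    {"type": "network", "host": "SRV02", "time": "2024-01-03T18:52:10",
     "direction": "incoming", "src_ip": "10.0.5.77", "dst_port": 5985},
    {"type": "process", "host": "SRV02", "time": "2024-01-03T18:52:13",
     "parent": "wsmprovhost.exe", "image": "net.exe", "cmd": 'net group "Domain Admins" /domain'},
    {"type": "network", "host": "SRV03", "time": "2024-01-03T18:55:00",
     "direction": "incoming", "src_ip": "10.0.5.77", "dst_port": 5986},
    {"type": "process", "host": "SRV03", "time": "2024-01-03T18:57:00",   # 120 s later
     "parent": "wsmprovhost.exe", "image": "whoami.exe", "cmd": "whoami /all"},
    {"type": "process", "host": "SRV04", "time": "2024-01-03T18:58:00",
     "parent": "explorer.exe", "image": "powershell.exe", "cmd": "powershell.exe"},
]


def correlate(events, admin_sources=ADMIN_SOURCES, max_span=MAX_SPAN):
    """Alert on a wsmprovhost.exe child that starts within max_span of an inbound
    WinRM connection to the same host from a non-loopback, non-allowlisted source."""
    inbound = {}   # host -> [(time, src_ip), ...]
    alerts = []
    for event in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(event["time"])
        if (event["type"] == "network" and event["direction"] == "incoming"
                and event["dst_port"] in WINRM_PORTS and event["src_ip"] not in LOOPBACK):
            inbound.setdefault(event["host"], []).append((when, event["src_ip"]))
        elif event["type"] == "process" and event["parent"].lower() == "wsmprovhost.exe":
            for conn_time, src_ip in inbound.get(event["host"], []):
                if timedelta(0) <= when - conn_time <= max_span and src_ip not in admin_sources:
                    alerts.append({"host": event["host"], "source_ip": src_ip,
                                   "image": event["image"], "cmd": event["cmd"]})
                    break
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Suppressing the jump host hides exactly the case in which that host is the one that was compromised, so the allowlist should be narrow and the suppressed matches should still be kept for hunting on the child image and the account that opened the session.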
The number of affected systems could range from a few critical servers to a significant portion of the network, depending on the attacker\u0026rsquo;s objectives and the organization\u0026rsquo;s security posture. The impact could include financial losses, reputational damage, and disruption of business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eIncoming Execution via PowerShell Remoting\u003c/code\u003e to your SIEM to detect suspicious PowerShell remoting activity and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor network connections to ports 5985 and 5986, and investigate any unauthorized or unexpected traffic using the \u003ccode\u003enetwork_connection\u003c/code\u003e log source.\u003c/li\u003e\n\u003cli\u003eInvestigate processes spawned by \u003ccode\u003ewsmprovhost.exe\u003c/code\u003e for unusual or malicious activity using the \u003ccode\u003eprocess_creation\u003c/code\u003e log source.\u003c/li\u003e\n\u003cli\u003eWhitelist authorized administrative IP addresses or user accounts that frequently perform remote management tasks, as mentioned in the false positives analysis.\u003c/li\u003e\n\u003cli\u003eReview and document automated scripts or scheduled tasks that use PowerShell Remoting for system maintenance, then create exceptions for their specific process names or execution paths.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:53:23Z","date_published":"2024-01-03T18:53:23Z","id":"/briefs/2024-01-03-powershell-remoting/","summary":"This rule identifies remote execution via Windows PowerShell remoting, which allows a user to run any Windows PowerShell command on one or more remote computers, potentially indicating lateral movement.","title":"Incoming Execution via PowerShell 
Remoting","url":"https://feed.craftedsignal.io/briefs/2024-01-03-powershell-remoting/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["PowerShell","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["process-injection","powershell","pinvoke","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThis detection identifies PowerShell scripts leveraging the P/Invoke (Platform Invoke) technology to perform process injection. P/Invoke allows managed code (like PowerShell) to call unmanaged functions exported from DLLs, including critical Windows API functions. Attackers use this to inject malicious code into legitimate processes for evasion and persistence. The detection focuses on identifying specific API chains commonly used in process injection techniques, such as allocating memory in a target process (VirtualAlloc), writing malicious code into the allocated memory (WriteProcessMemory), and executing the injected code (CreateRemoteThread). This activity is often associated with malware deployment, privilege escalation, and defense evasion. 
The detection logic is designed to identify these API chains either at the compile phase using Add-Type or during the execution phase, alerting on suspicious PowerShell behavior.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003ePowerShell is invoked to execute a malicious script.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script uses Add-Type and DllImport to declare external functions from Windows DLLs, including kernel32.dll and ntdll.dll.\u003c/li\u003e\n\u003cli\u003eThe script uses functions such as OpenProcess to gain a handle to a target process.\u003c/li\u003e\n\u003cli\u003eVirtualAllocEx is called to allocate memory within the target process.\u003c/li\u003e\n\u003cli\u003eWriteProcessMemory is used to write malicious code into the allocated memory region of the target process.\u003c/li\u003e\n\u003cli\u003eCreateRemoteThread is called to create a new thread within the target process, pointing to the injected code.\u003c/li\u003e\n\u003cli\u003eThe injected code executes within the context of the target process, achieving code execution and potential privilege escalation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful process injection allows attackers to execute arbitrary code within the context of a trusted process, bypassing security controls and potentially gaining elevated privileges. This can lead to data theft, system compromise, or further propagation within the network. The use of PowerShell and P/Invoke makes detection more challenging, as the activity can blend in with legitimate system administration tasks. 
A successful attack could lead to the deployment of a VIP Keylogger or other malware, as noted in the provided references.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging (Event ID 4104) to provide the necessary data for detection.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003ePowerShell PInvoke Process Injection\u003c/code\u003e to your SIEM and tune the rule to your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the specific API chains identified in the \u003ccode\u003edetection\u003c/code\u003e section of the rule; a lone \u003ccode\u003eOpenProcess\u003c/code\u003e or \u003ccode\u003eVirtualAlloc\u003c/code\u003e declaration is common in administrative tooling, whereas the allocate, write and \u003ccode\u003eCreateRemoteThread\u003c/code\u003e trio in one script block rarely is.\u003c/li\u003e\n\u003cli\u003eDo not rely on the PowerShell execution policy to block unsigned scripts: it is a convenience setting, bypassed with \u003ccode\u003e-ExecutionPolicy Bypass\u003c/code\u003e or by passing script text on the command line. Restrict script execution with application control (WDAC or AppLocker), which also places scripts outside the policy into Constrained Language Mode.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:23:00Z","date_published":"2024-01-03T18:23:00Z","id":"/briefs/2024-01-powershell-pinvoke-process-injection/","summary":"This analytic detects PowerShell code that uses P/Invoke to call Windows API functions associated with process injection, such as VirtualAlloc, WriteProcessMemory, and CreateRemoteThread, indicating potential malicious activity.","title":"PowerShell P/Invoke Process Injection API Chain Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-powershell-pinvoke-process-injection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["powershell","cryptography","malware","asyncrat","xworm","vip keylogger"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis threat brief focuses on detecting suspicious PowerShell activity involving the System.Security.Cryptography namespace, excluding common hashing algorithms like SHA and MD5. 
The detection leverages Windows PowerShell Script Block Logging (EventCode 4104) to identify scripts using cryptographic functions. This is significant because malware often uses cryptography to decrypt or decode additional malicious payloads, which can lead to further code execution, privilege escalation, or persistence within the compromised environment. The technique is commonly used by malware families like AsyncRAT, XWorm, and VIP Keylogger. Defenders should investigate the parent process of such scripts, the decrypted data, network connections established by the script, and the user context in which the script is executed.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system, possibly through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a PowerShell script on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script utilizes the \u003ccode\u003eSystem.Security.Cryptography\u003c/code\u003e namespace to perform cryptographic operations.\u003c/li\u003e\n\u003cli\u003eThe script decrypts or decodes a malicious payload (e.g., a second-stage executable or configuration file).\u003c/li\u003e\n\u003cli\u003eThe decrypted payload is written to disk or loaded directly into memory.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the decrypted payload, potentially establishing persistence via registry keys or scheduled tasks.\u003c/li\u003e\n\u003cli\u003eThe malware leverages the established persistence mechanism for long-term access.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious actions such as data exfiltration, lateral movement, or remote command execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to bypass security measures by hiding malicious code within encrypted payloads. 
This can lead to data theft, system compromise, and further propagation within the network. Malware families like AsyncRAT, XWorm, and VIP Keylogger use this technique to maintain persistence and perform malicious activities undetected. The impact can range from individual workstation compromise to large-scale data breaches depending on the attacker\u0026rsquo;s objectives and the compromised system\u0026rsquo;s role within the organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging on all endpoints to generate the necessary logs (EventCode 4104) for detection.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious PowerShell Cryptography Namespace Usage\u003c/code\u003e to your SIEM to detect the described activity.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the parent process, decrypted data, network connections, and the user executing the script.\u003c/li\u003e\n\u003cli\u003eReview and tune the Sigma rule \u003ccode\u003eDetect Suspicious PowerShell Cryptography Namespace Usage\u003c/code\u003e based on your environment\u0026rsquo;s specific needs and known-good PowerShell usage to reduce false positives.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unsigned or untrusted PowerShell scripts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:00:00Z","date_published":"2024-01-03T18:00:00Z","id":"/briefs/2024-01-powershell-cryptography/","summary":"The analytic detects suspicious PowerShell script execution involving the cryptography namespace (excluding SHA and MD5) via EventCode 4104, often associated with malware that decrypts or decodes additional malicious payloads leading to further code execution, privilege escalation, or persistence.","title":"Suspicious PowerShell Script Using Cryptography 
Namespace","url":"https://feed.craftedsignal.io/briefs/2024-01-powershell-cryptography/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Defender Advanced Threat Protection"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","powershell","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies PowerShell scripts that combine Base64 encoding with .NET compression (Deflate/GZip) to conceal a payload. Attackers use the combination so that the payload is only decoded and decompressed in memory and never appears as plain text on disk; the compressed, encoded form also defeats detections that match on static script content. The rule focuses on script block content exhibiting this behavior, giving defenders visibility into defense evasion attempts within their Windows environments. This rule was last updated on 2026-05-04; its initial version was created on 2021-10-19.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access through methods like phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eA PowerShell script is executed on the target system, potentially through a compromised user account.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script contains a Base64-encoded string representing a compressed payload.\u003c/li\u003e\n\u003cli\u003eThe script calls the \u003ccode\u003e[Convert]::FromBase64String\u003c/code\u003e method to decode the string into bytes.\u003c/li\u003e\n\u003cli\u003eThe script decompresses the decoded bytes using .NET compression classes such as \u003ccode\u003eSystem.IO.Compression.DeflateStream\u003c/code\u003e or \u003ccode\u003eSystem.IO.Compression.GZipStream\u003c/code\u003e, typically wrapped in a \u003ccode\u003eStreamReader\u003c/code\u003e so the result is a string.\u003c/li\u003e\n\u003cli\u003eThe decompressed data reveals a malicious payload, such as a reverse 
shell or credential theft tool.\u003c/li\u003e\n\u003cli\u003eThe script hands the reconstructed text to the interpreter, typically via \u003ccode\u003eInvoke-Expression\u003c/code\u003e, so it runs in memory and bypasses file-based detection.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as gaining persistent access, stealing data, or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to complete system compromise, data theft, and deployment of malware such as ransomware. The obfuscation makes detection more difficult and increases attacker dwell time. Windows systems are affected. The technique targets controls that inspect script text statically, including signature matching in endpoint products; it does not blind script block logging, which records the decompressed code as a separate script block when it is executed, so the reconstructed payload is normally available in a follow-on Event ID 4104 record.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging to capture the events the rule\u0026rsquo;s logsource requires.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;PowerShell Suspicious Payload Encoded and Compressed\u0026rdquo; to your SIEM and tune it for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the rule, focusing on the reconstructed script block content: decode and decompress the Base64 argument offline rather than executing it, and look for the 4104 record that follows it.\u003c/li\u003e\n\u003cli\u003eDo not treat the PowerShell execution policy as a control against untrusted scripts; use application control (WDAC or AppLocker) to restrict which scripts may run in Full Language Mode.\u003c/li\u003e\n\u003cli\u003eMonitor process telemetry for PowerShell instances and their parent processes.\u003c/li\u003e\n\u003cli\u003eRestrict PowerShell execution to trusted administrative paths where feasible.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:00:00Z","date_published":"2024-01-03T18:00:00Z","id":"/briefs/2024-01-powershell-compressed-payload/","summary":"Detects PowerShell scripts employing Base64 decoding combined with .NET decompression (Deflate/GZip) to deobfuscate and reconstruct malicious payloads in 
memory, evading traditional defenses.","title":"PowerShell Suspicious Payload Encoded and Compressed","url":"https://feed.craftedsignal.io/briefs/2024-01-powershell-compressed-payload/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","obfuscation","powershell"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eInvoke-Obfuscation is a PowerShell obfuscation framework used to evade detection by security products. Attackers employ this technique to disguise malicious PowerShell code, making it harder to identify through static analysis or signature-based detection. This particular technique involves passing obfuscated PowerShell code via standard input (stdin) to the PowerShell interpreter. This method is often employed during the execution of scripts, where malicious code is dynamically constructed and executed, leaving a reduced footprint on the file system. Defenders should be aware of this technique because it is frequently used by threat actors in conjunction with other tactics to compromise systems and execute malicious payloads. 
This brief provides actionable detection strategies focused on identifying this specific obfuscation pattern.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access through a vulnerability or other means (not covered in this brief).\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a small, initial-stage script or binary to the target system.\u003c/li\u003e\n\u003cli\u003eThis script prepares the environment for PowerShell execution, potentially setting environment variables or disabling security features.\u003c/li\u003e\n\u003cli\u003eThe script then calls \u003ccode\u003epowershell.exe\u003c/code\u003e with parameters designed to accept input from stdin.\u003c/li\u003e\n\u003cli\u003eObfuscated PowerShell code generated by Invoke-Obfuscation is piped into the \u003ccode\u003epowershell.exe\u003c/code\u003e process via stdin. This code often contains commands to download, execute, or further obfuscate malicious payloads.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003epowershell.exe\u003c/code\u003e process executes the obfuscated code from stdin, bypassing some common detection rules.\u003c/li\u003e\n\u003cli\u003eThe deobfuscated code performs malicious actions such as lateral movement, data exfiltration, or persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, which may include data theft, system compromise, or deployment of ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to a full compromise of the targeted system, potentially impacting other systems within the network. Obfuscation makes incident response more difficult, as identifying and analyzing the malicious code requires additional effort. Affected systems could suffer data loss, service disruption, or financial damage. 
The use of Invoke-Obfuscation is a deliberate attempt to evade security controls; because the framework is public and easy to run, it does not by itself indicate a sophisticated adversary.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Invoke-Obfuscation Via Stdin\u003c/code\u003e to your SIEM to detect obfuscated PowerShell execution via standard input based on command-line patterns.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging on Windows endpoints, ensuring that command-line arguments are captured; the rule matches on the launcher\u0026rsquo;s command line, not on the script text that arrives over stdin.\u003c/li\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging (Event ID 4104) alongside it: the code piped through stdin never appears in the process command line, but it is logged as a script block when the interpreter runs it.\u003c/li\u003e\n\u003cli\u003eInvestigate any process creation events where \u003ccode\u003epowershell.exe\u003c/code\u003e is executed with parameters that suggest input from stdin along with obfuscated code patterns, and pivot to the 4104 records for that process to recover the executed code.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized PowerShell scripts, reducing the attack surface for Invoke-Obfuscation techniques.\u003c/li\u003e\n\u003cli\u003eContinuously update and refine detection rules to adapt to new obfuscation methods and variations of the Invoke-Obfuscation framework.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:30:00Z","date_published":"2024-01-03T15:30:00Z","id":"/briefs/2024-01-invoke-obfuscation-stdin/","summary":"This brief outlines detection strategies for adversaries leveraging Invoke-Obfuscation techniques within PowerShell scripts executed via standard input, a method commonly used to evade traditional detection mechanisms.","title":"Detection of Invoke-Obfuscation via Standard 
Input","url":"https://feed.craftedsignal.io/briefs/2024-01-invoke-obfuscation-stdin/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["PowerShell"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","file-download","powershell","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers frequently use PowerShell, a legitimate administration tool, to download malicious payloads into compromised systems. This technique allows them to bypass traditional security measures by leveraging a trusted tool. This activity often occurs during the command and control phase, where attackers introduce additional tooling or malware for further exploitation. This rule identifies instances where PowerShell downloads executable and script files from untrusted remote destinations. It does this by correlating network and file events, specifically looking for PowerShell processes initiating network connections to non-whitelisted domains followed by the creation of executable or script files. 
The rule helps defenders identify and respond to potential command-and-control activity and malware deployment attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system, possibly through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker uses PowerShell (powershell.exe, pwsh.exe, or powershell_ise.exe) to initiate a network connection to a remote domain.\u003c/li\u003e\n\u003cli\u003eThe DNS request is made to a domain not in the allowed list (e.g., not *.microsoft.com or *.azureedge.net).\u003c/li\u003e\n\u003cli\u003ePowerShell downloads a file with an executable extension (e.g., .exe, .dll, .ps1, .bat) or a file with an MZ header.\u003c/li\u003e\n\u003cli\u003eThe downloaded file is written to disk.\u003c/li\u003e\n\u003cli\u003eThe write location is not one of the commonly used temporary directories the rule excludes.\u003c/li\u003e\n\u003cli\u003eThe downloaded executable or script is then executed, leading to further malicious activities.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence, lateral movement, or data exfiltration depending on the downloaded payload.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the introduction of malware, backdoors, or other malicious tools into the compromised system. This can enable attackers to perform a wide range of malicious activities, including data theft, system compromise, and further propagation within the network. 
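The network-to-file correlation the brief describes, as an added example over constructed events (this is not Elastic's rule or its query). The two allowlisted domain patterns come from the brief; the event field names, the 30-second window, the extra extensions, the `Header` field standing in for the MZ check, and the path exclusion are assumptions:

```python
"""Correlate a PowerShell connection to a non-allowlisted domain with a later executable or
script file write by the same process. Added example; not Elastic's rule. Field names, window,
extra extensions, the Header field and the path exclusion are assumptions."""
from fnmatch import fnmatch

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# The brief names .exe/.dll/.ps1/.bat; the remaining extensions are an assumption.
EXECUTABLE_EXTS = {".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".scr"}
ALLOWED_DOMAINS = ("*.microsoft.com", "*.azureedge.net")   # from the brief; extend per environment
EXCLUDED_PATH_GLOBS = ("*\\chocolatey\\lib\\*",)          # constructed example of a package cache
WINDOW_SECONDS = 30


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def domain_allowed(domain):
    d = domain.lower().rstrip(".")
    return any(fnmatch(d, pat) for pat in ALLOWED_DOMAINS)


def path_excluded(path):
    return any(fnmatch(path.lower(), pat.lower()) for pat in EXCLUDED_PATH_GLOBS)


def is_executable_file(ev):
    """Executable by extension, or by an MZ header reported by the sensor (assumed field)."""
    name = basename(ev.get("TargetFilename", ""))
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    return ext in EXECUTABLE_EXTS or ev.get("Header") == "MZ"


def correlate(events):
    """events: dicts with ts (epoch seconds), category ('network' or 'file'), host, pid, image,
    and either domain or TargetFilename. Returns one alert per untrusted-connection/file pair."""
    pending = {}  # (host, pid) -> most recent connection to a non-allowlisted domain
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if basename(ev.get("image", "")) not in POWERSHELL_IMAGES:
            continue
        key = (ev["host"], ev["pid"])
        if ev["category"] == "network":
            if not domain_allowed(ev["domain"]):
                pending[key] = ev  # an allowlisted connection does not clear earlier suspicion
        elif ev["category"] == "file":
            net = pending.get(key)
            if not net or ev["ts"] - net["ts"] > WINDOW_SECONDS:
                continue
            if path_excluded(ev["TargetFilename"]) or not is_executable_file(ev):
                continue
            alerts.append({"rule": "PowerShell Remote File Download", "host": ev["host"],
                           "pid": ev["pid"], "domain": net["domain"],
                           "file": ev["TargetFilename"], "delta_s": ev["ts"] - net["ts"]})
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": 100, "category": "network", "host": "WS01", "pid": 4321, "image": "powershell.exe",
     "domain": "cdn.stage-two.test"},
    {"ts": 105, "category": "file", "host": "WS01", "pid": 4321, "image": "powershell.exe",
     "TargetFilename": "C:\\Users\\jdoe\\AppData\\Roaming\\update.exe"},
    {"ts": 200, "category": "network", "host": "WS02", "pid": 777, "image": "pwsh.exe",
     "domain": "download.microsoft.com"},                                   # allowlisted
    {"ts": 203, "category": "file", "host": "WS02", "pid": 777, "image": "pwsh.exe",
     "TargetFilename": "C:\\Temp\\tool.exe"},
    {"ts": 300, "category": "network", "host": "WS03", "pid": 900, "image": "powershell.exe",
     "domain": "files.stage-two.test"},
    {"ts": 302, "category": "file", "host": "WS03", "pid": 900, "image": "powershell.exe",
     "TargetFilename": "C:\\ProgramData\\notes.txt"},                      # not executable
    {"ts": 400, "category": "file", "host": "WS03", "pid": 900, "image": "powershell.exe",
     "TargetFilename": "C:\\ProgramData\\run.dll"},                        # outside the window
    {"ts": 500, "category": "network", "host": "WS04", "pid": 55, "image": "powershell.exe",
     "domain": "mirror.stage-two.test"},
    {"ts": 501, "category": "file", "host": "WS04", "pid": 55, "image": "powershell.exe",
     "TargetFilename": "C:\\ProgramData\\chocolatey\\lib\\git\\tools\\git.exe"},  # excluded path
    {"ts": 502, "category": "file", "host": "WS04", "pid": 55, "image": "powershell.exe",
     "TargetFilename": "C:\\Users\\Public\\blob.dat", "Header": "MZ"},      # MZ, odd extension
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The `blob.dat` case is why the MZ check matters: renaming the download is the cheapest evasion of an extension list. The window is deliberately short; a loader that sleeps between download and write is better caught by the process's later execution telemetry than by widening it.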
The compromised system can become a beachhead for further attacks, potentially impacting numerous systems and leading to significant financial and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003ePowerShell Remote File Download\u003c/code\u003e to detect PowerShell processes downloading executable files from untrusted remote destinations by correlating network and file creation events.\u003c/li\u003e\n\u003cli\u003eEnable Elastic Defend to provide the necessary network and file event data for the rule to function correctly as noted in the \u003ca href=\"https://ela.st/install-elastic-defend\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the parent process of the PowerShell process, the reputation of the downloaded file, and any other suspicious activities on the affected host, as per the investigation guide in the rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eReview and customize the whitelisted domains in the Sigma rule to match your organization\u0026rsquo;s specific environment and trusted external resources, as described in the \u003ccode\u003equery\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eBlock the identified malicious domains or IP addresses at the network perimeter to prevent further downloads.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:25:00Z","date_published":"2024-01-03T15:25:00Z","id":"/briefs/2024-01-remote-file-download-powershell/","summary":"Detects PowerShell being used to download executable files from untrusted remote destinations, a common technique for attackers to introduce tooling or malware into a compromised environment.","title":"Remote File Download via 
PowerShell","url":"https://feed.craftedsignal.io/briefs/2024-01-remote-file-download-powershell/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic License v2"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","powershell","obfuscation"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection rule identifies PowerShell scripts employing concatenated string literals within dynamic invocation constructs like \u003ccode\u003e\u0026amp;()\u003c/code\u003e or \u003ccode\u003e.()\u003c/code\u003e. This obfuscation technique allows attackers to construct commands dynamically, making it harder to detect their malicious intent based on static analysis or keyword matching. By breaking commands into smaller, concatenated strings, attackers aim to bypass traditional signature-based detections and evade AMSI (Anti-Malware Scan Interface). This technique has been observed in various campaigns where threat actors attempt to execute malicious code while minimizing the chances of detection. 
This activity is particularly concerning for defenders, as it highlights a common method to bypass security measures.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes a PowerShell script on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script uses string concatenation to build malicious commands dynamically.\u003c/li\u003e\n\u003cli\u003eDynamic invocation constructs like \u003ccode\u003e\u0026amp;()\u003c/code\u003e or \u003ccode\u003e.()\u003c/code\u003e are used to execute the concatenated commands.\u003c/li\u003e\n\u003cli\u003eThe obfuscated commands bypass keyword-based detections and AMSI.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious activities, such as downloading additional payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the downloaded payloads to establish persistence or exfiltrate data.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as stealing sensitive information or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to complete system compromise, data theft, and potential ransomware deployment. Attackers can leverage this technique to evade security controls and execute malicious commands undetected. 
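An analyst-side reconstruction pass covering two obfuscation layers on this page: the Base64-encoded Deflate/GZip payloads of the encoded-and-compressed brief, and command names built from concatenated string literals inside `&()` or `.()` as described above. This is an added example, not either rule's logic. The loader text and the benign second-stage payload are constructed here so the decoder has something to work on offline; nothing in it executes PowerShell:

```python
"""Deobfuscation helpers: resolve &('a'+'b') / .('a'+'b') into the invoked name, and decode the
FromBase64String argument of Deflate/GZip loaders without executing it. Added example; the loader
format and the benign payload are constructed for the demo."""
import base64
import gzip
import re
import zlib

B64_ARG = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
COMPRESS_API = re.compile(r"(?i)IO\.Compression\.(Deflate|GZip)Stream")
QUOTED = r"(?:'[^']*'|\"[^\"]*\")"
CONCAT_INVOKE = re.compile(r"([&.])\(\s*(" + QUOTED + r"(?:\s*\+\s*" + QUOTED + r")+)\s*\)")


def flag_encoded_compressed(script):
    """Trigger condition of the encoded-and-compressed rule: Base64 decode plus a decompressor."""
    return bool(B64_ARG.search(script) and COMPRESS_API.search(script))


def resolve_concatenations(script):
    """Rewrite &('Inv'+'oke-Ex'+'pression') as &Invoke-Expression. Returns (script, [names])."""
    names = []

    def join(m):
        name = "".join(p[1:-1] for p in re.findall(QUOTED, m.group(2)))
        names.append(name)
        return m.group(1) + name

    return CONCAT_INVOKE.sub(join, script), names


def decompress_any(blob):
    """GZip when the magic bytes are present, else raw Deflate (what .NET DeflateStream writes)."""
    if blob[:2] == b"\x1f\x8b":
        return gzip.decompress(blob)
    return zlib.decompress(blob, -15)


def extract_payloads(script, depth=3):
    """Decode every FromBase64String argument, decompressing when the script also references a
    decompressor; recurse into decoded text so nested loaders unwrap, up to `depth` layers."""
    found = []
    if depth == 0:
        return found
    uses_compression = bool(COMPRESS_API.search(script))
    for m in B64_ARG.finditer(script):
        raw = base64.b64decode(m.group(1))
        if uses_compression:
            try:
                raw = decompress_any(raw)
            except (OSError, EOFError, zlib.error):
                pass  # decoded bytes were not compressed after all; keep them as-is
        text = raw.decode("utf-8", errors="replace")
        found.append(text)
        found.extend(extract_payloads(text, depth - 1))
    return found


def deobfuscate(script):
    normalized, names = resolve_concatenations(script)
    return {"normalized": normalized, "resolved_names": names,
            "compressed_loader": flag_encoded_compressed(script),
            "payloads": extract_payloads(normalized)}


def build_loader(payload, method="deflate"):
    """Construct the kind of one-liner the compressed-payload brief describes (demo input only)."""
    data = payload.encode()
    if method == "gzip":
        blob, cls = gzip.compress(data), "GZipStream"
    else:
        c = zlib.compressobj(wbits=-15)           # raw Deflate, no zlib header
        blob, cls = c.compress(data) + c.flush(), "DeflateStream"
    b64 = base64.b64encode(blob).decode()
    return ("&('Inv'+'oke-Ex'+'pression') (New-Object IO.StreamReader((New-Object IO.Compression."
            + cls + "([IO.MemoryStream][Convert]::FromBase64String('" + b64 + "'),"
            "[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()")


STAGE_TWO = "Write-Output 'stage two ran'"   # constructed benign payload

if __name__ == "__main__":
    result = deobfuscate(build_loader(STAGE_TWO))
    print(result["normalized"][:40], result["resolved_names"], result["payloads"])
```

Decoding offline is the point: the same bytes the script would feed to `Invoke-Expression` are recovered with a decompressor and a Base64 decoder, so triage never has to run the loader. The recursion handles the common case of one compressed stage wrapping another.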
The impact is high because it allows attackers to bypass common defenses and maintain persistence on the system, affecting potentially hundreds or thousands of systems across an organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging to capture the events necessary for this detection, as indicated in the setup instructions linked in the source material.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect PowerShell Obfuscation via String Concatenation\u003c/code\u003e to your SIEM and tune for your environment to detect the use of concatenated strings in PowerShell commands.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the Sigma rule, focusing on the reconstructed PowerShell commands and the processes that launched them, as outlined in the triage and analysis section of the source material.\u003c/li\u003e\n\u003cli\u003eMonitor for follow-on activities, such as child processes, file modifications, and network connections originating from PowerShell processes exhibiting obfuscation techniques.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-posh-concat-obfuscation/","summary":"This rule detects PowerShell scripts that build commands from concatenated string literals within dynamic invocation constructs, a technique used by attackers to obscure execution intent, bypass keyword-based detections, and evade AMSI.","title":"PowerShell Obfuscation via Concatenated Dynamic Command Invocation","url":"https://feed.craftedsignal.io/briefs/2024-01-posh-concat-obfuscation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud 
Funnel"],"_cs_severities":["medium"],"_cs_tags":["initial-access","execution","windows","powershell","script"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne"],"content_html":"\u003cp\u003eThis detection identifies PowerShell execution initiated by Windows Script Host processes (cscript.exe or wscript.exe). Attackers often use Windows Script Host (WSH) to execute malicious scripts as an initial access method. These scripts can act as droppers for second-stage payloads or download tools and utilities necessary for further compromise. The rule focuses on the parent-child process relationship between WSH and PowerShell, highlighting a common technique used to bypass security controls and execute arbitrary commands on a compromised system. This activity is relevant to defenders as it represents a potential entry point for various attacks, including malware deployment and data exfiltration. The detection logic is based on process execution events observed in Windows environments and is designed to work with data from Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, and Sysmon.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe user receives a phishing email with a malicious attachment (e.g., a .vbs or .js file).\u003c/li\u003e\n\u003cli\u003eThe user opens the attachment, which is processed by either wscript.exe or cscript.exe.\u003c/li\u003e\n\u003cli\u003eThe scripting engine executes the embedded malicious code.\u003c/li\u003e\n\u003cli\u003eThe script downloads a PowerShell script from a remote server or contains an embedded, obfuscated PowerShell command.\u003c/li\u003e\n\u003cli\u003eThe script uses wscript.exe or cscript.exe to launch powershell.exe to execute the downloaded or embedded PowerShell script.\u003c/li\u003e\n\u003cli\u003ePowerShell executes, performing malicious actions such as downloading additional payloads, modifying system settings, or 
establishing persistence.\u003c/li\u003e\n\u003cli\u003ePowerShell attempts to connect to external command-and-control servers to receive further instructions.\u003c/li\u003e\n\u003cli\u003eThe attacker gains initial access to the system and can proceed with lateral movement, data exfiltration, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to initial access, allowing attackers to deploy malware, steal sensitive information, or perform other malicious activities. The impact can range from data breaches and financial losses to reputational damage. The severity depends on the attacker\u0026rsquo;s objectives and the level of access they gain. The number of affected systems depends on the scope of the phishing campaign or other initial access methods used to deliver the malicious script.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture the necessary event data for the rules below.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate process execution chains where cscript.exe or wscript.exe spawn powershell.exe using the provided Sigma rules.\u003c/li\u003e\n\u003cli\u003eImplement email security measures to block phishing emails with script attachments.\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from PowerShell processes for suspicious outbound traffic.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"/briefs/2024-01-script-powershell-execution/","summary":"Detection of PowerShell processes launched by cscript.exe or wscript.exe, indicative of potential malicious initial access or execution attempts.","title":"Suspicious PowerShell Execution via 
Windows Script Host","url":"https://feed.craftedsignal.io/briefs/2024-01-script-powershell-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["powershell","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Lenovo","PDQ.com Corporation","Dell Technologies Inc.","Chocolatey Software, Inc","Docker Inc"],"content_html":"\u003cp\u003eAttackers can leverage the PowerShell engine without directly executing \u003ccode\u003epowershell.exe\u003c/code\u003e. This technique, often referred to as \u0026ldquo;PowerShell without PowerShell,\u0026rdquo; hosts the engine from the underlying System.Management.Automation assembly inside another process. It lets attackers sidestep controls keyed on the \u003ccode\u003epowershell.exe\u003c/code\u003e image name, such as allowlisting rules or EDR detections that block or watch that binary, and so operate more stealthily. Detection is harder because process-based PowerShell telemetry does not capture the activity; script block logging is implemented in the engine itself and still records script blocks run by a custom host, provided the host loads the current engine rather than the legacy v2 engine, which has no script block logging. The activity is detected by monitoring which processes load the System.Management.Automation.dll or System.Management.Automation.ni.dll libraries. The load is legitimate for products that embed the PowerShell engine in their own executables (the vendors listed for this brief are examples), so exclusions are expected.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means, such as exploiting a vulnerability or using compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys a custom tool or script on the target system. 
This tool is designed to interact with the System.Management.Automation namespace directly.\u003c/li\u003e\n\u003cli\u003eThe custom tool loads the \u003ccode\u003eSystem.Management.Automation.dll\u003c/code\u003e or \u003ccode\u003eSystem.Management.Automation.ni.dll\u003c/code\u003e library into its process space.\u003c/li\u003e\n\u003cli\u003eThe tool uses the loaded PowerShell engine to execute malicious commands or scripts without invoking \u003ccode\u003epowershell.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker performs reconnaissance activities, such as gathering system information or network configurations, using PowerShell commands.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to move laterally within the network, leveraging the PowerShell engine to execute commands on other systems.\u003c/li\u003e\n\u003cli\u003eThe attacker installs malware or backdoors using the PowerShell engine to maintain persistence within the compromised environment.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or causes damage to the system, completing the objectives of the attack.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack leveraging \u0026ldquo;PowerShell without PowerShell\u0026rdquo; can lead to significant compromise of Windows systems. Attackers can bypass traditional security measures, potentially leading to data theft, system disruption, or the installation of persistent malware. 
The technique\u0026rsquo;s stealthy nature can prolong the time to detection, increasing the potential for widespread damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious PowerShell Engine ImageLoad\u003c/code\u003e to your SIEM to detect when the \u003ccode\u003eSystem.Management.Automation.dll\u003c/code\u003e or \u003ccode\u003eSystem.Management.Automation.ni.dll\u003c/code\u003e libraries are loaded by unexpected processes.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the process execution chain (parent process tree) for unknown processes.\u003c/li\u003e\n\u003cli\u003eImplement endpoint detection and response (EDR) solutions like Elastic Defend to provide visibility into process behavior and library loading events, activating the \u003ccode\u003eprocess_creation\u003c/code\u003e and \u003ccode\u003eimage_load\u003c/code\u003e log sources.\u003c/li\u003e\n\u003cli\u003eReview and tune exclusions to the Sigma rule based on legitimate vendor applications to reduce false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:00:00Z","date_published":"2024-01-03T14:00:00Z","id":"/briefs/2024-01-suspicious-powershell-imageload/","summary":"This rule identifies instances where the PowerShell engine is loaded by processes other than powershell.exe, potentially indicating attackers attempting to use PowerShell functionality stealthily by using the underlying System.Management.Automation namespace and bypassing PowerShell security features.","title":"Suspicious PowerShell Engine ImageLoad","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-powershell-imageload/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","CrowdStrike","SentinelOne Cloud Funnel","Elastic 
Defend"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","powershell","firewall","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers often attempt to disable or modify system firewalls to evade network restrictions and facilitate lateral movement within a compromised environment. The Windows Firewall, a built-in component, provides host-based traffic filtering. Disabling it allows unrestricted communication, aiding command and control activities and hindering detection efforts. This activity is commonly achieved through PowerShell, leveraging cmdlets like \u003ccode\u003eSet-NetFirewallProfile\u003c/code\u003e. The rule focuses on detecting the use of this specific cmdlet to disable the Windows Firewall, alerting defenders to potential defense evasion attempts. This technique is valuable to attackers across various attack vectors, especially after initial access has been established.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access through methods such as phishing or exploiting a vulnerability in a network-facing application.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation (if necessary): The attacker escalates privileges to gain the necessary permissions to modify firewall settings.\u003c/li\u003e\n\u003cli\u003ePowerShell Execution: The attacker executes PowerShell, either through an interactive session or a script.\u003c/li\u003e\n\u003cli\u003eDisable Firewall Profile: The attacker uses the \u003ccode\u003eSet-NetFirewallProfile\u003c/code\u003e cmdlet with parameters such as \u003ccode\u003e-Enabled False\u003c/code\u003e to disable the firewall for all, public, domain, or private profiles.\u003c/li\u003e\n\u003cli\u003eNetwork Reconnaissance: With the firewall disabled, the attacker performs network reconnaissance to identify valuable assets and potential lateral 
movement paths.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker moves laterally to other systems on the network, exploiting trust relationships or vulnerabilities.\u003c/li\u003e\n\u003cli\u003eCommand and Control: The attacker establishes command and control channels to communicate with compromised systems and exfiltrate sensitive data.\u003c/li\u003e\n\u003cli\u003eData Exfiltration or Further Exploitation: The attacker exfiltrates sensitive data or continues to exploit the environment based on their objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful disabling of the Windows Firewall can lead to unrestricted lateral movement within a network, allowing attackers to compromise additional systems and exfiltrate sensitive data. This can result in data breaches, financial losses, and reputational damage. While the source does not specify the number of affected organizations, any environment relying on Windows Firewall for network segmentation is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect the use of \u003ccode\u003eSet-NetFirewallProfile\u003c/code\u003e with the \u003ccode\u003e-Enabled False\u003c/code\u003e parameter (see Sigma rule below).\u003c/li\u003e\n\u003cli\u003eEnable process creation logging on Windows endpoints to capture PowerShell executions (reference the logsource in the Sigma rule).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the legitimacy of the firewall modification activity.\u003c/li\u003e\n\u003cli\u003eReview and enforce the principle of least privilege to limit the number of users with permissions to modify firewall settings.\u003c/li\u003e\n\u003cli\u003eConsider implementing additional network segmentation and monitoring controls to detect and prevent lateral movement even if the 
Windows Firewall is disabled.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-powershell-firewall-disable/","summary":"Attackers may disable the Windows firewall or its rules using the `Set-NetFirewallProfile` PowerShell cmdlet to enable lateral movement and command and control activity.","title":"Windows Firewall Disabled via PowerShell","url":"https://feed.craftedsignal.io/briefs/2024-01-powershell-firewall-disable/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","CrowdStrike","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","powershell","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","CrowdStrike","SentinelOne","Elastic"],"content_html":"\u003cp\u003eAttackers may attempt to evade detection by modifying Windows Defender\u0026rsquo;s configuration to exclude specific files, folders, or processes from scanning. This is often achieved by using PowerShell commands to add exclusions. The tactic allows malware to operate without being detected by the built-in antivirus solution. Observed as early as 2018 with Trickbot disabling Windows Defender, this technique remains relevant today. This activity can be performed using \u003ccode\u003eAdd-MpPreference\u003c/code\u003e or \u003ccode\u003eSet-MpPreference\u003c/code\u003e commands in PowerShell, specifying exclusions by path or process name. Detecting these modifications is critical for maintaining the integrity of endpoint security. 
The scope of targeting ranges from individual workstations to entire networks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system via an undisclosed method.\u003c/li\u003e\n\u003cli\u003eThe attacker executes PowerShell with administrative privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eAdd-MpPreference\u003c/code\u003e or \u003ccode\u003eSet-MpPreference\u003c/code\u003e cmdlet to add an exclusion.\u003c/li\u003e\n\u003cli\u003eThe exclusion specifies a file path, folder, or process that should be ignored by Windows Defender.\u003c/li\u003e\n\u003cli\u003eWindows Defender is reconfigured to ignore the specified item.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys or executes malware in the excluded location.\u003c/li\u003e\n\u003cli\u003eThe malware operates without interference from Windows Defender.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data theft or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to operate undetected on compromised systems, leading to potential data breaches, lateral movement within the network, and deployment of ransomware. While the exact number of victims is unknown, this technique is widely used by various threat actors, impacting organizations across various sectors. 
The lack of detection can lead to prolonged periods of compromise, increasing the potential damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Windows Defender Exclusions Added via PowerShell\u0026rdquo; to your SIEM to detect suspicious PowerShell commands used to add exclusions.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging with command line auditing to capture the necessary event data for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eRegularly review Windows Defender exclusion lists to identify any unauthorized or suspicious entries.\u003c/li\u003e\n\u003cli\u003eInvestigate any PowerShell process that uses \u003ccode\u003eAdd-MpPreference\u003c/code\u003e or \u003ccode\u003eSet-MpPreference\u003c/code\u003e with exclusion parameters, as identified by the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eMonitor for processes and file modifications within excluded directories.\u003c/li\u003e\n\u003cli\u003eConfigure alerts to notify security teams when new Windows Defender exclusions are added.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-defender-exclusion-powershell/","summary":"Adversaries may attempt to bypass Windows Defender's capabilities by using PowerShell to add exclusions for folders or processes, and this activity can be detected by monitoring PowerShell command lines that use `Add-MpPreference` or `Set-MpPreference` with exclusion parameters.","title":"Windows Defender Exclusions Added via 
PowerShell","url":"https://feed.craftedsignal.io/briefs/2024-01-defender-exclusion-powershell/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","token-obfuscation","powershell"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers are increasingly using PowerShell token obfuscation techniques to bypass security measures. This involves manipulating PowerShell command syntax to make it harder for security tools to identify malicious code. This technique leverages Invoke-Obfuscation, a known framework for obfuscating PowerShell scripts. This method allows malicious actors to disguise commands, such as downloading and executing arbitrary code, making traditional signature-based detections less effective. The use of token obfuscation highlights the need for more sophisticated detection strategies that focus on identifying anomalous behavior rather than relying solely on static code analysis. The scope of this threat is broad, as it can be incorporated into various attack vectors, from initial access to lateral movement.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains initial access through an undisclosed method (e.g., phishing, exploit).\u003c/li\u003e\n\u003cli\u003ePowerShell Execution: The attacker initiates a PowerShell process (powershell.exe).\u003c/li\u003e\n\u003cli\u003eToken Obfuscation: The attacker employs token obfuscation techniques, such as inserting backticks (\u003ccode\u003e`\u003c/code\u003e), using string concatenation, or manipulating environment variables, to disguise malicious commands. 
Examples from the source include \u003ccode\u003eIN`V`o`Ke-eXp`ResSIOn\u003c/code\u003e and \u003ccode\u003e${e`Nv:pATh}\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eCommand Obfuscation: The obfuscated PowerShell command is executed, masking the intent of the command.\u003c/li\u003e\n\u003cli\u003ePayload Download: The obfuscated command may download a malicious payload from a remote server using methods such as \u003ccode\u003e(New-Object Net.WebClient).DownloadString\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eCode Execution: The downloaded payload is executed, potentially leading to further compromise of the system.\u003c/li\u003e\n\u003cli\u003ePersistence: The attacker may establish persistence through various methods.\u003c/li\u003e\n\u003cli\u003eLateral Movement/Exfiltration: Depending on the attacker\u0026rsquo;s objectives, they may move laterally within the network or exfiltrate sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation using PowerShell token obfuscation can lead to complete system compromise, data theft, and disruption of services. The obfuscation techniques make it difficult for traditional security tools to detect and prevent the attack. 
The number of victims and sectors targeted is currently unknown, but the potential impact is significant due to the widespread use of PowerShell in enterprise environments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Powershell Token Obfuscation with Backticks\u0026rdquo; to identify PowerShell commands containing backtick-obfuscated tokens in \u003ccode\u003eprocess_creation\u003c/code\u003e logs.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Powershell Token Obfuscation with String Concatenation\u0026rdquo; to identify PowerShell commands using string concatenation to obfuscate tokens in \u003ccode\u003eprocess_creation\u003c/code\u003e logs.\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003eprocess_creation\u003c/code\u003e logs for PowerShell processes executing commands with environment variable manipulation, as described in the Sigma rules provided.\u003c/li\u003e\n\u003cli\u003eInvestigate any PowerShell processes that exhibit obfuscation techniques to determine if they are malicious.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-powershell-token-obfuscation/","summary":"Adversaries employ token obfuscation techniques within PowerShell commands to evade detection by security tools, leveraging methods such as character insertion, string concatenation, and environment variable manipulation to mask their malicious intent.","title":"PowerShell Token Obfuscation via Process Creation","url":"https://feed.craftedsignal.io/briefs/2024-01-powershell-token-obfuscation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Endpoint Security","Octopus Deploy"],"_cs_severities":["medium"],"_cs_tags":["powershell","encryption","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Octopus 
Deploy"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of PowerShell scripts utilizing .NET cryptography APIs for file encryption or decryption. Attackers often leverage these capabilities to encrypt data for impact, potentially leading to data exfiltration or ransomware deployment, or to decrypt staged payloads, circumventing traditional security measures. Defenders should be aware of PowerShell scripts employing symmetric cryptography classes (AES/Rijndael, SymmetricAlgorithm), key derivation helpers (PasswordDeriveBytes, Rfc2898DeriveBytes), explicit cipher configurations (CipherMode, PaddingMode), and functions that generate encryptors/decryptors. Identifying such scripts is crucial for preventing both data compromise and the execution of malicious payloads. This detection specifically targets Windows systems where PowerShell is commonly used for both legitimate administration and malicious activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the target system (e.g., via compromised credentials or a phishing attack).\u003c/li\u003e\n\u003cli\u003eAttacker uploads or stages a PowerShell script containing encryption/decryption capabilities.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script utilizes .NET cryptography APIs (e.g., \u003ccode\u003eAESManaged\u003c/code\u003e, \u003ccode\u003eRijndaelManaged\u003c/code\u003e, \u003ccode\u003ePasswordDeriveBytes\u003c/code\u003e, \u003ccode\u003eRfc2898DeriveBytes\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe script configures the cipher using \u003ccode\u003eCipherMode\u003c/code\u003e and \u003ccode\u003ePaddingMode\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe script invokes \u003ccode\u003e.CreateEncryptor()\u003c/code\u003e or \u003ccode\u003e.CreateDecryptor()\u003c/code\u003e methods to initialize the cryptographic operation.\u003c/li\u003e\n\u003cli\u003eIf encrypting, the 
script iterates through target files, encrypting their content and potentially renaming or deleting originals.\u003c/li\u003e\n\u003cli\u003eIf decrypting, the script processes an encrypted payload, converting it to executable form or writing it to a new artifact.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the decrypted payload or exfiltrates the encrypted data, completing their objective.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to significant data loss, system downtime, and financial damage. Data encryption for impact can render systems unusable, while the decryption of staged payloads can introduce malware into the environment. The number of victims can vary widely depending on the scope of the attack, ranging from individual workstations to entire networks. Targeted sectors may include any organization reliant on Windows-based systems, with potential consequences including operational disruption, reputational damage, and regulatory fines.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging to capture the events required for detection, specifically event ID 4104, as detailed in the \u003ca href=\"https://ela.st/powershell-logging-setup\"\u003eElastic PowerShell logging setup guide\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003ePowerShell Script with Encryption/Decryption Capabilities\u003c/code\u003e to your SIEM to detect suspicious PowerShell scripts utilizing .NET cryptography APIs.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts triggered by the Sigma rule, focusing on \u003ccode\u003epowershell.file.script_block_text\u003c/code\u003e to understand the cryptographic intent and data flow.\u003c/li\u003e\n\u003cli\u003eTune the Sigma rule by adding exceptions for legitimate PowerShell scripts that use encryption, referencing the 
\u0026ldquo;False positive analysis\u0026rdquo; section in this brief.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-powershell-encryption/","summary":"PowerShell scripts employing .NET cryptography APIs are used to encrypt data for impact or decrypt payloads for defense evasion.","title":"PowerShell Script with Encryption/Decryption Capabilities","url":"https://feed.craftedsignal.io/briefs/2024-01-03-powershell-encryption/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["PowerShell"],"_cs_severities":["high"],"_cs_tags":["process-injection","powershell","pinvoke"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis brief focuses on the detection of PowerShell scripts utilizing Platform Invoke (P/Invoke) to perform process injection. P/Invoke allows managed code (PowerShell) to call native, unmanaged code (Windows API functions). Adversaries leverage this capability to inject malicious code into other processes, bypassing traditional defenses. This activity is identified through PowerShell script block logging (Event ID 4104). The detection strategy covers both the compile phase (detecting inline .NET class definitions with DllImport declarations) and the execution phase (detecting static method invocation patterns using ::MethodName syntax with execution context indicators). This ensures broad coverage, even when pre-compiled assemblies are loaded. 
The techniques detected cover a wide range of process injection methods, increasing the likelihood of detection against various attack vectors.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker executes a PowerShell script containing malicious code designed for process injection.\u003c/li\u003e\n\u003cli\u003eThe script uses \u003ccode\u003eAdd-Type -TypeDefinition\u003c/code\u003e to define a .NET class inline, embedding C# source code that includes \u003ccode\u003e[DllImport]\u003c/code\u003e declarations for Windows API functions.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eDllImport\u003c/code\u003e attribute specifies the native DLL (e.g., kernel32.dll, ntdll.dll) and the function name to import.\u003c/li\u003e\n\u003cli\u003eThe script declares external functions like \u003ccode\u003eVirtualAlloc\u003c/code\u003e, \u003ccode\u003eWriteProcessMemory\u003c/code\u003e, \u003ccode\u003eCreateRemoteThread\u003c/code\u003e, \u003ccode\u003eNtCreateSection\u003c/code\u003e, and \u003ccode\u003eNtMapViewOfSection\u003c/code\u003e using \u003ccode\u003eextern \u0026lt;ReturnType\u0026gt; \u0026lt;FunctionName\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe script uses static method invocation (e.g., \u003ccode\u003e[IntPtr]::Zero\u003c/code\u003e, \u003ccode\u003e[Marshal]::Copy\u003c/code\u003e) to call the declared functions.\u003c/li\u003e\n\u003cli\u003eThe script allocates memory in the target process using \u003ccode\u003eVirtualAllocEx\u003c/code\u003e or \u003ccode\u003eNtAllocateVirtualMemory\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malicious code (shellcode or DLL) is written to the allocated memory using \u003ccode\u003eWriteProcessMemory\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eA new thread is created in the target process to execute the injected code using \u003ccode\u003eCreateRemoteThread\u003c/code\u003e or 
\u003ccode\u003eRtlCreateUserThread\u003c/code\u003e. Alternatively, APC injection uses \u003ccode\u003eQueueUserAPC\u003c/code\u003e to queue an Asynchronous Procedure Call in the target process.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful process injection allows attackers to execute arbitrary code within the context of a legitimate process. This can lead to privilege escalation, credential theft, and persistence. Process injection can also be used to bypass security software and gain unauthorized access to sensitive data. This technique has been observed in malware campaigns associated with VIP Keylogger and similar threats, leading to data exfiltration and system compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell script block logging (Event ID 4104) to capture the necessary data for detection.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect malicious PowerShell scripts using P/Invoke for process injection.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules, focusing on processes that exhibit suspicious API call patterns.\u003c/li\u003e\n\u003cli\u003eReview and tune the Sigma rules based on your environment to minimize false positives and ensure accurate detection.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-powershell-pinvoke-injection/","summary":"This brief details detection of PowerShell scripts leveraging P/Invoke API calls to perform process injection, covering techniques like self-injection, remote thread injection, APC injection, thread-context hijacking, process hollowing, section-map injection, reflective DLL loading, and DLL injection.","title":"PowerShell P/Invoke API Chain for Process 
Injection","url":"https://feed.craftedsignal.io/briefs/2024-01-powershell-pinvoke-injection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["PowerShell"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","powershell","obfuscation","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies PowerShell scripts that repeatedly concatenate quoted string literals using the \u003ccode\u003e+\u003c/code\u003e operator. Attackers use this technique to obfuscate malicious commands, URLs, or tokens, thereby evading static analysis and Anti-Malware Scan Interface (AMSI). The rule focuses on scripts with a script block length greater than 500 characters to reduce false positives. Successful exploitation allows attackers to execute malicious code without detection. This behavior matters for defenders as it bypasses traditional security measures that rely on static code analysis. This rule has been in production since 2025 and was updated in April 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means (e.g., phishing, exploit).\u003c/li\u003e\n\u003cli\u003eThe attacker uploads or introduces a PowerShell script containing obfuscated code via string concatenation.\u003c/li\u003e\n\u003cli\u003eThe script is executed using \u003ccode\u003epowershell.exe\u003c/code\u003e, potentially with arguments to bypass execution policies.\u003c/li\u003e\n\u003cli\u003ePowerShell interprets the script, which dynamically assembles commands by concatenating multiple string literals.\u003c/li\u003e\n\u003cli\u003eThe dynamically assembled commands execute malicious actions, such as downloading a payload from a remote server.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload is saved to disk or executed directly in memory.\u003c/li\u003e\n\u003cli\u003eThe payload establishes 
persistence using registry keys or scheduled tasks.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful obfuscation can lead to the execution of arbitrary code, bypassing security measures, and potentially leading to system compromise. Consequences include data theft, system disruption, or ransomware deployment. The number of potential victims is broad, encompassing any Windows system running PowerShell. This technique can affect any sector.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging to capture the full script content (referenced in the rule\u0026rsquo;s \u003ccode\u003eData Source: PowerShell Logs\u003c/code\u003e tag and the \u003ccode\u003esetup\u003c/code\u003e section of the source).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM and tune the \u003ccode\u003eEsql.script_block_pattern_count\u003c/code\u003e threshold based on your environment (see \u003ccode\u003erules\u003c/code\u003e section below).\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by this rule, focusing on the reconstructed PowerShell script and its execution context (see \u003ccode\u003enote\u003c/code\u003e section of the source).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-posh-string-concat/","summary":"This rule detects PowerShell scripts employing string concatenation to evade static analysis and AMSI by fragmenting keywords or URLs at runtime.","title":"PowerShell Obfuscation via String 
Concatenation","url":"https://feed.craftedsignal.io/briefs/2024-01-posh-string-concat/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["powershell","obfuscation","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection identifies PowerShell scripts employing character array reconstruction to obfuscate their contents. This technique involves building strings from \u003ccode\u003echar[]\u003c/code\u003e arrays, index lookups, or repeated \u003ccode\u003e([char]NN)+\u003c/code\u003e concatenation/join operations. Threat actors leverage this method to conceal malicious commands, URLs, or payloads, making them difficult to detect through static analysis and AMSI (Anti-Malware Scan Interface). The rule focuses on identifying scripts containing these character array manipulation patterns, enabling security teams to uncover potentially malicious PowerShell activity that would otherwise be missed. 
This technique is especially useful for attackers to evade detection in environments where PowerShell logging is enabled but not actively monitored for obfuscated code.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains initial access through various means, such as phishing emails, compromised credentials, or exploiting software vulnerabilities.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePayload Delivery:\u003c/strong\u003e The attacker delivers a PowerShell script containing obfuscated code using character array reconstruction.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eObfuscation:\u003c/strong\u003e The PowerShell script utilizes character array manipulation to construct malicious commands, URLs, or payloads dynamically.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion:\u003c/strong\u003e The character array reconstruction technique bypasses static analysis and AMSI, hindering traditional security measures.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution:\u003c/strong\u003e The script executes the reconstructed commands, potentially downloading and executing additional payloads or performing malicious actions on the system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker may establish persistence by creating scheduled tasks or modifying registry keys to ensure the script runs automatically.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control:\u003c/strong\u003e The script communicates with a command and control (C2) server to receive further instructions and exfiltrate sensitive data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The attacker achieves their objective, which could include data theft, system compromise, or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code on the compromised system, potentially leading to data theft, system compromise, or ransomware deployment. The use of character array reconstruction significantly increases the likelihood of bypassing traditional security measures and successfully executing malicious actions. The severity of the impact depends on the attacker\u0026rsquo;s objectives and the level of access they gain on the compromised system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell script block logging to capture the necessary events for detection. Refer to the setup instructions in the rule details.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM and tune it for your environment to minimize false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the Sigma rule to identify potentially malicious PowerShell scripts using character array reconstruction. 
Focus on analyzing the reconstructed strings and the script\u0026rsquo;s overall behavior.\u003c/li\u003e\n\u003cli\u003eImplement strict PowerShell execution policies to restrict the execution of unsigned or untrusted scripts.\u003c/li\u003e\n\u003cli\u003eMonitor for suspicious process creations originating from PowerShell, such as spawning command-line interpreters or executing system utilities.\u003c/li\u003e\n\u003cli\u003eBlock known malicious domains and IP addresses associated with command and control servers.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-posh-char-array-obfuscation/","summary":"Detects PowerShell scripts using character array reconstruction to hide commands, URLs, or payloads, evading static analysis and AMSI.","title":"PowerShell Obfuscation via Character Array Reconstruction","url":"https://feed.craftedsignal.io/briefs/2024-01-03-posh-char-array-obfuscation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["PowerShell"],"_cs_severities":["high"],"_cs_tags":["credential-access","powershell","minidump","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis rule detects PowerShell scripts that contain references to MiniDumpWriteDump, MiniDumpWithFullMemory, or obfuscated versions of these strings (e.g., pmuDetirWpmuDiniM). Attackers can leverage these functions to create memory dumps of processes, including sensitive processes such as LSASS, which contains cached credentials. The dumping of LSASS memory allows attackers to extract credentials for lateral movement and privilege escalation within a compromised network. The rule is designed to detect scripts utilizing these techniques, providing an early warning sign of potential credential theft attempts. The rule leverages PowerShell script block logging (event ID 4104). 
The original rule was created in 2021 and updated in April 2026 according to the source.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means, such as phishing, exploiting a vulnerability, or using compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a PowerShell script on the target system. This script may be directly executed or injected into an existing PowerShell process.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script contains code that references MiniDumpWriteDump or MiniDumpWithFullMemory, or an obfuscated variant, indicating an intention to create a memory dump.\u003c/li\u003e\n\u003cli\u003eThe script identifies a target process, often LSASS (lsass.exe), or iterates through running processes to select a target.\u003c/li\u003e\n\u003cli\u003eUsing the MiniDumpWriteDump function, the script creates a memory dump of the targeted process.\u003c/li\u003e\n\u003cli\u003eThe memory dump is saved to a file on the system, potentially in a location that is easily accessible to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker may then compress or encrypt the dump file to avoid detection and prepare it for exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the memory dump from the compromised system for offline analysis and credential extraction.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of this attack can lead to the compromise of sensitive credentials stored in memory, such as domain administrator accounts. This can enable attackers to move laterally within the network, escalate privileges, and gain access to critical systems and data. The impact could include data breaches, financial losses, and reputational damage. 
The number of victims can vary depending on the scope of the initial compromise and the effectiveness of the attacker\u0026rsquo;s lateral movement.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging (event ID 4104) to capture the necessary events for detection. Reference: \u003ca href=\"https://atc-project.org/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md\"\u003ehttps://atc-project.org/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;PowerShell MiniDump Script\u0026rdquo; to your SIEM and tune for your environment to detect suspicious PowerShell scripts.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the script content, target process, and output file. Use the investigation steps provided in the rule\u0026rsquo;s documentation.\u003c/li\u003e\n\u003cli\u003eMonitor for file creation events related to memory dumps (e.g., *.dmp files) and analyze these files for sensitive information.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and privilege management to limit the potential impact of credential theft.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-powershell-minidump/","summary":"This brief detects PowerShell scripts that reference MiniDumpWriteDump or full-memory minidump types, potentially used to capture process memory from credential-bearing processes like LSASS.","title":"PowerShell MiniDump Script 
Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-powershell-minidump/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["powershell","obfuscation","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection rule identifies PowerShell scripts that exhibit characteristics of obfuscation, specifically those heavily reliant on whitespace and special characters. Attackers employ these techniques to bypass security measures such as static analysis and the Antimalware Scan Interface (AMSI). The rule focuses on scripts that have a low diversity of symbols and a high ratio of whitespace and special characters, a common profile for obfuscated PowerShell code. The rule leverages PowerShell script block logging (event code 4104) to analyze script content and identify suspicious patterns, aiming to detect potentially malicious scripts attempting to conceal their true intent. 
This detection helps defenders identify and investigate potentially malicious PowerShell scripts before they can execute their payloads.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access through a vulnerability or social engineering.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads or introduces an obfuscated PowerShell script to the target system.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script is executed, bypassing initial security checks due to the obfuscation.\u003c/li\u003e\n\u003cli\u003eThe script leverages whitespace and special characters to hide malicious commands and logic.\u003c/li\u003e\n\u003cli\u003eAt runtime, the script deobfuscates itself using PowerShell functions like \u003ccode\u003eInvoke-Expression\u003c/code\u003e or \u003ccode\u003e[char]\u003c/code\u003e casting.\u003c/li\u003e\n\u003cli\u003eThe deobfuscated code executes malicious actions, such as downloading malware or modifying system settings.\u003c/li\u003e\n\u003cli\u003eThe malware establishes persistence on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or establishing a backdoor.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the execution of arbitrary code, malware installation, and potential compromise of the entire system. Obfuscation makes it difficult to detect malicious intent, allowing attackers to bypass traditional security measures. The widespread use of PowerShell in enterprise environments makes this a significant threat vector. 
The impact could range from minor system instability to a full-scale data breach, depending on the attacker\u0026rsquo;s objectives and the privileges of the compromised account.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging to generate the events used by this rule (e.g., 4104).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect-Potential-PowerShell-Obfuscation\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule \u003ccode\u003eDetect-Potential-PowerShell-Obfuscation\u003c/code\u003e for potential malicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-posh-obfuscation/","summary":"This rule detects PowerShell scripts heavily obfuscated with whitespace and special characters, often used to evade static analysis and AMSI, by identifying scripts with low symbol diversity and a high proportion of whitespace and special characters.","title":"Potential PowerShell Obfuscation via Special Character Overuse","url":"https://feed.craftedsignal.io/briefs/2024-01-posh-obfuscation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Exchange Server","Elastic Defend","CrowdStrike","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["exchange","activesync","powershell","persistence"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Crowdstrike","SentinelOne","Elastic"],"content_html":"\u003cp\u003eThis detection identifies the use of the Exchange PowerShell cmdlet, \u003ccode\u003eSet-CASMailbox\u003c/code\u003e, to add a new ActiveSync allowed device. Attackers may target user email to collect sensitive information by adding unauthorized devices to a user\u0026rsquo;s allowed ActiveSync devices. 
The rule focuses on detecting suspicious PowerShell activity by monitoring for specific command patterns indicative of unauthorized device additions. This activity can lead to persistent access to sensitive email data, bypassing normal authentication controls. The original Elastic detection rule was created on 2020/12/15 and updated on 2026/05/04. This matters for defenders because it highlights a persistence mechanism that can be difficult to detect through traditional means.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a privileged account with Exchange management permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker uses PowerShell to execute the \u003ccode\u003eSet-CASMailbox\u003c/code\u003e cmdlet.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003eActiveSyncAllowedDeviceIDs\u003c/code\u003e attribute for a target user\u0026rsquo;s mailbox.\u003c/li\u003e\n\u003cli\u003eThe attacker adds a rogue device ID to the list of allowed devices.\u003c/li\u003e\n\u003cli\u003eThe attacker configures a mobile device with the rogue device ID to synchronize with the target mailbox.\u003c/li\u003e\n\u003cli\u003eThe attacker gains persistent access to the target user\u0026rsquo;s email, calendar, and contacts.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data from the mailbox.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence even after password changes by continuing to synchronize via the added device.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation could lead to unauthorized access to sensitive email data, including confidential communications, financial information, and personal data. This can result in data breaches, compliance violations, and reputational damage. 
The scope of the impact depends on the privileges of the compromised account and the sensitivity of the data contained in the targeted mailboxes.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eActiveSyncAllowedDeviceID Added via PowerShell\u003c/code\u003e to your SIEM and tune for your environment to detect suspicious activity.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging to capture PowerShell commands for the rule above.\u003c/li\u003e\n\u003cli\u003eReview Exchange audit logs for instances of \u003ccode\u003eSet-CASMailbox\u003c/code\u003e being used to modify \u003ccode\u003eActiveSyncAllowedDeviceIDs\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all accounts, especially those with Exchange management privileges.\u003c/li\u003e\n\u003cli\u003eRegularly audit ActiveSync device configurations to identify unauthorized devices.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-activesync-device-added/","summary":"The rule detects the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device, potentially allowing attackers to gain persistent access to sensitive email data by adding unauthorized devices.","title":"New ActiveSync Allowed Device Added via PowerShell","url":"https://feed.craftedsignal.io/briefs/2024-01-activesync-device-added/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","execution","powershell","obfuscation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers leverage Invoke-Obfuscation, a popular PowerShell obfuscation framework, to generate highly obfuscated IEX (Invoke-Expression) commands. 
This technique allows them to bypass traditional signature-based detections and execute malicious payloads on targeted systems. Invoke-Obfuscation is designed to make PowerShell code difficult to read and analyze, thus hindering security analysts and automated detection systems. The obfuscation techniques include string concatenation using environment variables, character code manipulation, and other methods to mask the true intent of the script. This activity has been observed across various campaigns, typically targeting Windows environments where PowerShell is widely used. Defenders should be aware of this technique and implement robust detection mechanisms to identify and block obfuscated PowerShell execution.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access to the target system through methods such as phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003ePayload Delivery: The attacker uploads a malicious PowerShell script or downloads it from a remote server.\u003c/li\u003e\n\u003cli\u003eObfuscation: The attacker uses Invoke-Obfuscation to obfuscate the PowerShell script, making it difficult to analyze. This can involve techniques like string concatenation using \u003ccode\u003e$PSHome\u003c/code\u003e or \u003ccode\u003e$ShellId\u003c/code\u003e, or using complex variable manipulations.\u003c/li\u003e\n\u003cli\u003eExecution: The attacker executes the obfuscated PowerShell script using \u003ccode\u003epowershell.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eIEX Invocation: The obfuscated script leverages \u003ccode\u003eIEX\u003c/code\u003e (Invoke-Expression) to dynamically execute code, further hindering detection. 
The obfuscated strings are deobfuscated at runtime within the IEX context.\u003c/li\u003e\n\u003cli\u003ePersistence (Optional): The attacker may establish persistence by creating scheduled tasks or modifying registry keys.\u003c/li\u003e\n\u003cli\u003eLateral Movement (Optional): The attacker may use the compromised system as a launching point for lateral movement within the network, using tools like \u003ccode\u003ePsExec\u003c/code\u003e or \u003ccode\u003eWinRM\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eObjective: The ultimate objective could be data exfiltration, ransomware deployment, or establishing a long-term foothold for espionage.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code on the compromised system, leading to various malicious activities such as data theft, system compromise, and ransomware deployment. The use of Invoke-Obfuscation makes detection more challenging, potentially allowing attackers to remain undetected for extended periods. 
This can result in significant financial losses, reputational damage, and operational disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eInvoke-Obfuscation Obfuscated IEX Invocation\u003c/code\u003e to your SIEM to detect obfuscated IEX commands generated by Invoke-Obfuscation.\u003c/li\u003e\n\u003cli\u003eMonitor PowerShell execution logs for suspicious command-line arguments that resemble obfuscation patterns described in the Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement PowerShell Constrained Language Mode to restrict the capabilities of PowerShell and limit the effectiveness of obfuscation techniques.\u003c/li\u003e\n\u003cli\u003eEnable and review PowerShell Script Block Logging to capture the content of executed scripts, allowing for more in-depth analysis of malicious activity.\u003c/li\u003e\n\u003cli\u003eRegularly update your endpoint detection and response (EDR) solutions to ensure they have the latest signatures and behavioral detection capabilities.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of phishing and other social engineering attacks that may be used to deliver malicious PowerShell scripts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-invoke-obfuscation-iex/","summary":"Attackers use Invoke-Obfuscation, a PowerShell obfuscation framework, to generate obfuscated IEX (Invoke-Expression) commands, evading detection and executing malicious code.","title":"Invoke-Obfuscation Obfuscated IEX Invocation via PowerShell","url":"https://feed.craftedsignal.io/briefs/2024-01-invoke-obfuscation-iex/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Exchange","Elastic 
Defend"],"_cs_severities":["medium"],"_cs_tags":["collection","execution","powershell","exchange","mailbox"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers may target user email to collect sensitive information. The \u003ccode\u003eNew-MailBoxExportRequest\u003c/code\u003e cmdlet is used to export the contents of a primary mailbox or archive to a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange. Attackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive and strategic data. This activity is typically performed using PowerShell or similar scripting tools and can be difficult to detect without specific monitoring in place. The activity may be part of a larger attack campaign targeting sensitive information.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a compromised system with sufficient privileges to access Exchange PowerShell.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Exchange server using PowerShell.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eNew-MailboxExportRequest\u003c/code\u003e cmdlet to initiate the export of a target mailbox to a .pst file. 
The command may include parameters to filter specific content.\u003c/li\u003e\n\u003cli\u003eThe Exchange server processes the export request, creating a .pst file containing the mailbox data.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the exported .pst file from the designated file path.\u003c/li\u003e\n\u003cli\u003eThe attacker may compress and archive the .pst file to reduce its size for exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the .pst file to an external location controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the .pst file to extract sensitive information such as credentials, financial data, or intellectual property.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows the attacker to gain access to sensitive information contained within the exported mailboxes. This could lead to financial loss, reputational damage, or compromise of intellectual property. Depending on the scope of the export requests, multiple mailboxes may be compromised, impacting a large number of users. 
The impact is significant because email often contains highly sensitive business communications and data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging to monitor PowerShell execution with command-line arguments (Data Source: Sysmon).\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect the use of \u003ccode\u003eNew-MailboxExportRequest\u003c/code\u003e cmdlet in PowerShell commands.\u003c/li\u003e\n\u003cli\u003eReview the privileges of users with the \u0026ldquo;Mailbox Import Export\u0026rdquo; privilege to ensure that the least privilege principle is being followed.\u003c/li\u003e\n\u003cli\u003eMonitor Windows Security Event Logs for PowerShell activity related to mailbox export requests (Data Source: Windows Security Event Logs).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules to identify potential malicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-exchange-mailbox-export/","summary":"Adversaries may use the New-MailboxExportRequest PowerShell cmdlet to export mailboxes in Exchange, potentially leading to sensitive information theft.","title":"Exchange Mailbox Export via PowerShell","url":"https://feed.craftedsignal.io/briefs/2024-01-exchange-mailbox-export/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["PowerShell"],"_cs_severities":["high"],"_cs_tags":["powershell","reflection","dotnet","memory-injection","attack.execution","attack.t1059.001"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief addresses the use of PowerShell to load .NET assemblies into memory using reflection, a technique frequently observed in advanced attacks. 
Threat actors, including those employing frameworks like Empire and Cobalt Strike, utilize this method to execute code directly in memory, evading traditional file-based security controls. The detection strategy focuses on PowerShell Script Block Logging (EventCode=4104), which captures the full commands executed, enabling analysis for specific reflection-related keywords. This behavior is a strong indicator of potential malicious activity, as it allows for unauthorized code execution, privilege escalation, and persistent access. Defenders should prioritize detection and response to such events to mitigate the risk of compromise. The technique allows attackers to bypass traditional defenses, execute code in memory, and potentially establish persistence within the targeted environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains initial access to the system, possibly through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003ePowerShell Execution: The attacker executes PowerShell, often obfuscated or encoded, to avoid detection.\u003c/li\u003e\n\u003cli\u003eReflection Assembly Loading: The PowerShell script uses reflection techniques, such as \u003ccode\u003e[System.Reflection.Assembly]::Load()\u003c/code\u003e, to load a .NET assembly directly into memory.\u003c/li\u003e\n\u003cli\u003eBypassing Security Controls: The in-memory execution bypasses traditional security controls that scan files on disk.\u003c/li\u003e\n\u003cli\u003eMalicious Code Execution: The loaded assembly contains malicious code, which could be a payload for lateral movement, data exfiltration, or other malicious activities.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The malicious code may attempt to escalate privileges to gain higher-level access to the system.\u003c/li\u003e\n\u003cli\u003ePersistence: The attacker establishes persistence by creating scheduled tasks or 
modifying registry keys.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker uses the compromised system as a springboard to move laterally within the network, compromising additional systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized code execution, privilege escalation, and persistent access within the environment. By loading .NET assemblies directly into memory, attackers can bypass traditional file-based security controls, making detection more challenging. This technique is often employed in advanced attacks, potentially affecting numerous systems across the network, leading to significant data breaches and system compromise. While specific victim counts are not available, the impact is considered high due to the potential for widespread damage and data loss.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging (EventCode=4104) on all endpoints to capture the full commands executed, as referenced in the description.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect PowerShell scripts loading .NET assemblies into memory via reflection.\u003c/li\u003e\n\u003cli\u003eInvestigate and remediate any alerts generated by the Sigma rules, prioritizing systems with high-value data or critical functions.\u003c/li\u003e\n\u003cli\u003eRegularly review and update PowerShell execution policies to restrict the execution of unsigned or untrusted scripts.\u003c/li\u003e\n\u003cli\u003eMonitor PowerShell logs for suspicious activity, such as the use of reflection techniques to load assemblies from unusual locations.\u003c/li\u003e\n\u003cli\u003eConsult the references provided, specifically the Microsoft .NET API documentation and the Palantir article on event tracing, to deepen your understanding of the attack techniques and potential 
mitigations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-03-powershell-reflection-load/","summary":"This analytic detects PowerShell scripts leveraging .NET reflection to load assemblies into memory, a technique commonly used by threat actors to bypass defenses and execute malicious code.","title":"PowerShell Loading .NET Assemblies via Reflection","url":"https://feed.craftedsignal.io/briefs/2024-01-03-powershell-reflection-load/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["powershell","environment-variable","invoke-expression","execution"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers are increasingly leveraging PowerShell to execute malicious code embedded within environment variables. This method involves storing commands or encoded content in environment variables and then using \u003ccode\u003eInvoke-Expression\u003c/code\u003e (or its alias \u003ccode\u003eiex\u003c/code\u003e) to dynamically construct and execute code at runtime. This tactic is employed to evade traditional static analysis techniques and conceal the true intent of the executed code. Observed in malware loaders and stagers, including those associated with the VIP Keylogger campaign, this technique is a significant threat. Defenders should be aware of this trend and implement appropriate detection mechanisms. 
The focus is on identifying PowerShell scripts that combine environment variable access (\u003ccode\u003e$env:\u003c/code\u003e) with \u003ccode\u003eInvoke-Expression\u003c/code\u003e or its aliases, based on PowerShell Script Block Logging (Event ID 4104).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system, possibly through phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003ePowerShell is invoked, either directly or indirectly, via a script or another process.\u003c/li\u003e\n\u003cli\u003eThe attacker sets an environment variable containing malicious code or a command. This might involve using \u003ccode\u003e[Environment]::SetEnvironmentVariable\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eA PowerShell script is executed that reads the content of the environment variable using \u003ccode\u003e$env:\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe content read from the environment variable is passed to \u003ccode\u003eInvoke-Expression\u003c/code\u003e or its alias \u003ccode\u003eiex\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eInvoke-Expression\u003c/code\u003e dynamically executes the code, effectively bypassing static analysis.\u003c/li\u003e\n\u003cli\u003eThe executed code downloads and executes a secondary payload, such as a keylogger or a remote access tool.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as stealing credentials or establishing persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the execution of arbitrary code on the compromised system, allowing attackers to install malware, steal sensitive data, or establish a persistent foothold. The VIP Keylogger campaign, for example, demonstrates how this technique can be used to harvest user credentials. 
Due to the obfuscated nature of this attack, it is difficult to detect and remediate, often leading to extended dwell time for the attacker. Compromised systems can be further used as a launchpad for attacks against other systems within the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging (Event ID 4104) on all Windows systems to capture the de-obfuscated script blocks before execution.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect PowerShell scripts that access environment variables and use \u003ccode\u003eInvoke-Expression\u003c/code\u003e or its aliases. Tune these rules to your environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules to determine if malicious activity is occurring.\u003c/li\u003e\n\u003cli\u003eMonitor PowerShell execution for suspicious environment variable access and dynamic code execution.\u003c/li\u003e\n\u003cli\u003eImplement application control to prevent the execution of unauthorized PowerShell scripts.\u003c/li\u003e\n\u003cli\u003eReview and harden PowerShell execution policies to limit the attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-powershell-env-var-execution/","summary":"Adversaries use PowerShell to execute malicious code stored in environment variables, leveraging Invoke-Expression or its aliases to bypass static analysis and execute payloads dynamically, as seen in malware loaders and stagers like the VIP Keylogger.","title":"PowerShell Execution via Environment Variables","url":"https://feed.craftedsignal.io/briefs/2024-01-powershell-env-var-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","SentinelOne Cloud Funnel","Crowdstrike 
FDR"],"_cs_severities":["medium"],"_cs_tags":["persistence","powershell","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","CrowdStrike","SentinelOne"],"content_html":"\u003cp\u003ePowerShell profiles are scripts that run when PowerShell starts, customizing the user\u0026rsquo;s environment. Attackers can abuse this feature to gain persistence by modifying these profiles to execute malicious code each time a user launches PowerShell. The modification of PowerShell profiles allows the attacker to run arbitrary commands without requiring user interaction or explicit execution of malicious scripts. The targeted profile file names include \u003ccode\u003eprofile.ps1\u003c/code\u003e and \u003ccode\u003eMicrosoft.Powershell_profile.ps1\u003c/code\u003e, and the attack affects Windows systems where PowerShell is commonly used.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system through unspecified means.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the location of PowerShell profile scripts, typically found in \u003ccode\u003eC:\\Users\\\u0026lt;Username\u0026gt;\\Documents\\WindowsPowerShell\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies an existing PowerShell profile (e.g., \u003ccode\u003eprofile.ps1\u003c/code\u003e) or creates a new one if it doesn\u0026rsquo;t exist.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious code into the PowerShell profile. 
This code could download and execute additional payloads, establish a reverse shell, or perform other malicious activities.\u003c/li\u003e\n\u003cli\u003eThe attacker ensures the malicious code runs when PowerShell is launched by modifying the profile content.\u003c/li\u003e\n\u003cli\u003eWhen a user opens PowerShell, the profile script executes automatically, running the injected malicious code.\u003c/li\u003e\n\u003cli\u003eThe malicious code performs its intended actions, such as establishing persistence by creating scheduled tasks or modifying registry keys.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to maintain persistent access to compromised systems. This persistence can be used to perform various malicious activities, including data theft, lateral movement, and deployment of ransomware. The severity is medium as it requires local access or prior compromise, but can lead to significant impact if successful.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;PowerShell Profile Modification\u0026rdquo; to detect unauthorized changes to PowerShell profile scripts.\u003c/li\u003e\n\u003cli\u003eMonitor file creation and modification events in the \u003ccode\u003eC:\\Users\\*\\Documents\\WindowsPowerShell\\\u003c/code\u003e and \u003ccode\u003eC:\\Windows\\System32\\WindowsPowerShell\\\u003c/code\u003e directories for suspicious activity.\u003c/li\u003e\n\u003cli\u003eEnable PowerShell script block logging and transcription to gain visibility into the contents of PowerShell scripts being executed.\u003c/li\u003e\n\u003cli\u003eRestrict PowerShell usage to authorized personnel via Group Policy or other application control mechanisms.\u003c/li\u003e\n\u003cli\u003eRegularly audit PowerShell profiles for suspicious or unexpected 
code.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T18:17:05Z","date_published":"2024-01-02T18:17:05Z","id":"/briefs/2024-01-powershell-profile-persistence/","summary":"Attackers can modify PowerShell profiles to inject malicious code that executes each time PowerShell starts, establishing persistence on a Windows system.","title":"Persistence via PowerShell Profile Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-powershell-profile-persistence/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["powershell","wmi","reconnaissance","lateral_movement","windows"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis brief focuses on detecting reconnaissance activities performed through PowerShell using WMI queries. Adversaries often use WMI to gather detailed information about a compromised system, including hardware specifications, operating system details, and installed software. This information can be used to plan further attacks, such as privilege escalation or lateral movement. This detection leverages PowerShell Script Block Logging (EventCode 4104) to identify specific WMI queries that target system information classes like \u003ccode\u003eWin32_Bios\u003c/code\u003e, \u003ccode\u003eWin32_OperatingSystem\u003c/code\u003e, \u003ccode\u003eWin32_Processor\u003c/code\u003e and others. Identifying this behavior early can help defenders disrupt attack chains before significant damage occurs. 
The analytic is based on the detection logic from the Splunk Security Content project as of April 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the target system, potentially through phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a PowerShell script, either directly or via a command-line interpreter like \u003ccode\u003ecmd.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script uses the \u003ccode\u003eGet-WmiObject\u003c/code\u003e cmdlet or a direct WMI query with \u003ccode\u003eSELECT\u003c/code\u003e to query system information.\u003c/li\u003e\n\u003cli\u003eSpecific WMI classes are targeted, including \u003ccode\u003eWin32_Bios\u003c/code\u003e, \u003ccode\u003eWin32_OperatingSystem\u003c/code\u003e, \u003ccode\u003eWin32_Processor\u003c/code\u003e, \u003ccode\u003eWin32_ComputerSystem\u003c/code\u003e, \u003ccode\u003eWin32_PnPEntity\u003c/code\u003e, \u003ccode\u003eWin32_ShadowCopy\u003c/code\u003e, \u003ccode\u003eWin32_DiskDrive\u003c/code\u003e, \u003ccode\u003eWin32_PhysicalMemory\u003c/code\u003e, \u003ccode\u003eWin32_BaseBoard\u003c/code\u003e, and \u003ccode\u003eWin32_DisplayConfiguration\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe script collects the data returned by the WMI queries.\u003c/li\u003e\n\u003cli\u003eThe gathered information is used to profile the system and identify potential vulnerabilities or weaknesses.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the gathered information to plan subsequent stages of the attack, like lateral movement or privilege escalation.\u003c/li\u003e\n\u003cli\u003eThe attacker executes further commands based on the gathered information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful reconnaissance can provide attackers with a comprehensive understanding of the 
target environment, enabling them to tailor their attacks for maximum impact. This can lead to successful privilege escalation, lateral movement, data exfiltration, or ransomware deployment. Organizations that fail to detect and prevent reconnaissance activities are at a higher risk of experiencing significant data breaches and financial losses. The Maze ransomware group, Industroyer2, and LockBit ransomware have been observed using similar reconnaissance techniques.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging on all endpoints to capture the necessary data for detection (\u003ca href=\"https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.1/add-other-data-to-splunk-uba/configure-powershell-logging-to-see-powershell-anomalies-in-splunk-uba.\"\u003ePowerShell Script Block Logging 4104\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious WMI Reconnaissance via PowerShell\u003c/code\u003e to identify PowerShell scripts querying sensitive WMI classes.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the user and process context to determine potential malicious intent.\u003c/li\u003e\n\u003cli\u003eReview and tune the \u003ccode\u003eRecon Using WMI Class\u003c/code\u003e detection filter (\u003ccode\u003erecon_using_wmi_class_filter\u003c/code\u003e) to reduce false positives in your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-wmi-reconnaissance/","summary":"Detection of suspicious PowerShell activity using Windows Management Instrumentation (WMI) to gather system information, indicative of reconnaissance efforts by adversaries potentially leading to further exploitation or lateral movement.","title":"Suspicious PowerShell 
Reconnaissance via WMI Queries","url":"https://feed.craftedsignal.io/briefs/2024-01-wmi-reconnaissance/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["winlogbeat-*"],"_cs_severities":["critical"],"_cs_tags":["credential-access","mimikatz","powershell"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection identifies PowerShell scripts containing Invoke-Mimikatz or Mimikatz commands, which are commonly used to extract sensitive information such as credentials, password stores, and certificates. The detection focuses on in-memory credential access, requiring thorough investigation and reconstruction of script context to assess the impact. The rule is designed to detect potential credential access attempts by identifying specific keywords and command patterns associated with Mimikatz usage within PowerShell script blocks. Defenders should prioritize investigations triggered by this rule due to the potential for significant compromise. 
The Elastic detection rule was last updated on 2026/04/24.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the target system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a PowerShell script, either directly or through a payload.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script contains obfuscated or encoded Mimikatz commands.\u003c/li\u003e\n\u003cli\u003eThe script leverages techniques to bypass AMSI (Anti-Malware Scan Interface) to avoid detection.\u003c/li\u003e\n\u003cli\u003eThe script utilizes Invoke-Mimikatz or direct Mimikatz commands to dump credentials from memory (LSASS process).\u003c/li\u003e\n\u003cli\u003eThe attacker extracts password hashes, plaintext passwords, and Kerberos tickets.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to move laterally within the network.\u003c/li\u003e\n\u003cli\u003eThe final objective is to gain access to sensitive data or critical systems, leading to data exfiltration or further compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can result in the compromise of user accounts, including privileged accounts. This can lead to lateral movement within the network, access to sensitive data, and potential data exfiltration. Credential dumping via Mimikatz is a common technique used in many attacks, often leading to widespread damage and significant financial loss. 
The rule\u0026rsquo;s high risk score of 99 reflects the severe potential impact of this activity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging to capture the necessary events (4104) for this detection, as specified in the \u003ca href=\"https://ela.st/powershell-logging-setup\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule below to your SIEM and tune it for your environment to detect potential Mimikatz usage within PowerShell scripts.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule by reconstructing the full PowerShell script block using \u003ccode\u003epowershell.file.script_block_id\u003c/code\u003e, \u003ccode\u003epowershell.sequence\u003c/code\u003e, and \u003ccode\u003epowershell.total\u003c/code\u003e as described in the rule\u0026rsquo;s notes.\u003c/li\u003e\n\u003cli\u003eMonitor for file creation events following the detection to identify potential credential dumps, archives, or exported certificates as highlighted in the rule\u0026rsquo;s notes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-potential-invoke-mimikatz/","summary":"This rule detects the use of Invoke-Mimikatz or Mimikatz commands within PowerShell scripts to dump credentials, extract password stores, export certificates, or use alternate authentication material, indicating potential in-memory credential access.","title":"Potential Invoke-Mimikatz PowerShell Script","url":"https://feed.craftedsignal.io/briefs/2024-01-02-potential-invoke-mimikatz/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Defender"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","powershell","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers frequently attempt 
to disable or weaken Windows Defender to facilitate the execution of malware and other malicious activities. This is often achieved through the use of PowerShell commands like \u003ccode\u003eSet-MpPreference\u003c/code\u003e and \u003ccode\u003eAdd-MpPreference\u003c/code\u003e, which can modify various Defender settings. To evade detection, adversaries may encode these commands using Base64, making it more difficult for traditional command-line inspection techniques to identify the malicious intent. This activity is a common tactic in post-exploitation scenarios, allowing attackers to operate with reduced risk of being detected by the built-in antivirus solution. Detection of this behavior is critical for identifying and responding to potential intrusions. The Elastic detection rule aims to catch both standard and encoded PowerShell commands used for this purpose.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through methods such as phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges to gain necessary permissions to modify Windows Defender settings.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003epowershell.exe\u003c/code\u003e process to execute commands.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003eSet-MpPreference\u003c/code\u003e or \u003ccode\u003eAdd-MpPreference\u003c/code\u003e to disable real-time monitoring.\u003c/li\u003e\n\u003cli\u003eThe attacker may use Base64 encoding (e.g., using the \u003ccode\u003e-EncodedCommand\u003c/code\u003e parameter) to obfuscate the PowerShell commands.\u003c/li\u003e\n\u003cli\u003eThe encoded command is executed, modifying Windows Defender settings.\u003c/li\u003e\n\u003cli\u003eWindows Defender\u0026rsquo;s real-time monitoring is disabled, allowing the attacker to execute malicious payloads without immediate 
detection.\u003c/li\u003e\n\u003cli\u003eThe attacker proceeds with their objectives, such as deploying ransomware or exfiltrating data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful disabling of Windows Defender can lead to a significant increase in the risk of malware infection and data breach. With real-time protection disabled, the system becomes vulnerable to various threats, including ransomware, Trojans, and other malicious software. This can result in data loss, system compromise, and potential financial damages. The impact can be severe, especially if the compromised system handles sensitive information or is critical to business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Disabling Windows Defender Security Settings via PowerShell\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging to gain better visibility into the commands being executed (referenced in Sysmon setup instructions).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for PowerShell processes executing commands with \u003ccode\u003e-EncodedCommand\u003c/code\u003e or containing specific Base64 encoded strings to detect obfuscated attempts to disable Windows Defender.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003eSet-MpPreference\u003c/code\u003e or \u003ccode\u003eAdd-MpPreference\u003c/code\u003e being used, especially if accompanied by unusual parent processes or command-line arguments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-disable-defender-powershell/","summary":"Attackers use PowerShell commands like Set-MpPreference or Add-MpPreference, often with base64 encoding, to disable or weaken Windows Defender 
security settings in order to evade detection and execute malicious payloads.","title":"Disabling Windows Defender Security Settings via PowerShell","url":"https://feed.craftedsignal.io/briefs/2024-01-02-disable-defender-powershell/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["windows","PowerShell"],"_cs_severities":["high"],"_cs_tags":["powershell","obfuscation","defense-evasion","variable-expansion","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft"],"content_html":"\u003cp\u003eThis rule detects PowerShell scripts employing backtick-escaped characters within \u003ccode\u003e${}\u003c/code\u003e variable expansion, a technique used to reconstruct strings at runtime. Attackers leverage variable-expansion obfuscation to split keywords, conceal commands, and bypass static analysis and AMSI (Antimalware Scan Interface). This obfuscation method involves inserting multiple backticks between word characters inside \u003ccode\u003e${}\u003c/code\u003e blocks. Detecting this behavior is crucial as it signifies attempts to evade security measures and potentially execute malicious code on compromised systems. 
The rule focuses on identifying scripts with a length exceeding 500 characters to minimize false positives and targets PowerShell event code 4104.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system, potentially through phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads or creates a PowerShell script on the target system.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script employs backtick-escaped variable expansion (e.g., \u003ccode\u003e$env:use``r``na``me\u003c/code\u003e) to obfuscate its contents.\u003c/li\u003e\n\u003cli\u003eThe obfuscated script is executed using powershell.exe.\u003c/li\u003e\n\u003cli\u003eThe script dynamically reconstructs commands and strings by evaluating the backtick-escaped variables.\u003c/li\u003e\n\u003cli\u003eThe reconstructed commands perform malicious activities, such as downloading additional payloads or modifying system configurations.\u003c/li\u003e\n\u003cli\u003eThe script attempts to evade detection by AMSI and other security tools.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence and control over the compromised system, potentially leading to data exfiltration or further lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution, system compromise, and data theft. While the number of victims is unknown, PowerShell is a common attack vector on Windows environments. The sectors most affected are organizations relying on Windows infrastructure without adequate PowerShell monitoring and security controls. 
Failure to detect and prevent this technique allows attackers to bypass security measures and gain unauthorized access to sensitive data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging to generate event code 4104. (Reference: Setup section)\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect PowerShell Backtick Variable Obfuscation\u003c/code\u003e to identify scripts using backtick-escaped variable expansion.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on scripts with a high \u003ccode\u003eEsql.script_block_pattern_count\u003c/code\u003e value.\u003c/li\u003e\n\u003cli\u003eMonitor for process creation events where powershell.exe executes obfuscated commands as detected by the Sigma rule \u003ccode\u003eDetect Suspicious PowerShell Encoded Commands\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eReview PowerShell logs for event code 4104 and examine \u003ccode\u003epowershell.file.script_block_text\u003c/code\u003e for suspicious patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T10:00:00Z","date_published":"2024-01-02T10:00:00Z","id":"/briefs/2024-01-powershell-backtick-obfuscation/","summary":"PowerShell scripts use backtick-escaped characters inside `${}` variable expansion to reconstruct strings at runtime, enabling attackers to split keywords, hide commands, and evade static analysis and AMSI.","title":"PowerShell Obfuscation via Backtick-Escaped Variable Expansion","url":"https://feed.craftedsignal.io/briefs/2024-01-powershell-backtick-obfuscation/"}],"language":"en","title":"CraftedSignal Threat Feed — Powershell","version":"https://jsonfeed.org/version/1.1"}