{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/tabexpansion/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["medium"],"_cs_tags":["powershell","tabexpansion","bypass","endpoint"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis alert detects specific indicators associated with the execution of the \u003ccode\u003eTabExpansion\u003c/code\u003e internal function in PowerShell. Direct calls to this function are not normal and can be indicative of malicious activity such as TabShell. This technique can bypass PowerShell\u0026rsquo;s restricted language mode. By exploiting PowerShell internals, attackers can use directory traversal in conjunction with the \u003ccode\u003eTabExpansion\u003c/code\u003e function to load arbitrary PowerShell functions, even within a sandboxed environment. While legitimate use of \u003ccode\u003eTabExpansion\u003c/code\u003e is rare, it\u0026rsquo;s crucial for defenders to understand that direct calls to this function can be a sign of malicious activity attempting to circumvent security restrictions within PowerShell.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system. This step is not specified in the source, but is a prerequisite.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a PowerShell script.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script directly calls the \u003ccode\u003eTabExpansion\u003c/code\u003e internal function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eTabExpansion\u003c/code\u003e function, when called directly, attempts to resolve paths or commands based on partial input.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious payload, using directory traversal to point to a malicious PowerShell script location.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eTabExpansion\u003c/code\u003e function resolves the crafted path, effectively bypassing intended restrictions.\u003c/li\u003e\n\u003cli\u003eThe malicious PowerShell script is loaded and executed within the current PowerShell session, even if sandboxed.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution and potentially escalates privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can allow an attacker to bypass PowerShell\u0026rsquo;s security restrictions, including constrained language mode. This could lead to arbitrary code execution, privilege escalation, and potentially complete system compromise. The impact is significant, as it allows malicious actors to execute code within an environment that is supposed to be restricted and secure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging (Event ID 4104) to capture the necessary telemetry to detect this activity.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious PowerShell TabExpansion Call\u003c/code\u003e to your SIEM and tune for your environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u003ccode\u003eSuspicious PowerShell TabExpansion Call\u003c/code\u003e rule to determine if the activity is legitimate or malicious.\u003c/li\u003e\n\u003cli\u003eFilter alerts generated by the \u003ccode\u003eSuspicious PowerShell TabExpansion Call\u003c/code\u003e rule if direct calls originate from trusted administrative or development activities, as noted in the \u0026ldquo;known_false_positives\u0026rdquo; section of the source.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T17:21:00Z","date_published":"2024-01-03T17:21:00Z","id":"/briefs/2024-01-03-powershell-tabexpansion/","summary":"This detection identifies PowerShell scripts that directly call the TabExpansion internal function, which is uncommon and may indicate malicious activity, such as TabShell, potentially bypassing sandboxes by loading PowerShell functions via directory traversal.","title":"Suspicious PowerShell TabExpansion Direct Call","url":"https://feed.craftedsignal.io/briefs/2024-01-03-powershell-tabexpansion/"}],"language":"en","title":"CraftedSignal Threat Feed — Tabexpansion","version":"https://jsonfeed.org/version/1.1"}