{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/variable-expansion/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["windows","PowerShell"],"_cs_severities":["high"],"_cs_tags":["powershell","obfuscation","defense-evasion","variable-expansion","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft"],"content_html":"\u003cp\u003eThis rule detects PowerShell scripts employing backtick-escaped characters within \u003ccode\u003e${}\u003c/code\u003e variable expansion, a technique used to reconstruct strings at runtime. Attackers leverage variable-expansion obfuscation to split keywords, conceal commands, and bypass static analysis and AMSI (Antimalware Scan Interface). This obfuscation method involves inserting multiple backticks between word characters inside \u003ccode\u003e${}\u003c/code\u003e blocks. Detecting this behavior is crucial as it signifies attempts to evade security measures and potentially execute malicious code on compromised systems.\nThe rule focuses on identifying scripts with a length exceeding 500 characters to minimize false positives and targets PowerShell event code 4104.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system, potentially through phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads or creates a PowerShell script on the target system.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script employs backtick-escaped variable expansion (e.g., \u003ccode\u003e$env:use``r``na``me\u003c/code\u003e) to obfuscate its contents.\u003c/li\u003e\n\u003cli\u003eThe obfuscated script is executed using powershell.exe.\u003c/li\u003e\n\u003cli\u003eThe script dynamically reconstructs commands and strings by evaluating the backtick-escaped variables.\u003c/li\u003e\n\u003cli\u003eThe reconstructed commands perform malicious activities, such as downloading additional payloads or modifying system configurations.\u003c/li\u003e\n\u003cli\u003eThe script attempts to evade detection by AMSI and other security tools.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence and control over the compromised system, potentially leading to data exfiltration or further lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution, system compromise, and data theft. While the number of victims is unknown, PowerShell is a common attack vector on Windows environments. The sectors most affected are organizations relying on Windows infrastructure without adequate PowerShell monitoring and security controls.\nFailure to detect and prevent this technique allows attackers to bypass security measures and gain unauthorized access to sensitive data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging to generate event code 4104. (Reference: Setup section)\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect PowerShell Backtick Variable Obfuscation\u003c/code\u003e to identify scripts using backtick-escaped variable expansion.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on scripts with a high \u003ccode\u003eEsql.script_block_pattern_count\u003c/code\u003e value.\u003c/li\u003e\n\u003cli\u003eMonitor for process creation events where powershell.exe executes obfuscated commands as detected by the Sigma rule \u003ccode\u003eDetect Suspicious PowerShell Encoded Commands\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eReview PowerShell logs for event code 4104 and examine \u003ccode\u003epowershell.file.script_block_text\u003c/code\u003e for suspicious patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T10:00:00Z","date_published":"2024-01-02T10:00:00Z","id":"/briefs/2024-01-powershell-backtick-obfuscation/","summary":"PowerShell scripts use backtick-escaped characters inside `${}` variable expansion to reconstruct strings at runtime, enabling attackers to split keywords, hide commands, and evade static analysis and AMSI.","title":"PowerShell Obfuscation via Backtick-Escaped Variable Expansion","url":"https://feed.craftedsignal.io/briefs/2024-01-powershell-backtick-obfuscation/"}],"language":"en","title":"CraftedSignal Threat Feed — Variable-Expansion","version":"https://jsonfeed.org/version/1.1"}