{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/dell-technologies-inc./","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["powershell","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Lenovo","PDQ.com Corporation","Dell Technologies Inc.","Chocolatey Software, Inc","Docker Inc"],"content_html":"\u003cp\u003eAttackers can leverage the PowerShell engine without directly executing \u003ccode\u003epowershell.exe\u003c/code\u003e. This technique, often referred to as \u0026ldquo;PowerShell without PowerShell,\u0026rdquo; involves using the underlying System.Management.Automation namespace. This approach allows attackers to bypass application allowlisting and PowerShell security features, operating more stealthily within a compromised environment. This technique makes detection more challenging, as standard PowerShell execution logs might not capture the activity. The activity is detected by monitoring which processes load the System.Management.Automation.dll or System.Management.Automation.ni.dll libraries. This activity can legitimately happen where vendors have their own PowerShell implementations that are shipped with some products.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means, such as exploiting a vulnerability or using compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys a custom tool or script on the target system. This tool is designed to interact with the System.Management.Automation namespace directly.\u003c/li\u003e\n\u003cli\u003eThe custom tool loads the \u003ccode\u003eSystem.Management.Automation.dll\u003c/code\u003e or \u003ccode\u003eSystem.Management.Automation.ni.dll\u003c/code\u003e library into its process space.\u003c/li\u003e\n\u003cli\u003eThe tool uses the loaded PowerShell engine to execute malicious commands or scripts without invoking \u003ccode\u003epowershell.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker performs reconnaissance activities, such as gathering system information or network configurations, using PowerShell commands.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to move laterally within the network, leveraging the PowerShell engine to execute commands on other systems.\u003c/li\u003e\n\u003cli\u003eThe attacker installs malware or backdoors using the PowerShell engine to maintain persistence within the compromised environment.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or causes damage to the system, completing the objectives of the attack.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack leveraging \u0026ldquo;PowerShell without PowerShell\u0026rdquo; can lead to significant compromise of Windows systems. Attackers can bypass traditional security measures, potentially leading to data theft, system disruption, or the installation of persistent malware. The technique\u0026rsquo;s stealthy nature can prolong the time to detection, increasing the potential for widespread damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious PowerShell Engine ImageLoad\u003c/code\u003e to your SIEM to detect when the \u003ccode\u003eSystem.Management.Automation.dll\u003c/code\u003e or \u003ccode\u003eSystem.Management.Automation.ni.dll\u003c/code\u003e libraries are loaded by unexpected processes.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the process execution chain (parent process tree) for unknown processes.\u003c/li\u003e\n\u003cli\u003eImplement endpoint detection and response (EDR) solutions like Elastic Defend to provide visibility into process behavior and library loading events, activating the \u003ccode\u003eprocess_creation\u003c/code\u003e and \u003ccode\u003eimage_load\u003c/code\u003e log sources.\u003c/li\u003e\n\u003cli\u003eReview and tune exclusions to the Sigma rule based on legitimate vendor applications to reduce false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:00:00Z","date_published":"2024-01-03T14:00:00Z","id":"/briefs/2024-01-suspicious-powershell-imageload/","summary":"This rule identifies instances where the PowerShell engine is loaded by processes other than powershell.exe, potentially indicating attackers attempting to use PowerShell functionality stealthily by using the underlying System.Management.Automation namespace and bypassing PowerShell security features.","title":"Suspicious PowerShell Engine ImageLoad","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-powershell-imageload/"}],"language":"en","title":"CraftedSignal Threat Feed — Dell Technologies Inc.","version":"https://jsonfeed.org/version/1.1"}