Docker Inc — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/vendors/docker-inc/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 03 Jan 2024 14:00:00 +0000Suspicious PowerShell Engine ImageLoadhttps://feed.craftedsignal.io/briefs/2024-01-suspicious-powershell-imageload/Wed, 03 Jan 2024 14:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-suspicious-powershell-imageload/This rule identifies instances where the PowerShell engine is loaded by processes other than powershell.exe, potentially indicating attackers attempting to use PowerShell functionality stealthily by using the underlying System.Management.Automation namespace and bypassing PowerShell security features.Attackers can leverage the PowerShell engine without directly executing powershell.exe. This technique, often referred to as “PowerShell without PowerShell,” involves using the underlying System.Management.Automation namespace. This approach allows attackers to bypass application allowlisting and PowerShell security features, operating more stealthily within a compromised environment. This technique makes detection more challenging, as standard PowerShell execution logs might not capture the activity. The activity is detected by monitoring which processes load the System.Management.Automation.dll or System.Management.Automation.ni.dll libraries. This activity can legitimately happen where vendors have their own PowerShell implementations that are shipped with some products.

Attack Chain

  1. An attacker gains initial access to a Windows system through various means, such as exploiting a vulnerability or using compromised credentials.
  2. The attacker deploys a custom tool or script on the target system. This tool is designed to interact with the System.Management.Automation namespace directly.
  3. The custom tool loads the System.Management.Automation.dll or System.Management.Automation.ni.dll library into its process space.
  4. The tool uses the loaded PowerShell engine to execute malicious commands or scripts without invoking powershell.exe.
  5. The attacker performs reconnaissance activities, such as gathering system information or network configurations, using PowerShell commands.
  6. The attacker attempts to move laterally within the network, leveraging the PowerShell engine to execute commands on other systems.
  7. The attacker installs malware or backdoors using the PowerShell engine to maintain persistence within the compromised environment.
  8. The attacker exfiltrates sensitive data or causes damage to the system, completing the objectives of the attack.

Impact

A successful attack leveraging “PowerShell without PowerShell” can lead to significant compromise of Windows systems. Attackers can bypass traditional security measures, potentially leading to data theft, system disruption, or the installation of persistent malware. The technique’s stealthy nature can prolong the time to detection, increasing the potential for widespread damage.

Recommendation

  • Deploy the Sigma rule Suspicious PowerShell Engine ImageLoad to your SIEM to detect when the System.Management.Automation.dll or System.Management.Automation.ni.dll libraries are loaded by unexpected processes.
  • Investigate any alerts generated by the Sigma rule, focusing on the process execution chain (parent process tree) for unknown processes.
  • Implement endpoint detection and response (EDR) solutions like Elastic Defend to provide visibility into process behavior and library loading events, activating the process_creation and image_load log sources.
  • Review and tune exclusions to the Sigma rule based on legitimate vendor applications to reduce false positives.
]]>mediumadvisorypowershellexecutionwindows