Suspicious PowerShell Engine ImageLoad

hello@craftedsignal.io — Wed, 03 Jan 2024 14:00:00 +0000

Attackers can leverage the PowerShell engine without directly executing powershell.exe. This technique, often referred to as “PowerShell without PowerShell,” involves using the underlying System.Management.Automation namespace. This approach allows attackers to bypass application allowlisting and PowerShell security features, operating more stealthily within a compromised environment. This technique makes detection more challenging, as standard PowerShell execution logs might not capture the activity. The activity is detected by monitoring which processes load the System.Management.Automation.dll or System.Management.Automation.ni.dll libraries. This activity can legitimately happen where vendors have their own PowerShell implementations that are shipped with some products.

Attack Chain

An attacker gains initial access to a Windows system through various means, such as exploiting a vulnerability or using compromised credentials.
The attacker deploys a custom tool or script on the target system. This tool is designed to interact with the System.Management.Automation namespace directly.
The custom tool loads the System.Management.Automation.dll or System.Management.Automation.ni.dll library into its process space.
The tool uses the loaded PowerShell engine to execute malicious commands or scripts without invoking powershell.exe.
The attacker performs reconnaissance activities, such as gathering system information or network configurations, using PowerShell commands.
The attacker attempts to move laterally within the network, leveraging the PowerShell engine to execute commands on other systems.
The attacker installs malware or backdoors using the PowerShell engine to maintain persistence within the compromised environment.
The attacker exfiltrates sensitive data or causes damage to the system, completing the objectives of the attack.

Impact

A successful attack leveraging “PowerShell without PowerShell” can lead to significant compromise of Windows systems. Attackers can bypass traditional security measures, potentially leading to data theft, system disruption, or the installation of persistent malware. The technique’s stealthy nature can prolong the time to detection, increasing the potential for widespread damage.

Recommendation

Deploy the Sigma rule Suspicious PowerShell Engine ImageLoad to your SIEM to detect when the System.Management.Automation.dll or System.Management.Automation.ni.dll libraries are loaded by unexpected processes.
Investigate any alerts generated by the Sigma rule, focusing on the process execution chain (parent process tree) for unknown processes.
Implement endpoint detection and response (EDR) solutions like Elastic Defend to provide visibility into process behavior and library loading events, activating the process_creation and image_load log sources.
Review and tune exclusions to the Sigma rule based on legitimate vendor applications to reduce false positives.

Startup or Run Key Registry Modification

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

Attackers often modify registry run keys to achieve persistence on a system. By adding entries to these keys, they ensure that a malicious program executes automatically whenever a user logs in. This technique allows the attacker to maintain access to the compromised system even after reboots or other interruptions. The programs added to these run keys execute under the context of the user account, inheriting its permissions. This activity is often difficult to distinguish from legitimate software installations or updates, requiring careful analysis to identify malicious intent. Elastic has observed this activity and created a detection rule to identify this behavior.

Attack Chain

The attacker gains initial access to the target system.
The attacker identifies registry run key locations for persistence.
The attacker modifies a registry run key (e.g., HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run) using tools such as reg.exe.
The attacker adds a malicious executable path to the registry key.
The system is restarted, or a user logs in.
The malicious executable is launched automatically as part of the logon process.
The malicious executable establishes a connection to a command-and-control server.
The attacker gains remote access to the compromised system.

Impact

Successful exploitation allows attackers to maintain persistent access to compromised systems, enabling them to perform unauthorized activities such as data theft, lateral movement, and deployment of ransomware. While each instance may not cause immediate critical damage, the cumulative effect of multiple persistent infections across an environment can lead to significant data breaches and operational disruption. The Elastic rule attempts to minimize false positives with built-in filters for common legitimate applications and processes like ctfmon.exe, but tuning is required.

Recommendation

Deploy the Sigma rule provided below to detect suspicious modifications to registry run keys and tune it to filter out legitimate application updates.
Enable registry event logging to capture modifications made to the registry, ensuring that the Sigma rule can function correctly.
Investigate any alerts generated by the Sigma rule, examining the parent process of the process modifying the registry for suspicious activity.
Block known malicious executables and domains identified during triage to prevent further infection.
Use endpoint detection and response (EDR) solutions like Elastic Defend to gain enhanced visibility into endpoint activity and detect malicious behavior associated with persistence mechanisms.

Lenovo — CraftedSignal Threat Feed

Suspicious PowerShell Engine ImageLoad

Attack Chain

Impact

Recommendation

Startup or Run Key Registry Modification

Attack Chain

Impact

Recommendation