034. That's How Real Adversaries Abuse PowerShell for Persistence

Hello everyone! I keep collecting interesting PowerShell abuse examples observed in the wild. Recently I spotted another one while reading this report.

In this case the threat actors leveraged PowerShell to create a scheduled task:

"powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:SYNC C:\Users\<USER>\AppData\Roaming\9secur32_5.drv\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{C51CED40-3F5F-4FAF-E44D-E40FBA838523}' -Description 'MicrosoftEdgeUpdateTaskMachineUA' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"

It's not an uncommon persistence mechanism, but I don't often see adversaries use these cmdlets. As you can see, the task was masqueraded as a Microsoft Edge update.

Also, the adversary uses PowerShell to check whether such a scheduled task already exists:

"powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\<USER>\AppData\Roaming\9secur32_5.drv' }) { exit 0 } else { exit 1 }"

As you can see, these cmdlets present good detection and hunting opportunities!
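To show what hunting on these traits can look like, here is an added PowerShell snippet (my own example, not from the report or the original post) that walks the local task library and flags tasks that share the characteristics of the sample above: regsvr32 with a /i: scriptlet or a payload in a user-writable folder, an Edge-updater lookalike name bound to a non-updater binary, and a sub-5-minute repetition with no execution time limit. The path regex, the 5-minute threshold and the ISO 8601 duration strings (PT1M, PT0S) are my assumptions about how the CIM objects represent these values.

```powershell
# Added hunting snippet (not from the original post). It walks the local task
# library and flags tasks showing the traits from the sample above. The path
# regex and the "5 minutes" repetition threshold are my own assumptions.
function Find-SuspiciousScheduledTask {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only exec actions carry Execute/Arguments; COM-handler actions do not
            if (-not $action.Execute) { continue }

            $exe       = [System.IO.Path]::GetFileName($action.Execute.Trim('"')).ToLower()
            $argString = [string]$action.Arguments
            $reasons   = @()

            # 1. regsvr32 pointed at a scriptlet (/i:) or a user-writable location
            if ($exe -in @('regsvr32', 'regsvr32.exe')) {
                if ($argString -match '(?i)/i:' -or
                    $argString -match '(?i)\\(AppData|Temp|ProgramData|Public)\\') {
                    $reasons += 'regsvr32 with /i: or user-writable path'
                }
            }

            # 2. Edge-updater lookalike name whose binary is not the real updater
            if ($task.TaskName -like 'MicrosoftEdgeUpdateTask*' -and
                $exe -ne 'microsoftedgeupdate.exe') {
                $reasons += 'Edge-updater name, non-updater binary'
            }

            # 3. Very short repetition interval plus unlimited run time (assumed to be
            #    stored as ISO 8601 durations, e.g. PT1M and PT0S)
            $shortRepeat = $task.Triggers | Where-Object {
                $_.Repetition.Interval -match '^PT([1-5])M$'
            }
            if ($shortRepeat -and $task.Settings.ExecutionTimeLimit -eq 'PT0S') {
                $reasons += 'sub-5-minute repetition with no execution time limit'
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    TaskPath  = $task.TaskPath
                    TaskName  = $task.TaskName
                    Execute   = $action.Execute
                    Arguments = $argString
                    Reasons   = ($reasons -join '; ')
                }
            }
        }
    }
}

Find-SuspiciousScheduledTask | Format-Table -AutoSize -Wrap
```

For retrospective hunting rather than a live sweep, the same Register-ScheduledTask and Get-ScheduledTask calls surface in PowerShell script block logging (event 4104) and task creation in Security event 4698 or Microsoft-Windows-TaskScheduler/Operational event 106.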

By the way, if you want to add to my PowerShell collection, you are very welcome!

See you tomorrow!
