034. That's How Real Adversaries Abuse PowerShell for Persistence
Hello everyone! I keep collecting interesting PowerShell abuse examples observed in-the-wild. Recently I spotted another one reading this report.
In this case the threat actors leveraged PowerShell to create a scheduled task:
"powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:SYNC C:\Users\<USER>\AppData\Roaming\9secur32_5.drv\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{C51CED40-3F5F-4FAF-E44D-E40FBA838523}' -Description 'MicrosoftEdgeUpdateTaskMachineUA' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
It's not an uncommon persistence mechanism, but I don't often see adversaries use these cmdlets. As you can see, the task is masqueraded to look like a Microsoft Edge update, while its action is regsvr32 loading a file from the user's AppData folder, re-triggered every minute and run with the highest privileges.
Also, the adversary uses PowerShell to check if such a scheduled task already exists:
"powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\<USER>\AppData\Roaming\9secur32_5.drv' }) { exit 0 } else { exit 1 }"
As you can see, these cmdlets present good detection and hunting opportunities!
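Here is an added hunting script to go with this example. It is not from the report and not part of the original post; I wrote it to show what a hunt for the pattern above can look like on an endpoint. It assumes that the legitimate Edge update tasks named MicrosoftEdgeUpdateTask* execute MicrosoftEdgeUpdate.exe, and that PowerShell script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) is enabled for the second part; the helper names are mine.

```powershell
# Added hunting example (not from the original post or the report).
# Part 1: walk scheduled tasks and flag the traits seen above:
#   - regsvr32 as the action, with an argument pointing under a user's AppData path
#   - a MicrosoftEdgeUpdateTask* name whose action is not the real updater (assumption:
#     the real one executes MicrosoftEdgeUpdate.exe)
#   - a one-minute repetition interval (PT1M) on any trigger
function Find-SuspiciousScheduledTask {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only Exec actions carry Execute/Arguments; COM handler actions are skipped.
            if (-not $action.Execute) { continue }
            $exe       = [System.IO.Path]::GetFileName($action.Execute.Trim('"')).ToLower()
            $argString = [string]$action.Arguments
            $reasons   = @()

            if ($exe -like 'regsvr32*' -and $argString -match '(?i)AppData\\(Roaming|Local)') {
                $reasons += 'regsvr32 loading a file under AppData'
            }
            if ($task.TaskName -like 'MicrosoftEdgeUpdateTask*' -and $exe -ne 'microsoftedgeupdate.exe') {
                $reasons += 'Edge-update task name, non-Edge executable'
            }
            foreach ($trigger in $task.Triggers) {
                if ($trigger.Repetition.Interval -eq 'PT1M') {
                    $reasons += 'one-minute repetition interval'
                    break
                }
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    TaskName  = $task.TaskName
                    TaskPath  = $task.TaskPath
                    Author    = $task.Author
                    RunLevel  = $task.Principal.RunLevel
                    Execute   = $action.Execute
                    Arguments = $argString
                    Reasons   = ($reasons -join '; ')
                }
            }
        }
    }
}

# Part 2: look back through script block logs for the creation or existence check itself.
# Requires script block logging; the cmdlet names are what the adversary typed above.
function Find-TaskCmdletScriptBlocks {
    param([int]$MaxEvents = 5000)
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Message -match 'Register-ScheduledTask|Get-ScheduledTask' -and
            $_.Message -match '(?i)regsvr32'
        } |
        Select-Object TimeCreated, Id, @{ Name = 'Snippet'; Expression = { $_.Message.Substring(0, [Math]::Min(200, $_.Message.Length)) } }
}

Find-SuspiciousScheduledTask | Format-Table -AutoSize
Find-TaskCmdletScriptBlocks | Format-Table -AutoSize
```

The first function only inspects task definitions, so it also catches tasks registered by other means (schtasks.exe, the COM API); the second one depends on script block logging and is what ties the Register-ScheduledTask and Get-ScheduledTask calls back to a PowerShell process. If you enable Task Scheduler operational logging as well, the same regsvr32-plus-AppData pattern can be matched on task registration events.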
By the way, if you want to contribute to my PowerShell collection, you are very welcome!
See you tomorrow!