072. Here's How Adversaries Abuse PowerShell to Steal Authentication Material
Hello everyone! Let's keep looking at PowerShell abuse examples observed in the wild. I hope you have Script Block Logging events (Event ID 4104) from the Microsoft-Windows-PowerShell/Operational log, as we're going to look inside malicious scripts this time.
Recently Outpost24 blogged about EncryptHub, and I spotted a very interesting PowerShell script responsible for stealing sensitive data. Let's look at the script from a detection perspective.
For example, the adversary attempts to collect Telegram data:
$processname = "telegram"
$pathtele = "$env:userprofile\AppData\Roaming\Telegram Desktop\tdata"
This means we can hunt for the Telegram data path in the ScriptBlock text:
event_type: "ScriptExecutionWin"
AND
script_text: "Telegram Desktop" AND "tdata"
Another example is collecting crypto wallet data:
"Armory" = Join-Path $env:appdata "\Armory\*.wallet"
"Atomic" = Join-Path $env:appdata "\Atomic\Local Storage\leveldb"
"Bitcoin" = Join-Path $env:appdata "\Bitcoin\wallets"
"Binance" = Join-Path $env:appdata "\Binance\Wallet\*.*"
"Bytecoin" = Join-Path $env:appdata "\bytecoin\*.wallet"
"Coinomi" = Join-Path $env:localappdata "\Coinomi\Coinomi\wallets"
"Dash" = Join-Path $env:appdata "\DashCore\wallets"
"Electrum" = Join-Path $env:appdata "\Electrum\wallets"
"Ethereum" = Join-Path $env:appdata "\Ethereum\keystore"
"Exodus" = Join-Path $env:appdata "\Exodus\exodus.wallet"
"Guarda" = Join-Path $env:appdata "\Guarda\Local Storage\leveldb"
Here we can use the wallet names to build our detection, for example:
event_type: "ScriptExecutionWin"
AND
script_text: "Armory" OR "Atomic" OR "Bitcoin" OR "Binance" OR "bytecoin" OR "Coinomi" OR "DashCore" OR "Electrum" OR "Ethereum" OR "Exodus" OR "Guarda"
Keep in mind that bare names like "Bitcoin" or "Ethereum" also appear in legitimate scripts, so in a noisy environment it is better to match the path fragments from the hashtable (for example "\Electrum\wallets" or "\Exodus\exodus.wallet") or to require several wallet names in one script block rather than any single one.
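As an added example (not code from the original post or from the EncryptHub script), here are both hunts above, the Telegram tdata path and the wallet paths, expressed as detection logic run over constructed 4104 ScriptBlock records. It matches the wallet path fragments from the hashtable instead of bare coin names so that an unrelated mention of "Bitcoin" does not fire, requires two wallet paths before alerting, and reassembles multi-part script blocks, because PowerShell splits long scripts across several 4104 events that share one ScriptBlockId and a single chunk may contain only half of an indicator. The sample events, their text and their ScriptBlockId values are constructed for the example.

```python
"""Hunt constructed PowerShell 4104 ScriptBlock events for the Telegram tdata
and crypto-wallet path indicators discussed on this page (added example)."""
from collections import defaultdict

# Constructed sample events shaped like Microsoft-Windows-PowerShell/Operational
# Event ID 4104 records (ScriptBlockId, MessageNumber, MessageTotal,
# ScriptBlockText). These are not real captures.
SAMPLE_EVENTS = [
    # A long script is logged as several 4104 events sharing one ScriptBlockId;
    # neither chunk alone contains both "Telegram Desktop" and "tdata".
    {"EventID": 4104, "ScriptBlockId": "a1", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": '$processname = "telegram"\n'
                        '$pathtele = "$env:userprofile\\AppData\\Roaming\\Telegram Desktop\\'},
    {"EventID": 4104, "ScriptBlockId": "a1", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": 'tdata"\nCompress-Archive -Path $pathtele '
                        '-DestinationPath "$env:temp\\t.zip"'},
    # Wallet collection hashtable in the style of the page's script.
    {"EventID": 4104, "ScriptBlockId": "b2", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": '$wallets = @{\n'
                        '"Armory" = Join-Path $env:appdata "\\Armory\\*.wallet"\n'
                        '"Electrum" = Join-Path $env:appdata "\\Electrum\\wallets"\n'
                        '"Exodus" = Join-Path $env:appdata "\\Exodus\\exodus.wallet"\n}'},
    # Benign script that mentions a coin name without touching a wallet path.
    {"EventID": 4104, "ScriptBlockId": "c3", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": 'Write-Host "Bitcoin price check"\n'
                        'Invoke-RestMethod https://example.invalid/price'},
    # Benign inventory of the Telegram folder: no tdata reference.
    {"EventID": 4104, "ScriptBlockId": "d4", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": 'Get-ChildItem "$env:appdata\\Telegram Desktop" | Measure-Object'},
    # Not a ScriptBlock event; must be ignored even though the text would match.
    {"EventID": 4103, "ScriptBlockId": "e5", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": 'tdata "Telegram Desktop"'},
]

# Path fragments taken from the wallet hashtable shown on the page. Matching
# these instead of bare names keeps "Bitcoin price check" from firing.
WALLET_PATH_FRAGMENTS = {
    "Armory": r"\Armory\*.wallet",
    "Atomic": r"\Atomic\Local Storage\leveldb",
    "Bitcoin": r"\Bitcoin\wallets",
    "Binance": r"\Binance\Wallet",
    "Bytecoin": r"\bytecoin\*.wallet",
    "Coinomi": r"\Coinomi\Coinomi\wallets",
    "Dash": r"\DashCore\wallets",
    "Electrum": r"\Electrum\wallets",
    "Ethereum": r"\Ethereum\keystore",
    "Exodus": r"\Exodus\exodus.wallet",
    "Guarda": r"\Guarda\Local Storage\leveldb",
}


def reassemble_script_blocks(events):
    """Join 4104 chunks that share a ScriptBlockId, in MessageNumber order.

    Returns {ScriptBlockId: full script text}. Other event IDs are dropped."""
    chunks = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        chunks[ev["ScriptBlockId"]].append((ev["MessageNumber"], ev["ScriptBlockText"]))
    return {sbid: "".join(text for _, text in sorted(parts))
            for sbid, parts in chunks.items()}


def telegram_tdata_hit(script_text):
    """Rule 1 from the page: the Telegram Desktop session folder is referenced."""
    low = script_text.lower()
    return "telegram desktop" in low and "tdata" in low


def wallet_path_hits(script_text):
    """Rule 2 from the page: wallet storage paths referenced. Returns sorted names."""
    low = script_text.lower()
    return sorted(name for name, frag in WALLET_PATH_FRAGMENTS.items()
                  if frag.lower() in low)


def hunt(events, min_wallets=2):
    """Return {ScriptBlockId: [rule labels]} for reassembled blocks that alert.

    min_wallets requires several wallet paths in one block to cut noise."""
    findings = {}
    for sbid, text in reassemble_script_blocks(events).items():
        rules = []
        if telegram_tdata_hit(text):
            rules.append("telegram_tdata")
        wallets = wallet_path_hits(text)
        if len(wallets) >= min_wallets:
            rules.append("wallet_paths:" + ",".join(wallets))
        if rules:
            findings[sbid] = rules
    return findings


if __name__ == "__main__":
    for sbid, rules in hunt(SAMPLE_EVENTS).items():
        print(sbid, rules)
```

Running it flags block a1 (Telegram tdata, found only after the two chunks are joined) and block b2 (three wallet paths), while the benign "Bitcoin" mention and the plain Telegram folder listing stay quiet. In a SIEM the same reassembly step is worth doing before pattern matching, since a rule that needs two terms can miss a script whose terms land in different 4104 events.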
The script contains lots of interesting data, so you can check it and think about other detection opportunities.
See you tomorrow!