In-Depth Analysis of Malicious PowerShell Exploit Leveraging Embedded DCOM for Persistent Access

Alex Morgan — Threat Intelligence Analyst

Key Takeaways

  • Malicious PowerShell scripts were used to exploit DCOM vulnerabilities for lateral movement.
  • Persistence was achieved through registry modifications and scheduled tasks.
  • Indicators of compromise including specific command-line parameters were identified for proactive defense.

Executive Summary

During our investigation of a recent intrusion, we observed an elaborate attack chain that utilized malicious PowerShell scripts to gain initial access, followed by lateral movement through authenticated DCOM objects. The actor demonstrated sophistication in their use of native Windows tools for exploitation, blending seamlessly into the target environment to evade detection. The implications of this attack are significant, as the actor’s ability to maintain persistence poses ongoing risks for compromised systems.

Initial Access

The initial access vector was identified as a phishing email containing a malicious attachment masquerading as a PDF document. Upon opening, the attachment triggered a PowerShell script that used an embedded command to launch cmd.exe, which in turn spawned additional PowerShell processes. The script was launched with the -ExecutionPolicy Bypass parameter so that the host's script execution policy would not block it, allowing it to run commands remotely without user interaction. Host-based logging showed an increase in PowerShell activity around the time of this execution.

Execution & Persistence

Our analysis revealed that the payload, executed via PowerShell, made extensive use of Windows Management Instrumentation (WMI) commands, specifically WMI Event Subscription. This persistence mechanism was facilitated by creating a WMI event consumer, ensuring that the malicious script would execute upon system startup. Furthermore, the actor modified the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run to establish startup entries. A scheduled task was created as well, which utilized the command schtasks /create /tn
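As an added example (not tooling from the report or the actor), the following PowerShell triage script enumerates the three persistence locations described above on a local host and flags entries whose command line matches a constructed heuristic pattern. The pattern, the addition of the HKCU Run key and the output layout are assumptions of the example, not indicators taken from the investigation.

```powershell
# Added triage script: lists WMI event consumers, Run-key entries and scheduled
# task actions, then flags command lines matching a constructed heuristic
# pattern (powershell with -ExecutionPolicy Bypass / -enc / hidden window, or
# cmd /c). Run in an elevated PowerShell session; tune the pattern locally.
$SuspiciousPattern = 'powershell(\.exe)?.*-(ExecutionPolicy\s+Bypass|enc|w(indowstyle)?\s+hidden)|cmd(\.exe)?\s+/c'

function Test-Suspicious {
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $false }
    return [bool]($CommandLine -match $SuspiciousPattern)
}

function New-Finding($Source, $Name, $Command) {
    [pscustomobject]@{ Source = $Source; Name = $Name; Command = $Command.Trim()
                       Suspicious = Test-Suspicious $Command }
}

$findings = @()

# 1. WMI permanent event subscriptions: the consumer holds the command that runs
$wmi = @{ Namespace = 'root\subscription'; ErrorAction = 'SilentlyContinue' }
Get-CimInstance @wmi -ClassName CommandLineEventConsumer | ForEach-Object {
    $findings += New-Finding 'WMI CommandLineEventConsumer' $_.Name "$($_.ExecutablePath) $($_.CommandLineTemplate)"
}
Get-CimInstance @wmi -ClassName ActiveScriptEventConsumer | ForEach-Object {
    $findings += New-Finding 'WMI ActiveScriptEventConsumer' $_.Name "$($_.ScriptText)"
}

# 2. Run keys (the report names HKLM; HKCU is added here as an assumption)
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    $props.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
        ForEach-Object { $findings += New-Finding "Run key ($key)" $_.Name ([string]$_.Value) }
}

# 3. Scheduled tasks: each action's executable plus its arguments
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if ($action.Execute) {
            $findings += New-Finding "Task $($task.TaskPath)" $task.TaskName "$($action.Execute) $($action.Arguments)"
        }
    }
}

$findings | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize -Wrap
```

Flagged rows are leads for review, not verdicts; compare each against a known-good baseline of the host before acting on it.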

Source: Original Report