Query Details

PowerShell Self-Pwn

Query

// PowerShell Self-Pwn

// https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn
// The Proofpoint blog outlines a social engineering tactic where threat actors deceive users into copying and pasting malicious PowerShell scripts, causing malware infections. Groups like TA571 use fake error messages to prompt script execution, delivering malware such as DarkGate and NetSupport. Despite needing significant user interaction, the attack's success hinges on sophisticated social engineering. I have developed a custom detection PowerShell Self-Pwn KQL to identify such scenarios and assist SecOps in isolating affected devices.

let NaiveUser =
IdentityInfo
| where isempty(AssignedRoles) // Non Technical Naive Users ;P
| summarize arg_max(Timestamp, *) by AccountUpn // latest identity row per UPN, taken after the role filter
| distinct AccountUpn;
let UserEPPSExec =
DeviceEvents
| where ActionType == @"GetClipboardData" // Execute PowerShell command from clipboard paste
| where InitiatingProcessFileName == @"powershell.exe" // exact, case-sensitive match
| join NaiveUser on $left.InitiatingProcessAccountUpn == $right.AccountUpn // keep only paste events by naive users
| distinct DeviceName;
DeviceProcessEvents
| where InitiatingProcessFileName has "powershell.exe" and InitiatingProcessCommandLine has "-EncodedCommand"
| where AccountName != "system" and AccountName != "local service" and AccountName != "administrator" // skip built-in accounts
| where DeviceName has_any(UserEPPSExec) // User executed an encoded PowerShell command to evade detection



Explanation

This KQL (Kusto Query Language) script is designed to detect a specific type of social engineering attack involving PowerShell scripts. Here's a simplified breakdown of what the query does:

  1. Identify naive users:
     • The query first identifies users who are likely non-technical or naive by checking for users without any assigned roles. These users are considered more susceptible to social engineering attacks.
  2. Detect clipboard-based PowerShell execution:
     • It looks for events where PowerShell commands are executed from the clipboard. This is done by filtering for events where the action type is "GetClipboardData" and the initiating process is "powershell.exe".
     • It then joins this data with the list of naive users to find devices where these users have executed PowerShell commands from the clipboard.
  3. Identify encoded PowerShell commands:
     • The query further filters for PowerShell commands that are encoded, which is a technique often used to evade detection.
     • It excludes the "system", "local service", and "administrator" accounts to focus on regular user accounts.
     • Finally, it checks whether these encoded commands were executed on the devices identified in the previous step.

Overall, this query helps security operations teams detect and isolate devices where naive users might have been tricked into executing malicious PowerShell scripts, potentially leading to malware infections.
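To make the three stages concrete, the following is an added example (not part of the original query page or its author's work) that replays the same logic in plain Python over constructed rows. Table and column names follow the KQL above; every row, UPN and device name is made up, and the encoded payload is a labelled placeholder. It also shows one subtlety of the original ordering: because `where isempty(AssignedRoles)` runs before `summarize arg_max(...)`, a user who once had no role but has one now is still treated as naive.

```python
"""Replay of the PowerShell Self-Pwn detection stages over constructed sample rows.

Added example, not the page's own code: naive users -> clipboard-paste devices ->
encoded-command process events, re-implemented in Python so the join semantics
can be checked offline. All data below is constructed.
"""

PLACEHOLDER_B64 = "<BASE64_PAYLOAD_PLACEHOLDER>"  # constructed; no real payload

# Constructed IdentityInfo rows. dave had no role on 12-01 and gained one on 12-02.
IDENTITY_INFO = [
    {"Timestamp": "2024-12-01T08:00:00Z", "AccountUpn": "alice@contoso.example", "AssignedRoles": ""},
    {"Timestamp": "2024-12-02T08:00:00Z", "AccountUpn": "alice@contoso.example", "AssignedRoles": ""},
    {"Timestamp": "2024-12-01T08:00:00Z", "AccountUpn": "bob@contoso.example", "AssignedRoles": "Global Administrator"},
    {"Timestamp": "2024-12-01T08:00:00Z", "AccountUpn": "dave@contoso.example", "AssignedRoles": ""},
    {"Timestamp": "2024-12-02T08:00:00Z", "AccountUpn": "dave@contoso.example", "AssignedRoles": "Security Administrator"},
]

# Constructed DeviceEvents rows (clipboard reads).
DEVICE_EVENTS = [
    {"ActionType": "GetClipboardData", "InitiatingProcessFileName": "powershell.exe",
     "InitiatingProcessAccountUpn": "alice@contoso.example", "DeviceName": "ws-alice"},
    {"ActionType": "GetClipboardData", "InitiatingProcessFileName": "powershell.exe",
     "InitiatingProcessAccountUpn": "bob@contoso.example", "DeviceName": "ws-bob"},      # admin: dropped by join
    {"ActionType": "GetClipboardData", "InitiatingProcessFileName": "notepad.exe",
     "InitiatingProcessAccountUpn": "alice@contoso.example", "DeviceName": "ws-alice2"},  # not PowerShell
    {"ActionType": "GetClipboardData", "InitiatingProcessFileName": "powershell.exe",
     "InitiatingProcessAccountUpn": "dave@contoso.example", "DeviceName": "WS-DAVE"},
]

# Constructed DeviceProcessEvents rows (children of PowerShell).
DEVICE_PROCESS_EVENTS = [
    {"DeviceName": "ws-alice", "AccountName": "alice", "InitiatingProcessFileName": "powershell.exe",
     "InitiatingProcessCommandLine": f"powershell.exe -NoP -W Hidden -EncodedCommand {PLACEHOLDER_B64}"},
    {"DeviceName": "ws-alice", "AccountName": "system", "InitiatingProcessFileName": "powershell.exe",
     "InitiatingProcessCommandLine": f"powershell.exe -EncodedCommand {PLACEHOLDER_B64}"},   # excluded account
    {"DeviceName": "ws-bob", "AccountName": "bob", "InitiatingProcessFileName": "powershell.exe",
     "InitiatingProcessCommandLine": f"powershell.exe -EncodedCommand {PLACEHOLDER_B64}"},   # device not in stage 2
    {"DeviceName": "ws-alice", "AccountName": "alice", "InitiatingProcessFileName": "powershell.exe",
     "InitiatingProcessCommandLine": "powershell.exe -File .\\report.ps1"},                # not encoded
    {"DeviceName": "WS-DAVE", "AccountName": "dave", "InitiatingProcessFileName": "PowerShell.exe",
     "InitiatingProcessCommandLine": f"PowerShell.exe -encodedcommand {PLACEHOLDER_B64}"},  # `has` is case-insensitive
]

EXCLUDED_ACCOUNTS = {"system", "local service", "administrator"}


def naive_users(identity_info):
    """Stage 1: filter role-less rows, then keep the latest row per UPN (same order as the KQL)."""
    latest = {}
    for row in identity_info:
        if row["AssignedRoles"]:          # isempty(AssignedRoles) fails
            continue
        upn = row["AccountUpn"]
        if upn not in latest or row["Timestamp"] > latest[upn]["Timestamp"]:
            latest[upn] = row             # arg_max(Timestamp, *) by AccountUpn
    return set(latest)                    # distinct AccountUpn


def clipboard_paste_devices(device_events, naive):
    """Stage 2: devices where powershell.exe read the clipboard under a naive user's account."""
    return {
        ev["DeviceName"] for ev in device_events
        if ev["ActionType"] == "GetClipboardData"
        and ev["InitiatingProcessFileName"] == "powershell.exe"   # == is case-sensitive, as in KQL
        and ev["InitiatingProcessAccountUpn"] in naive            # inner join on UPN
    }


def encoded_powershell_hits(process_events, devices):
    """Stage 3: encoded PowerShell parent command lines on stage-2 devices, minus built-in accounts."""
    hits = []
    for ev in process_events:
        parent = ev["InitiatingProcessFileName"].casefold()
        cmd = ev["InitiatingProcessCommandLine"].casefold()
        # KQL `has` is a case-insensitive term match; casefolded substring approximates it here.
        if "powershell.exe" not in parent or "-encodedcommand" not in cmd:
            continue
        if ev["AccountName"] in EXCLUDED_ACCOUNTS:
            continue
        if ev["DeviceName"] not in devices:   # has_any(UserEPPSExec), simplified to exact membership
            continue
        hits.append(ev)
    return hits


def run_detection(identity_info=IDENTITY_INFO, device_events=DEVICE_EVENTS,
                  process_events=DEVICE_PROCESS_EVENTS):
    """Run all three stages and return (naive UPNs, flagged devices, matching process events)."""
    naive = naive_users(identity_info)
    devices = clipboard_paste_devices(device_events, naive)
    return naive, devices, encoded_powershell_hits(process_events, devices)


if __name__ == "__main__":
    naive, devices, hits = run_detection()
    print("naive users:", sorted(naive))
    print("paste devices:", sorted(devices))
    for h in hits:
        print("HIT", h["DeviceName"], h["AccountName"], h["InitiatingProcessCommandLine"])
```

Running it flags alice on ws-alice and dave on WS-DAVE; dave appears because the role filter precedes `arg_max`, so his older role-less row survives. The `system` row, bob's row (device never entered stage 2) and the `-File` row are all dropped, which is the behaviour a SecOps analyst should expect before isolating a device on this signal.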

Details


Steven Lim

Released: December 17, 2024

Tables

IdentityInfo, DeviceEvents, DeviceProcessEvents

Keywords

IdentityInfo, DeviceEvents, DeviceProcessEvents, AccountUpn, DeviceName, AccountName, Timestamp, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType

Operators

let, |, where, isempty, summarize, arg_max, by, distinct, ==, join, on, $left., $right., has, !=, has_any
