“the shellcode! Following that, we see one more call to run the WaitForSingleObject Win32 API function. This will “block” execution and patiently wait for the shellcode to finish executing. You can see it includes the $t6y variable (which is the new thread running the shellcod…”
T1059.001 PowerShell (99%)
“with the parameters and arguments that follow. In our “weaponized” analogy, we can call these beginning pieces of the payload the trigger. The Trigger. The /b argument to cmd.exe means “start the application without creating a new window”, so our hacker is trying to hide. /…”
T1059.001 PowerShell (99%)
“gzip data is compressed, archived data, practically the same as a .zip archive you might see as a file on your computer. Thankfully, we can perform the inverse operation on that large chunk of data to better understand what it is doing. But first, let’s wrap up the analysis on…”
T1059.001 PowerShell (99%)
“d.exe” program. cmd.exe is the default command-line interpreter for Windows operating systems, but it is an older utility that dates back to DOS (or the Disk Operating System). In the world we live in now, developers and security professionals prefer to work in PowerShel…”
T1055.001 Dynamic-link Library Injection (98%)
“function tells the operating system to allocate memory. As we can see from the function parameters, it invokes this function to allocate enough memory for the length of the $bumj byte array (the shellcode)! The 0x3000 indicates “reserve and commit this memory”, and the 0x40…”
T1059.001 PowerShell (96%)
“this point, we’ve finally made it into the string of code that is passed into PowerShell. This does a few checks to ensure the payload being used for the target is appropriate. The Sights. At the very start of the PowerShell syntax, we see: this if-statement conditional is inte…”
T1059.001 PowerShell (94%)
“From PowerShell to Payload: An Analysis of Weaponized Malware | Huntress. Click, boom, and your network is compromised. All a hacker needs is one successful exploit and you could have a very bad day. Recently, we uncovered one artifact that we would like to break down and showcas…”
T1059.001 PowerShell (92%)
“now that we have a better understanding of how this works, we can zoom in on that blob of data. Inside the Ammunition. The real substance with this launcher comes from the Base64-encoded, gzip-compressed blob that is extracted and executed on the fly. That is this chunk: we can p…”
T1059.001 PowerShell (85%)
“not very descriptive. All of these function and variable names seem to be random and obfuscated, but we can make sense of them by reading the definition of the function. The soh function takes in two parameters. It uses a technique to “reflectively” search for the address of wi…”
T1055.001 Dynamic-link Library Injection (83%)
“contained sandbox. We dove under the hood here to further understand what the hackers did and how their payload worked. Learning from the offense is the best way to have a stronger defense. Some mitigation tactics like enabling AppLocker or PowerShell Constrained Language Mode wo…”
T1564.003 Hidden Window (80%)
“with the parameters and arguments that follow. In our “weaponized” analogy, we can call these beginning pieces of the payload the trigger. The Trigger. The /b argument to cmd.exe means “start the application without creating a new window”, so our hacker is trying to hide. /…”
T1059.001 PowerShell (74%)
“the shellcode! Following that, we see one more call to run the WaitForSingleObject Win32 API function. This will “block” execution and patiently wait for the shellcode to finish executing. You can see it includes the $t6y variable (which is the new thread running the shellcod…”
T1059.001 PowerShell (66%)
“contained sandbox. We dove under the hood here to further understand what the hackers did and how their payload worked. Learning from the offense is the best way to have a stronger defense. Some mitigation tactics like enabling AppLocker or PowerShell Constrained Language Mode wo…”
T1055.001 Dynamic-link Library Injection (65%)
“supply parameters and understand the function return values. With these two functions in place, the code now has the primitives to freely call any Win32 API function it would like. Next, we will see this in action. The Explosive. Following those function definitions, this PowerShe…”
T1059.001 PowerShell (56%)
“supply parameters and understand the function return values. With these two functions in place, the code now has the primitives to freely call any Win32 API function it would like. Next, we will see this in action. The Explosive. Following those function definitions, this PowerShe…”
T1106 Native API (47%)
“and move memory, or other peculiar things that we will see in the code very soon. For our own understanding, we should mentally rename this function to something like: so far, what we knew as the soh function adds a portion of this new capability. If hackers want to use this tra…”
T1059.003 Windows Command Shell (30%)
“From PowerShell to Payload: An Analysis of Weaponized Malware | Huntress. Click, boom, and your network is compromised. All a hacker needs is one successful exploit and you could have a very bad day. Recently, we uncovered one artifact that we would like to break down and showcas…”
Summary
In this blog, we look at some malicious PowerShell code breadcrumbs that one hacker left behind to unravel how they maintained access during a cyberattack.