Invocation Of Crypto-Classes From The "Cryptography" PowerShell Namespace

    Date: 10/03/2024

    Severity: Medium

    Summary

    Identifies the execution of PowerShell commands that reference classes from the "System.Security.Cryptography" namespace. This namespace offers classes for real-time encryption and decryption, which attackers can use, for instance, to decrypt malicious payloads in memory in order to evade detection. This malware continues to be one of the top ten infections we have detected in our clients' networks, primarily targeting the Education and Health sectors.

    Indicators of Compromise (IOC) List

    Image:
        '\powershell.exe'
        '\pwsh.exe'

    OriginalFileName:
        'PowerShell.EXE'
        'pwsh.dll'

    CommandLine:
        'System.Security.Cryptography.'
        '.AesCryptoServiceProvider'
        '.DESCryptoServiceProvider'
        '.DSACryptoServiceProvider'
        '.RC2CryptoServiceProvider'
        '.Rijndael'
        '.RSACryptoServiceProvider'
        '.TripleDESCryptoServiceProvider'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    (resourcename = "Windows Security"  AND eventtype = "4688"  ) AND newprocessname In ("\\powershell.exe","\\pwsh.exe") AND winmessage In ("System.Security.Cryptography.",".AesCryptoServiceProvider",".DESCryptoServiceProvider",".DSACryptoServiceProvider",".RC2CryptoServiceProvider",".Rijndael",".RSACryptoServiceProvider",".TripleDESCryptoServiceProvider")

    Detection Query 2:

    technologygroup = "EDR"  AND newprocessname In ("\\powershell.exe","\\pwsh.exe") AND winmessage In ("System.Security.Cryptography.",".AesCryptoServiceProvider",".DESCryptoServiceProvider",".DSACryptoServiceProvider",".RC2CryptoServiceProvider",".Rijndael",".RSACryptoServiceProvider",".TripleDESCryptoServiceProvider")

    Detection Query 3:

    (resourcename = "Sysmon"  AND eventtype = "1"  ) AND image In ("\powershell.exe","\pwsh.exe" ) AND originalfilename In ("PowerShell.EXE","pwsh.dll") AND commandline In ("System.Security.Cryptography.",".AesCryptoServiceProvider",".DESCryptoServiceProvider",".DSACryptoServiceProvider",".RC2CryptoServiceProvider",".Rijndael",".RSACryptoServiceProvider",".TripleDESCryptoServiceProvider")

    Detection Query 4:

    technologygroup = "EDR"  AND image In ("\powershell.exe","\pwsh.exe" ) AND originalfilename In ("PowerShell.EXE","pwsh.dll") AND commandline In ("System.Security.Cryptography.",".AesCryptoServiceProvider",".DESCryptoServiceProvider",".DSACryptoServiceProvider",".RC2CryptoServiceProvider",".Rijndael",".RSACryptoServiceProvider",".TripleDESCryptoServiceProvider")
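    The same three-part logic as Detection Queries 3 and 4 (Image suffix, OriginalFileName, and CommandLine substring), applied to constructed Sysmon Event ID 1 records so the rule can be exercised offline. This is an added illustration written for this page, not Gurucul's or SigmaHQ's own code; the ProcessEvent record shape and the case-insensitive comparison are assumptions made here.

```python
"""Apply the PowerShell crypto-namespace detection to constructed Sysmon EID 1 events."""
from dataclasses import dataclass

# Indicator values copied from the IOC list above.
IMAGE_SUFFIXES = (r"\powershell.exe", r"\pwsh.exe")
ORIGINAL_FILE_NAMES = ("PowerShell.EXE", "pwsh.dll")
COMMANDLINE_SUBSTRINGS = (
    "System.Security.Cryptography.",
    ".AesCryptoServiceProvider",
    ".DESCryptoServiceProvider",
    ".DSACryptoServiceProvider",
    ".RC2CryptoServiceProvider",
    ".Rijndael",
    ".RSACryptoServiceProvider",
    ".TripleDESCryptoServiceProvider",
)


@dataclass
class ProcessEvent:  # assumed minimal record shape for a Sysmon Event ID 1 entry
    image: str
    original_file_name: str
    command_line: str


def matched_indicators(event: ProcessEvent) -> list[str]:
    """Return the CommandLine indicators that fired, or [] when the event does not match.
    Mirrors Detection Query 3: Image suffix AND OriginalFileName AND CommandLine substring.
    Case-insensitive matching is an assumption: paths and .NET type names as typed in
    PowerShell are not case-sensitive, so a case-sensitive rule would be easy to miss."""
    image_ok = event.image.lower().endswith(tuple(s.lower() for s in IMAGE_SUFFIXES))
    name_ok = event.original_file_name.lower() in {n.lower() for n in ORIGINAL_FILE_NAMES}
    if not (image_ok and name_ok):
        return []
    cli = event.command_line.lower()
    return [s for s in COMMANDLINE_SUBSTRINGS if s.lower() in cli]


def scan(events: list[ProcessEvent]) -> list[tuple[str, list[str]]]:
    """Return (image, fired indicators) for every event that matches the rule."""
    return [(e.image, hits) for e in events if (hits := matched_indicators(e))]


# Constructed sample events (not real telemetry): one hit, one benign pwsh, one non-PowerShell.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "PowerShell.EXE",
                 'powershell.exe -nop -w hidden -c "$a=New-Object System.Security.Cryptography.AesCryptoServiceProvider"'),
    ProcessEvent(r"C:\Program Files\PowerShell\7\pwsh.exe", "pwsh.dll",
                 r"pwsh.exe -File C:\scripts\inventory.ps1"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", "Cmd.Exe",
                 "cmd.exe /c echo System.Security.Cryptography.Rijndael"),
]

if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS):
        print(f"ALERT {image}: {hits}")
```

    Only the first sample fires; the third contains an indicator string but fails the Image and OriginalFileName conditions, which is what keeps the rule from alerting on every process that merely mentions the namespace.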

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_crypto_namespace.yml 


    Tags: Malware, Sigma, Cryptography, Education, Healthcare and Public Health
