EXPLORE
Sign In
← Back to Explore
sigmahighHunting

Potential Persistence Via Powershell Search Order Hijacking - Task

Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. This could be a sign of persistence via PowerShell "Get-Variable" technique as seen being used in Colibri Loader

MITRE ATT&CK

T1053.005T1059.001
privilege-escalationexecutionpersistence

Detection Query

selection:
  ParentImage: C:\WINDOWS\System32\svchost.exe
  ParentCommandLine|contains|all:
    - -k netsvcs
    - -s Schedule
  CommandLine|endswith:
    - " -windowstyle hidden"
    - " -w hidden"
    - " -ep bypass"
    - " -noni"
condition: selection

Author

pH-T (Nextron Systems), Florian Roth (Nextron Systems)

Created

2022-04-08

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.privilege-escalationattack.executionattack.persistenceattack.t1053.005attack.t1059.001
Raw Content
title: Potential Persistence Via Powershell Search Order Hijacking - Task
id: b66474aa-bd92-4333-a16c-298155b120df
related:
    - id: 6e8811ee-90ba-441e-8486-5653e68b2299
      type: similar
status: test
description: Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. This could be a sign of persistence via PowerShell "Get-Variable" technique as seen being used in Colibri Loader
references:
    - https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/
author: pH-T (Nextron Systems), Florian Roth (Nextron Systems)
date: 2022-04-08
modified: 2023-02-03
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1053.005
    - attack.t1059.001
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage: 'C:\WINDOWS\System32\svchost.exe'
        ParentCommandLine|contains|all:
            - '-k netsvcs'
            - '-s Schedule'
        CommandLine|endswith:
            - ' -windowstyle hidden'
            - ' -w hidden'
            - ' -ep bypass'
            - ' -noni'
    condition: selection
falsepositives:
    - Unknown
level: high