Our newest emulation features a nifty obfuscation trick inspired by one of John Hammond's recent videos-thank you John! He does a detailed ...
Kristen Cotten
1 min. read
27 Oct 2022
Our newest emulation features a nifty obfuscation trick inspired by one of John Hammond's recent videos-thank you John! He does a detailed walkthrough on the basics of shell GLOBbing or wildcard pattern matching and how it is being leveraged by STEEP#MAVERICK to create scheduled tasks for persistence. With GLOBbing the shell tries to expand any tokens on the command line that contain unquoted GLOB characters/wildcard characters into existing path names in the file system. “?” is used to match any single character and “*” is used to match zero or more characters. There are other features, but these are the two observed in this recent example.
In STEEP#MAVERICK researchers at Securonix observed the threat actor using an invoke expression mixed with wildcard matching to hide a call to “schtasks.exe”. Just enough characters are specified amidst the wild characters so that the expression matches just one single file path. “$env:???t??r???\*2\??h???k?*” ends up being translated to “$env:SYSTEMROOT\System32\schtasks.exe”. While this is certainly clever, it is not necessarily super stealthy. It may be able to evade basic string matching detections but the actual process name and process execution are not obfuscated.
Our emulation models the original threat by executing a PowerShell script, w.ps1, that uses the above expression to make a call to schtasks.exe. As seen in the original threat, the script contains logic to determine the permission level, and create a scheduled task. The task name itself is dependent on the permission level (System vs User). Clean up steps are included after a three minute delay to remove the scheduled task and the downloaded script.
We will be releasing more content on the STEEP#MAVERICK campaign, so stay tuned!
This post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.