Hello, welcome to the Thursday, December 16th, 2021 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich.

And I'm recording from Jacksonville, Florida.

Looking through recent submissions to virus total, Xavier came across a pretty simple powerShell backdoor that distinguish itself by being,

well, not detected by a single and high virus tool. PowerShell back doors are, well,

daily occurrences, so you would think that Anah virus tool have a little bit of handle on them,

but if you're looking at the one that Xavier found, you can kind of see how they have a little bit of handle on them, but if you're looking at the one that Xavier found,

you can kind of see how they have a hard time with these very simple ones.

In this case, it arrives as an obfuscated string that basically just is then split and

selected characters are extracted from it, and the main payload is then actually received from a

command control server as JSON data and then executed via invoke expression. But even if

antivirus fails you here, not all is lost. Xavier is listing a couple of tricks that you can use in order to detect the network traffic

that this PowerShell backdoor generates.

First of all, it sends HTTP requests on a slightly unusual port 888888, and it sends them to a specific

IP address, not to a host name.

So the good old trick to look for any outbound connections to IP addresses that did not get returned as DNS response.

Well, that's usually suspicious and something to look at.

And then, of course, on your endpoint, having PowerShell

connect to an odd port like this should also be something that you can alert on. So Anavirus,

really sort of your first and hopefully not last layer of defense and a good combination of host-based defenses

and network defenses usually can fill the gaps

that antivirus leaves behind.

...