Hello, welcome to the Tuesday, October 30th, 2018 edition of the Sandton and Storm Center's Stormcast.

My name is Johannes Ulrich, and I am recording from Denver, Colorado.

PowerShell is not just a great tool for Windows system administrators, but of course, Malver authors

also have discovered how useful it is and how it can be abused.

So then again, to fight this trend, we have a lot of tools that try to monitor what PowerShell is doing.

It appears that some Malver authors are now again trying to counter these countermeasures.

And in one example that DDA has looked at, it looks like that one way they're trying to

actually accomplish this is by just creating a renamed copy of PowerShell.

So in this example, they used a Visual Basic Macro in order to copy the complete PowerShell folder.

That way they can rename PowerShell, and then they're not no longer calling PowerShell itself,

but instead a random named binary that it turns out to be

this copy of PowerShell. As the DAE points out, it's actually a little bit questionable how

effective this strategy is. Since this is still the original legitimate PowerShell binary,

it will create all the usual log events and such that you're used to from PowerShell binary, it will create all the usual log events and such that

you're used to from PowerShell. So as a result, well, it may actually send the same alerts

or trigger the same alerts that the original copy would have sent. The other part to this

is if someone sees PowerShell running, they may actually

be not really all that suspicious, but if they're pulling up their process explorer and they're

seeing this random string of letters instead of PowerShell, this may actually raise more alerts,

not less.

So not sure how useful this technique is, but certainly something to look out for if you

all of a sudden see a copy of PowerShell running under a different name.

...