Article | Tue Apr 26, 2022

Colibri Loader's unique Persistence Technique using Get-Variable cmdlet

Swapnil

New Persistence Technique in Town

Recently there has been a lot of talk on Twitter about the Colibri Loader and its persistence mechanism, which in some way relies on PowerShell's Get-Variable cmdlet. According to MSDN, Get-Variable is a PowerShell cmdlet that gets the PowerShell variables in the current console.

In short, on Windows 10 or later systems, Colibri Loader drops a copy of itself into the %APPDATA%\Local\Microsoft\WindowsApps directory under the name Get-Variable.exe. It then creates a scheduled task that runs PowerShell hidden, using powershell.exe -windowstyle hidden.

To the naked eye it looks as though only PowerShell is running, yet this scheduled task somehow causes Colibri Loader to execute.

A novel Mechanism?

The scheduled task itself has nothing to do with the persistence mechanism; it is merely the trigger that starts PowerShell. What matters is that PowerShell, on startup, looks for Get-Variable.exe, first in the directories listed in the System Path variable and then in the directories listed in the User Path variable.

[Figure: ProcMon output showing the directory queries and the lookups in each Path directory for Get-Variable]

When it finds the file, it is mapped and executed with the parameters Name host ValueOnly. This command retrieves the automatic variable "host" to get details about the host running the PowerShell executable. You can test it on your own system by starting PowerShell and running "Get-Variable -name host -ValueOnly".

[Figure: Mapping of Get-Variable.exe]
[Figure: Execution of Get-Variable.exe with parameters]

This execution hands control to Colibri Loader, because it has placed a malicious file where PowerShell's search order finds it before the legitimate cmdlet. The TTP therefore falls under the MITRE ATT&CK technique "Hijack Execution Flow: Path Interception by Search Order Hijacking" under the Persistence tactic.

As to whether any other cmdlets can be hijacked in the same way, the ProcMon logs show no further cmdlet executable being searched for. The attack is therefore limited to the Get-Variable cmdlet.

Conclusion

To detect this specific procedure, search for Get-Variable.exe in every directory on your Path, not only in the WindowsApps folder, because the attack is not limited to that location.
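The following PowerShell script is an added example, not code from the article or from FourCore, that implements the check described above: it walks the machine-wide Path and then the per-user Path in the same order PowerShell uses, reports any Get-Variable.exe it finds along with the file's hash and signature status, and separately lists scheduled tasks whose action launches PowerShell with a hidden window, which is the trigger the article describes. The function and parameter names are the example's own choices.

```powershell
# Added example (not part of the original article): hunt for a Get-Variable.exe
# planted anywhere on the PATH search order, plus the hidden-PowerShell trigger task.

function Get-PathDirectories {
    # Machine PATH first, then user PATH, mirroring the lookup order the article observed in ProcMon.
    $scopes = @(
        @{ Name = 'Machine'; Value = [Environment]::GetEnvironmentVariable('Path', 'Machine') },
        @{ Name = 'User';    Value = [Environment]::GetEnvironmentVariable('Path', 'User') }
    )
    foreach ($scope in $scopes) {
        foreach ($dir in ($scope.Value -split ';')) {
            $dir = $dir.Trim()
            if ($dir) {
                # Expand %VAR% references that may still be present in the registry copy of PATH.
                [PSCustomObject]@{
                    Scope     = $scope.Name
                    Directory = [Environment]::ExpandEnvironmentVariables($dir)
                }
            }
        }
    }
}

function Find-CmdletExeOnPath {
    param(
        # Get-Variable is the only cmdlet the article found PowerShell probing for on disk;
        # the name is a parameter so the same check can be pointed at another file name.
        [string]$CmdletName = 'Get-Variable'
    )
    foreach ($entry in Get-PathDirectories) {
        $candidate = Join-Path -Path $entry.Directory -ChildPath "$CmdletName.exe"
        if (Test-Path -LiteralPath $candidate -PathType Leaf) {
            $file = Get-Item -LiteralPath $candidate
            $sig  = Get-AuthenticodeSignature -LiteralPath $candidate
            [PSCustomObject]@{
                Scope        = $entry.Scope
                Path         = $candidate
                SizeBytes    = $file.Length
                LastWriteUtc = $file.LastWriteTimeUtc
                SHA256       = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash
                Signature    = $sig.Status   # a legitimate cmdlet never exists as a loose .exe here
            }
        }
    }
}

function Find-HiddenPowerShellTasks {
    # Surface scheduled tasks whose action runs powershell.exe with -windowstyle hidden
    # (any prefix abbreviation of -windowstyle is accepted by PowerShell, so match -w* hidden).
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if ($action.Execute -match '(?i)powershell(\.exe)?"?$' -and
                $action.Arguments -match '(?i)-w\w*\s+hidden') {
                [PSCustomObject]@{
                    TaskName  = $task.TaskName
                    TaskPath  = $task.TaskPath
                    Execute   = $action.Execute
                    Arguments = $action.Arguments
                }
            }
        }
    }
}

$hits = @(Find-CmdletExeOnPath)
if ($hits.Count -gt 0) {
    Write-Warning "Get-Variable.exe found on PATH: possible search-order hijack."
    $hits | Format-Table -AutoSize
} else {
    Write-Host "No Get-Variable.exe found in any PATH directory."
}

Write-Host "Scheduled tasks launching PowerShell with a hidden window:"
Find-HiddenPowerShellTasks | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so that Get-ScheduledTask can enumerate tasks registered by other users. A hit from Find-CmdletExeOnPath is high-signal on its own, since no PowerShell cmdlet legitimately ships as a stand-alone Get-Variable.exe; a hidden-window task is only corroborating context, as plenty of benign automation also runs PowerShell hidden.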

FourCore ATTACK can simulate different Persistent Mechanisms like these and many others to validate your detections and response capabilities. Get an accurate idea about your security posture by assessing your Prevention, Detection, and Response capabilities on our Platform.

