Powershell

From MgmtWiki
Revision as of 17:43, 13 February 2025 by Tom (talk | contribs) (Problems=)


Full Title or Meme

A scripting language and shell, built on .NET, that allows a .NET method to be invoked directly from the command line.

Problems

North Korean Exploit

2025-02-13 Microsoft Threat Intelligence has observed North Korean state actor Emerald Sleet (also known as Kimsuky and VELVET CHOLLIMA) using a new tactic in targeted attacks: tricking targets into running PowerShell as an administrator and then pasting and running code provided by the threat actor.

To execute this tactic, the threat actor masquerades as a South Korean government official and over time builds rapport with a target before sending a spear-phishing email. To read the PDF file attached to the email, the target is lured to click a URL with instructions to register their device. The registration link has instructions to open PowerShell as an administrator and paste code provided by Emerald Sleet. If the target runs the code as an administrator, the code downloads and installs a browser-based remote desktop tool, downloads a certificate file with a hardcoded PIN from a remote server, and then sends a web request to a remote server to register the victim device using the downloaded certificate and PIN. This allows the threat actor to access the device and carry out data exfiltration.

While we have only observed the threat actor using this tactic in limited attacks since January 2025, this shift is indicative of a new approach to compromising their traditional espionage targets. Emerald Sleet is known to primarily target individuals working in international affairs, with a special focus on those whose work relates to Northeast Asia, as well as non-government organizations, government agencies and services, and media in North America, South America, Europe, and East Asia.

Microsoft directly notifies customers who have been targeted or compromised by nation-state actor activity, providing them with the necessary information to secure their accounts. Microsoft Defender XDR detects this Emerald Sleet activity. In addition to investing in advanced anti-phishing solutions, Microsoft recommends training end-users about phishing and the dangers of clicking URLs in unsolicited messages and employing attack surface reduction rules to prevent common attack techniques like using malicious scripts.
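The tactic above (a target pastes attacker-supplied code into an elevated PowerShell prompt, and the code downloads a tool, a certificate and then registers the device) leaves a trace in PowerShell's own script block log even when nothing is written to disk, and the final paragraph points at attack surface reduction rules as the preventive control. The following is an added defensive example, written for this wiki entry and not taken from the Microsoft advisory, showing how an administrator turns on script block logging, enables the relevant ASR rule, and hunts recorded script blocks for the download-and-execute pattern. It assumes a Windows host with PowerShell 5.1 or later run from an elevated prompt; the search patterns are illustrative assumptions, not indicators published by Microsoft, and the ASR rule GUID should be checked against the current Microsoft rule reference before use.

```powershell
# Added defensive example for the MgmtWiki Powershell page; not code from the
# Microsoft advisory. Assumes Windows, PowerShell 5.1+, elevated prompt.

# 1. Turn on script block logging so that pasted code is recorded as Event ID 4104
#    in Microsoft-Windows-PowerShell/Operational, even if it never touches disk.
#    The key path and value name are the documented Group Policy equivalents.
function Enable-ScriptBlockLogging {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord
}

# 2. Enable the ASR rule "Block execution of potentially obfuscated scripts".
#    The GUID is Microsoft's published rule id; verify it against the current
#    ASR rule reference before deploying.
function Enable-ObfuscatedScriptAsrRule {
    $ruleId = '5beb7efe-fd9a-4556-801d-275e5ffc04cc'
    Add-MpPreference -AttackSurfaceReductionRules_Ids $ruleId `
                     -AttackSurfaceReductionRules_Actions Enabled
}

# 3. Hunt recorded script blocks for the download -> certificate import -> web
#    request pattern. Patterns are illustrative assumptions chosen for this example.
function Find-SuspiciousScriptBlocks {
    param([int]$Hours = 24)

    $patterns = @(
        'Invoke-WebRequest', '\biwr\b', 'DownloadString', 'DownloadFile',
        'Start-BitsTransfer', 'Invoke-Expression', '\biex\b', 'certutil',
        'Import-PfxCertificate', 'Invoke-RestMethod'
    )
    $regex  = $patterns -join '|'
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Event 4104 properties: MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path
        $text = [string]$_.Properties[2].Value
        if ($text -match $regex) {
            $hits = [regex]::Matches($text, $regex) | ForEach-Object { $_.Value } | Sort-Object -Unique
            [pscustomobject]@{
                Time    = $_.TimeCreated
                UserSid = $_.UserId
                Matched = $hits -join ','
                Snippet = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
        }
    }
}

# Usage from an elevated prompt:
#   Enable-ScriptBlockLogging
#   Enable-ObfuscatedScriptAsrRule
#   Find-SuspiciousScriptBlocks -Hours 72 | Format-Table -AutoSize
```

A single Invoke-WebRequest in the log is not by itself evidence of compromise; the value of the query is in surfacing script blocks that combine a download, a certificate import and an outbound registration request in one session, which is the sequence the advisory describes and which legitimate administrative scripts rarely produce from an interactive console.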

References