Message269712
It's not just Stuxnet, as at least one other Advanced Persistent Threat uses that tactic. An APT (likely Russian intelligence) recently used encoded PowerShell to break into the Democratic National Committee: https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/
From that article:
> This one-line powershell command, stored only in WMI database, establishes an encrypted connection to C2 and downloads additional powershell modules from it, executing them in memory.
(As a fun coincidence, they also used py2exe to distribute other modules, which is kinda like a separate interpreter using safe_exec)

| Date | User | Action | Args |
| --- | --- | --- | --- |
| 2016-07-02 13:59:58 | Alexander Riccio | set | recipients: + Alexander Riccio, brett.cannon, theller, paul.moore, tim.golden, zach.ware, steve.dower |
| 2016-07-02 13:59:57 | Alexander Riccio | set | messageid: <1467467997.95.0.703208782698.issue26137@psf.upfronthosting.co.za> |
| 2016-07-02 13:59:57 | Alexander Riccio | link | issue26137 messages |
| 2016-07-02 13:59:57 | Alexander Riccio | create | |
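As an added example, not part of this tracker message or the CrowdStrike write-up it links to: a small triage helper that spots a PowerShell `-EncodedCommand` argument on a captured command line and decodes it (base64 over UTF-16LE) so an analyst can read the one-liner in clear text. The sample command line is constructed, and the flag matching assumes powershell.exe's acceptance of any unambiguous prefix of `-EncodedCommand`.

```python
import base64
import shlex

# Constructed sample script for the round-trip below; it is not taken from the
# incident the message refers to.
SAMPLE_SCRIPT = "Get-Date"


def encode_for_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def is_encoded_command_flag(token: str) -> bool:
    """powershell.exe accepts any unambiguous prefix of -EncodedCommand
    (-e, -ec, -enc, ...); -ExecutionPolicy and the like do not match."""
    if not token.startswith("-") or len(token) < 2:
        return False
    body = token[1:].lower()
    return "encodedcommand".startswith(body)


def decode_encoded_command(cmdline: str):
    """Return the decoded script carried by -EncodedCommand, or None when the
    command line has no such flag or the payload is not valid base64/UTF-16LE."""
    try:
        tokens = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes in the captured line
        return None
    for flag, value in zip(tokens, tokens[1:]):
        if not is_encoded_command_flag(flag):
            continue
        try:
            raw = base64.b64decode(value, validate=True)
            return raw.decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return None
    return None


if __name__ == "__main__":
    # Constructed command line mimicking the usual hidden-window invocation.
    sample = f"powershell.exe -NoP -W Hidden -enc {encode_for_powershell(SAMPLE_SCRIPT)}"
    print(decode_encoded_command(sample))  # → Get-Date
```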