
2024-10-30 // Dylan Evans

Cryptominer Activity via PowerShell Script Execution and PrintUI Abuse

Defender XDR

Detects cryptomining activity using PowerShell scripts with hardcoded IDs (e.g., `x123456.vbs`) or exploiting print management utilities like `printui.exe` in Windows System32.

Tags: malware, cryptomining, powershell, lateral-movement, privileged-escalation

Cryptomining via PowerShell Scripts and PrintUI Abuse

Overview

This detection identifies cryptomining operations by detecting suspicious PowerShell scripts with hardcoded identifiers (e.g., x123456.vbs) or malicious use of Windows print management utilities (printui.exe/dll) in the System32 folder—a common tactic for stealthy lateral movement and resource exploitation.

Query

DeviceProcessEvents
| where Timestamp > ago(7d)
| where (ProcessCommandLine matches regex @"[xX]\d{6}\.vbs" and ProcessCommandLine has "wscript") or (InitiatingProcessFileName =~ "wscript.exe" and ProcessCommandLine matches regex @"[xX]\d{6}\.bat")
| union (DeviceFileEvents | where Timestamp > ago(7d) | where FolderPath =~ @"C:\Windows\System32\" | where FileName in ("printui.exe", "printui.dll"))
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), ActionType = make_set(ActionType), CommandLine = make_set(ProcessCommandLine), FileNames = make_set(FileName) by DeviceId, DeviceName
| where array_length(ActionType) >= 2

Logic Explanation

The query combines two detection vectors:

  1. PowerShell Script Execution: Detects processes running wscript.exe with command lines containing hardcoded alphanumeric IDs (e.g., x123456.vbs) or .bat files executed via PowerShell.
  2. PrintUI Abuse: Identifies suspicious file operations in the C:\Windows\System32 folder targeting printui.exe/dll, a common vector for privilege escalation and cryptomining.

The union operation merges the process and file events, and the summarize step aggregates them per device to surface multi-action detections (e.g., both process execution and file access). Because make_set() keeps only distinct values, the threshold array_length(ActionType) >= 2 requires at least two different action types on the same device, so a host showing only script executions or only printui file activity is not flagged; this keeps the rule to high-confidence cases.
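The query's logic replayed over constructed sample events in Python, as an added example that is not part of the original detection: it approximates KQL's `has`, `=~`, `make_set` and the `union` + `summarize` step, and every device id, path and command line below is made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample rows with only the columns the query touches; not real Defender XDR telemetry.
PROCESS_EVENTS = [
    {"DeviceId": "dev-a", "ActionType": "ProcessCreated", "InitiatingProcessFileName": "powershell.exe",
     "ProcessCommandLine": "wscript.exe C:\\Users\\Public\\x123456.vbs"},
    {"DeviceId": "dev-a", "ActionType": "ProcessCreated", "InitiatingProcessFileName": "wscript.exe",
     "ProcessCommandLine": "cmd.exe /c C:\\Users\\Public\\x123456.bat"},
    {"DeviceId": "dev-b", "ActionType": "ProcessCreated", "InitiatingProcessFileName": "explorer.exe",
     "ProcessCommandLine": "wscript.exe C:\\Temp\\X654321.vbs"},
]
FILE_EVENTS = [
    {"DeviceId": "dev-a", "ActionType": "FileCreated", "FolderPath": "C:\\Windows\\System32\\",
     "FileName": "printui.dll"},
    {"DeviceId": "dev-c", "ActionType": "FileModified", "FolderPath": "C:\\Windows\\System32\\",
     "FileName": "printui.exe"},
]

VBS_ID = re.compile(r"[xX]\d{6}\.vbs")  # same patterns as the query
BAT_ID = re.compile(r"[xX]\d{6}\.bat")
SYSTEM32 = "c:\\windows\\system32\\"
PRINTUI = {"printui.exe", "printui.dll"}

def kql_has(text, term):
    # Approximates KQL `has`: case-insensitive whole-term match ("wscript" hits "wscript.exe", not "mywscript").
    return re.search(r"(?<![a-z0-9])" + re.escape(term) + r"(?![a-z0-9])", text, re.I) is not None

def process_event_matches(ev):
    cmd, parent = ev["ProcessCommandLine"], ev["InitiatingProcessFileName"].lower()
    return ((VBS_ID.search(cmd) is not None and kql_has(cmd, "wscript"))
            or (parent == "wscript.exe" and BAT_ID.search(cmd) is not None))

def file_event_matches(ev):
    return ev["FolderPath"].lower() == SYSTEM32 and ev["FileName"].lower() in PRINTUI

def detect(process_events, file_events, min_actions=2):
    # Mirrors union + summarize: make_set() deduplicates, so a device needs at
    # least `min_actions` *distinct* ActionTypes, not just that many matching rows.
    per_device = defaultdict(lambda: {"ActionType": set(), "CommandLine": set(), "FileNames": set()})
    for ev in process_events:
        if process_event_matches(ev):
            per_device[ev["DeviceId"]]["ActionType"].add(ev["ActionType"])
            per_device[ev["DeviceId"]]["CommandLine"].add(ev["ProcessCommandLine"])
    for ev in file_events:
        if file_event_matches(ev):
            per_device[ev["DeviceId"]]["ActionType"].add(ev["ActionType"])
            per_device[ev["DeviceId"]]["FileNames"].add(ev["FileName"])
    return {dev: agg for dev, agg in per_device.items() if len(agg["ActionType"]) >= min_actions}
```

Only dev-a is returned: dev-b has two matching script launches but a single action type, and dev-c has only the printui file event, which is exactly the filtering the >= 2 threshold performs.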

Tuning Notes

  • False Positives: Legitimate scripts may occasionally use wscript.exe or printui.dll for system tasks (e.g., printer management). Filter out known benign processes by adding exclusions to the FileName/ProcessCommandLine checks.
    • Suggestion: Exclude printui.exe if it’s part of a corporate print stack (e.g., via DeviceName or InitiatingProcessFileName checks).
  • False Negatives: Malicious scripts may evade detection by obfuscating IDs (e.g., base64 encoding). Expand regex to include variations like [a-zA-Z0-9]{6}\.vbs.
    • Suggestion: Add ProcessCommandLine has "wscript.exe" as a secondary filter for PowerShell-based execution.
