2024-10-30 // Dylan Evans
Cryptominer Activity via PowerShell Script Execution and PrintUI Abuse
Defender XDR
Detects cryptomining activity using PowerShell scripts with hardcoded IDs (e.g., `x123456.vbs`) or exploiting print management utilities like `printui.exe` in Windows System32.
Cryptomining via PowerShell Scripts and PrintUI Abuse
Overview
This detection identifies cryptomining operations by flagging suspicious PowerShell scripts with hardcoded identifiers (e.g., `x123456.vbs`) or malicious use of the Windows print management utilities (`printui.exe`/`printui.dll`) in the System32 folder, a common tactic for stealthy lateral movement and resource exploitation.
Query
DeviceProcessEvents
| where Timestamp > ago(7d)
| where (ProcessCommandLine matches regex @"[xX]\d{6}\.vbs" and ProcessCommandLine has "wscript") or (InitiatingProcessFileName =~ "wscript.exe" and ProcessCommandLine matches regex @"[xX]\d{6}\.bat")
| union (
    DeviceFileEvents
    | where Timestamp > ago(7d)
    // FolderPath carries the full file path, so prefix-match System32 rather than comparing it to a bare folder string
    | where FolderPath startswith @"C:\Windows\System32\" and FileName in~ ("printui.exe", "printui.dll")
)
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), ActionType = make_set(ActionType), CommandLine = make_set(ProcessCommandLine), FileNames = make_set(FileName) by DeviceId, DeviceName
| where array_length(ActionType) >= 2
Logic Explanation
The query combines two detection vectors:
- PowerShell Script Execution: Detects processes running `wscript.exe` with command lines containing hardcoded alphanumeric IDs (e.g., `x123456.vbs`), or `.bat` files with the same ID pattern executed via PowerShell (the query checks for `wscript.exe` as the initiating process).
- PrintUI Abuse: Identifies suspicious file operations in the `C:\Windows\System32` folder targeting `printui.exe`/`printui.dll`, a common vector for privilege escalation and cryptomining.
The `union` operation merges these events, followed by aggregation to surface multi-action detections (e.g., both process execution and file access) across devices. The threshold `array_length(ActionType) >= 2` ensures only high-confidence cases are flagged.
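To show how the two branches and the `ActionType` threshold interact, here is an added Python re-implementation of the query's logic run over constructed events (example code written for this page, not part of the original detection or of Defender XDR). Field names follow the `DeviceProcessEvents`/`DeviceFileEvents` columns the query uses; the host names, paths and events are made up.

```python
import re
from collections import defaultdict

VBS_ID = re.compile(r"[xX]\d{6}\.vbs")  # same regexes as the KQL branches
BAT_ID = re.compile(r"[xX]\d{6}\.bat")
SYSTEM32 = "c:\\windows\\system32\\"  # compared case-insensitively, like =~
PRINTUI = {"printui.exe", "printui.dll"}

def process_match(ev):
    # Branch 1: wscript running x######.vbs, or wscript spawning x######.bat
    cmd = ev.get("ProcessCommandLine", "")
    via_wscript = ev.get("InitiatingProcessFileName", "").lower() == "wscript.exe"
    return bool((VBS_ID.search(cmd) and "wscript" in cmd.lower()) or (via_wscript and BAT_ID.search(cmd)))

def file_match(ev):
    # Branch 2: any file action on printui.exe/printui.dll inside System32
    return ev.get("FolderPath", "").lower().startswith(SYSTEM32) and ev.get("FileName", "").lower() in PRINTUI

def detect(events, min_action_types=2):
    # Union both branches, summarize per device, keep devices with >= 2 distinct ActionTypes
    per_device = defaultdict(lambda: {"ActionType": set(), "CommandLine": set(), "FileNames": set()})
    for ev in events:
        if not (process_match(ev) if ev["table"] == "DeviceProcessEvents" else file_match(ev)):
            continue
        agg = per_device[ev["DeviceName"]]
        agg["ActionType"].add(ev["ActionType"])
        for col, field in (("CommandLine", "ProcessCommandLine"), ("FileNames", "FileName")):
            if ev.get(field):
                agg[col].add(ev[field])
    return {d: a for d, a in per_device.items() if len(a["ActionType"]) >= min_action_types}
# Constructed sample events (not real telemetry); fields follow the two Defender tables.
SAMPLE_EVENTS = [
    # host-a: script hit plus a printui file hit -> two ActionTypes -> flagged
    {"table": "DeviceProcessEvents", "DeviceName": "host-a", "ActionType": "ProcessCreated",
     "InitiatingProcessFileName": "powershell.exe", "ProcessCommandLine": "wscript.exe C:\\Users\\Public\\x123456.vbs"},
    {"table": "DeviceFileEvents", "DeviceName": "host-a", "ActionType": "FileCreated",
     "FolderPath": "C:\\Windows\\System32\\printui.dll", "FileName": "printui.dll"},
    # host-b: script hit only -> one ActionType -> below threshold, not flagged
    {"table": "DeviceProcessEvents", "DeviceName": "host-b", "ActionType": "ProcessCreated",
     "InitiatingProcessFileName": "wscript.exe", "ProcessCommandLine": "cmd.exe /c C:\\Temp\\x654321.bat"},
    # host-c: renamed script (the False Negatives case) -> neither regex matches
    {"table": "DeviceProcessEvents", "DeviceName": "host-c", "ActionType": "ProcessCreated",
     "InitiatingProcessFileName": "powershell.exe", "ProcessCommandLine": "wscript.exe C:\\Temp\\a1b2c3.vbs"},
    # host-d: two file ActionTypes on printui.exe with no script at all -> still flagged (tuning point)
    {"table": "DeviceFileEvents", "DeviceName": "host-d", "ActionType": "FileCreated",
     "FolderPath": "C:\\Windows\\System32\\printui.exe", "FileName": "printui.exe"},
    {"table": "DeviceFileEvents", "DeviceName": "host-d", "ActionType": "FileModified",
     "FolderPath": "C:\\Windows\\System32\\printui.exe", "FileName": "printui.exe"},
]
```

Note that host-d is flagged on two file ActionTypes alone, so the threshold does not by itself require a script hit; the corporate print stack exclusion in the tuning notes addresses exactly this case.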
Tuning Notes
- False Positives: Legitimate scripts may occasionally use `wscript.exe` or `printui.dll` for system tasks (e.g., printer management). Filter out known benign processes by adding exclusions to the `FileName`/`ProcessCommandLine` checks.
  - Suggestion: Exclude `printui.exe` if it's part of a corporate print stack (e.g., via `DeviceName` or `InitiatingProcessFileName` checks).
- False Negatives: Malicious scripts may evade detection by obfuscating IDs (e.g., base64 encoding). Expand the regex to include variations like `[a-zA-Z0-9]{6}\.vbs`.
  - Suggestion: Add `ProcessCommandLine has "wscript.exe"` as a secondary filter for PowerShell-based execution.