# Valak: More than Meets the Eye

**cybereason.com/blog/valak-more-than-meets-the-eye**

Written By
Cybereason Nocturnus

May 28, 2020 | 13 minute read

**Research by: Eli Salem, Lior Rochberger and Assaf Dahan**

_[Check out a condensed, high level version of this report on our threat alerts page.](https://www.cybereason.com/threat-alert-valak)_

## Key Findings

**The Valak Malware: The Valak Malware is a sophisticated malware previously classified as a malware loader. Though it was first**
observed in late 2019, the Cybereason Nocturnus team has investigated a series of dramatic changes, an evolution of over 30 different
versions in less than six months. This research shows that Valak is more than just a loader for other malware, and can also be used
independently as an information stealer to target individuals and enterprises.
**Targeting Enterprises: More recent versions of Valak target Microsoft Exchange servers to steal enterprise mailing information and**
passwords along with the enterprise certificate. This has the potential to access critical enterprise accounts, causing damage to
organizations, brand degradation, and ultimately a loss of consumer trust.
**Targets US and Germany: This campaign is specifically targeting enterprises in the US and Germany.**
**With a Rich Modular Architecture: Valak’s basic capabilities are extended with a number of plugin components for reconnaissance and**
information stealing.
**Using Fast Development Cycles: Valak has evolved from a loader to a sophisticated, multi-stage modular malware that collects plugins**
from its C2 server to expand its capabilities. The Cybereason Nocturnus team has observed over 30 different versions in about 6 months.


-----

**es g ed o Stea t** a a s a stea t y a a e t at uses ad a ced e as e tec ques e S a d d g co po e ts t e
registry. In addition, over time the developers of Valak chose to abandon using PowerShell, which can be detected and prevented by
modern security products.

## table of contents

 Introduction

[When Valak was first discovered in late 2019, it was classified as a loader and used in multiple campaigns primarily targeting the US. It was](https://twitter.com/malware_traffic/status/1207824548021886977)
[often paired with Ursnif (aka.](https://www.cybereason.com/blog/new-ursnif-variant-turns-to-cryptocurrency-as-banks-become-more-secure) [Gozi) and](https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi) [IcedID. Upon investigation by Cybereason Nocturnus in April 2020, Valak was identified as being used](https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid)
in campaigns mainly targeting the US and Germany. The campaigns involved new versions, revealing that the malware authors have been
working on a better, improved version of the malware quickly. Over thirty different versions of the malware were found, revealing tremendous
improvements in a very short period of time. Valak’s key features include:

**Fileless stage: Valak’s contains a fileless stage in which it uses the registry to store different components**
**Reconnaissance: It collects user, machine, and network information from infected hosts**

**Geolocation Aware: It checks the geo-location of the victim’s machine**

**ScreenCapture: It takes screenshots of the infected machine**
**Download Secondary Payloads: It downloads additional plugins and other malware**
**Enterprise-aware: It targets administrators and enterprises networks**

**Infiltrates the Exchange Server: It collects and steal sensitive information from the Microsoft Exchange mail system, including**
credentials and the domain certificate

Among it’s improvements, the most important and interesting addition to the newer versions of Valak is a component called “PluginHost”.
_PluginHost provides communication with the C2 server and downloads additional plugins under the name “ManagedPlugin”. Among the_
plugins observed are “Systeminfo” and “Exchgrabber”, both of which appear to specifically target enterprises.

In this research, we evaluate the differences between the old and new versions of Valak and elaborate on the malware capabilities, its
infrastructure, and its connection to other malware.

## Threat Analysis

**Initial infection**

In these campaigns, the most common infection vector is via Microsoft Word documents embedded with malicious macro code. The contents
of the documents are in English and German depending on the target.

_The content of the phishing_

_documents._

Malicious macro code is used to download a DLL file with .cab extension named “U.tmp” and saved into the temp folder.

DLL file download address: “hxxp://v0rzpbu[.]com/we201o85/aio0i32p.php?l=hopo4.cab”

After downloading the DLL, the code launches the malicious DLL using “regsvr32.exe”.

_Initial infection as shown in the_

_Cybereason Defense Platform._


-----

e e ecuted, t e d ops a d au c es us g a ec ca s stage o t e a a a a e uses a a c ous Ja aSc pt e t
a random name that changes per execution. In the example below the name of the JavaScript file is “sly4.0”.

_The DLL dropping the_

_JavaScript file._

## Multi-stage Attack: Step-by-step Analysis of Valak

**First Stage: Gaining Initial Foothold**

_Attack flow for the first stage of_

_Valak._

The downloaded JavaScript code, “sly4.0”, contains a variable called “PRIMARY_C2” that holds multiple fake and legitimate domains,
including Google, Gmail, Avast, and Microsoft. The domain list varies between samples.


-----

_script sly4.0._

Valak creates connections to the different C2 servers in the list with two predefined URIs:

One URI is used to download an encoded file named “project.aspx” [saved as project[1].htm].

*in version 30, the file was renamed to “rpx.aspx”.

One URI is used to download an encoded file named “a.aspx” [saved as a[1].htm].

*in version 30, the file was renamed to “go.aspx”.


_Malware configuration in the_

_URI embedded in the script._

_URI embedded in the script._


Both files are decoded by the malware using Base64 and an XOR cipher. The key is a combination of a predefined string and information
collected from memory during runtime.

_Function “rot13_str” decodes a_

_string using XOR._

_The code for downloading the_

_encoded file and decoding it with the first function (rot13_str) and Base64._

_The “GetID” functions used to_

_create the XOR key and collect information about the user._

The malware sets information like the C2 server, ID, the downloaded payload, and the decoded project.aspx in a registry key under
“HKCU\Software\ApplicationContainer\Appsw64”. These keys will be used in the second stage.


-----

_Files and registry keys_

_written by Valak._

After downloading the payloads and setting the registry keys and values, Valak sets it’s persistence via a scheduled task.

_Creation of the_

_scheduled task to establish persistence._

[The scheduled task is set to launch wscript that executes JavaScript stored as an Alternative Data Stream named “Default2.ini” in the file](https://attack.mitre.org/techniques/T1096)
“Classic2Application.bz”.

_The execution of the scheduled task as shown in the Cybereason_

_Defense Platform._

The script in the ADS (“Default2.ini”) executes the content of the registry key, “HKCU\Software\ApplicationContainer\Appsw64\ServerUrl”,
which holds the contents of “project.aspx”, the second stage JavaScript file.

_Registry modifications_

_done by Valak._

## Second Stage: Fetching and Executing Secondary Payloads

In the first stage, Valak laid the foundation for the attack. In the second stage, it downloads additional modules for reconnaissance activity and
to steal sensitive information.

The two payloads (“project.aspx” and “a.aspx”) and the configuration in the registry keys are used in the second stage to perform malicious
activities.


-----

_Attackflow for the second_

_stage._

## Second Stage JS - Project.aspx

The “project.aspx”, or as we refer to it, the second stage JS, is a JavaScript file that looks very similar to the first stage JavaScript (“sly4.0”).
However, on closer inspection it contains additional functions.

The script is executed by the scheduled task used to maintain persistence, with its main goal being:

Execute Pluginhost.exe, the plugin management component.
Download and parse additional payloads from the C2.

Save the payloads as Alternate Data Streams and set scheduled tasks to run them.

_Configuration section_

_of the second stage JS._

In the second stage, the configuration file has been altered to contain a unique “Client_ID” and a different file that it will try to download called
“bounce.aspx”.

Stage 2 also contains three unique functions, “CreateExecJob”, “CreateOleExecJob” and “LaunchPlugin”.

These functions are called from the “ParseTask” function, and receive the parsed tasks from the C2.


-----

_The “ParseTask” function_

_checks the payload._

If the malware downloads a payload that starts with the word “ODTASK”, it calls “CreateOleExecJob”, which writes the payload as an ADS of
the file “C:\\Users\\Public\\PowerManagerSpm.jar” and creates a scheduled task “PerfWatson_%taskname%” to run it.

_The “CreateOleExecJob”_

_function._

If the malware receives a content start with the word “PLUGIN”, it calls “LaunchPlugin”, which executes the PluginHost.exe file using WMI with
the content as an argument.

_The “LaunchPlugin”_

_function._


-----

t e a a e ece es a co te t sta t g t t e o d _S_, t ca s C eate _ecJob,_ c tes t e co te t as a S o t e e
“C:\\Users\\Public\\PowerManagerSpm.jar” and creates a scheduled task “PowerUtility_%taskname%W” to run it.

_The “CreateExecJob”_

_function._

Our analysis reveals that this time, the payload downloaded by Valak was IcedID. However, the payload can vary, as the attackers can
download other payloads to the infected system.

[In previous infections, Valak downloaded different remote administration tools like putty.exe and](https://en.wikipedia.org/wiki/PuTTY) [NetSupport Manager.](https://en.wikipedia.org/wiki/NetSupport_Manager)

_The process tree to_

_establish persistence as seen in the Cybereason Defense Platform._

## PluginHost - a.aspx

The decoded “a.aspx” is saved in the temporary folder as %TEMP%\<ID>.bin. This file, internally named “PluginHost.exe”, is an executable
file, and will be used to manage additional components.

Valak’s Modular Plugin Architecture

## PluginHost - Plugin Management Component

The functionality of the executable “PluginHost.exe” is divided into four classes: Bot, HTTPClient, Program and Utils, which will allow it to
perform its main goal of downloading and loading additional components of the malware.

**The Bot Class:**

The bot class is responsible for reading from several registry entries set by the first stage.

GetID() reads from the registry entry “SetupServiceKey”, which holds the ID.
GetC2() reads from the registry entry “ShimV4”, which holds the C2 domain.

Both functions use the Utils class to read registry entries.


-----

_from the registry._

_function in the Utils class._

**The HTTPClient Class:**

The HTTPClient class contains two functions, post and GetPluginBytes.


_GetID() andGetC2() reading_

_The RegistryReadInfo()_


**The GetPluginBytes() function gets the C2 domain using GetC2() and adds an embedded URI. The URL is used to download an additional**
module for the plugin.

_GetPluginBytes_

_function used to download the plugin._

**The Program Class:**

The Program class contains the main function of the file main(). This function executes the function GetPluginBytes() to download the module
components with type “ManagedPlugin”. These components will be loaded reflectively to the executable’s memory and expand the plugin
capabilities.

_PluginHost’s main function_

_downloads the ManagedPlugin module._

**The Utils Class:**

The Utils class contains several maintenance functions used by the other classes.

## ManagedPlugin - Plugins Suite for Enhanced Capabilities

When referring to additional plugins, it is worth noting that in early versions of Valak the plugins were downloaded by the second stage JS via
PowerShell. More recent versions of Valak abandoned the popular yet easily detectable PowerShell downloader approach and transitioned to
PluginHost as a means of managing and downloading additional payloads. This transition indicates that the Valak authors are looking for
stealthier approaches and ways to improve their evasion techniques.

During this analysis, we discovered several different modules with the same internal name, “ManagedPlugin.dll”.

These modules are downloaded and loaded by “PluginHost.exe”.

**Systeminfo: responsible for extensive reconnaissance; targets local and domain admins**
**Exchgrabber: aims to steal Microsoft Exchange data and infiltrates the enterprises mail system**

**IPGeo: verifies the geolocation of the target**


-----

**oc** **o co ects** o at o about t e ected ac e s u g p ocesses

**Netrecon: performs network reconnaissance**

**Screencap: captures screenshots from the infected machine**

Among these components, some focus on one single, specific activity to achieve their goal and are relatively less robust than others when it
comes to capability and potential impact. This includes ipgeo, procinfo, netrecon and screencap.

_The Ipogeo module, which_

_collects information using an IP discovery service._

_The Procinfo_

_module, which collects information about the running processes._

_The Netrecon module, which_

_collects network information._

_The Screencap module,_

_which takes screenshots of the infected machine._

Below is a deep dive of “systeminfo” and “exchgrabber”, which are more advanced and complex than the aforementioned plugin
components.

**ManagedPlugin: Systeminfo, the Reconnaissance Module**

“Systeminfo” shares many similarities to “PluginHost.exe” when it comes to class names. However, unlike “PluginHost”, it contains several
reconnaissance functions that focus on gathering information about the user, the machine, and existing AV products.


-----

_The plugin components in Valak._

The module gathers information about the user and attempts to verify whether this is a local admin or a domain admin. This shows that after
infecting the machine, Valak chooses to target mainly administrators and domain admins. This indicates a propensity to target higher profile
accounts such as enterprise admins.

_The ManagedPlugin_

_(SystemInfo), which determines if the user is a local or domain admin._

The module attempts to find whether the infected machine has any security products installed using the AntivirusSoftware() function. The
information collected about installed AV programs is gathered using the WMI query “SELECT * FROM AntiVirusProduct”.

_ManagedPlugin (SystemInfo)_

_checks for antivirus products._

The module also collects the physical address (MAC) and the IP address of the infected machine.


-----

_The ManagedPlugin_

_(SystemInfo) collects the machine’s physical address._

Additional reconnaissance activity occurs with several other functions, including:

**NetUser - provides more information about the user**
**SystemUpTime - records the amount of time the machine is running**

**WindowsVersion - determines the Windows version**

_ManagedPlugin (SystemInfo) reconnaissance functions._

In order to exfiltrate data, the plugin uses the function “post” in the HTTPClient class. “Post” gives the plugin the ability to upload content and
exfiltrate data to the remote C2 whose domain is stored in the registry.


-----

_ManagedPlugin (SystemInfo)_

_data exfiltration function post._

Similar to “PluginHost”, “SystemInfo” uses another function called GetQuery() that builds the URL to send the information to the remote C2.
The URL is encoded using Base64 and some char replacements.

_Example of the final URL_

_created by the GetQuery function._

The core functionality of the “ManagedPlugin” module is in the “ManagedPlugin” class. The function loops endlessly and continues to execute
the reconnaissance activity and send it to the attacker.

_ManagedPlugin execution activity._


-----

**g** **g** **g** **g** **g** **p**

Exchgrabber, similar to systeminfo, shares some similarities with PluginHost when it comes to several function names like Bot, HTTPClient,
and Utils; however, it has its own differentiated capabilities.

At first glance, the module appears to solely be used to steal credentials, which can be seen in several classes and data arguments with clear
names like “Credential” and “CredentialType”.

_Exchgrabber classes._

The module handles its credential management in the class “Credential”, which includes several functions that handle the credential
management activity and data types that will hold these credentials.

One of the most interesting functions in this class is “Credential” which receives four arguments: username, password, target, and
CredentialType. It inserts these credentials into the respective module variable.

The “target” variable is used in the core ManagedPlugin function to store strings related to Microsoft Office applications.

_The ManagedPlugin_

_(Exchgrabber) Credential function._

Another interesting argument in the “credential” function is “CredentialType”. The type of credentials is determined by another part of the enum
variable called “CredentialType”, which contains each of the credentials that the module will attempt to extract.

**The credential types are sensitive information that can be extracted from the enterprise Microsoft Exchange server data, including**
**Domain Password & Domain Certificate.**

Extracting this sensitive data allows the attacker access to an inside domain user for the internal mail services of an enterprise along with
access to the domain certificate of an enterprise. With systeminfo, the attacker can identify which user is a domain administrator. This creates
a very dangerous combination of sensitive data leakage and potentially large scale cyber spying or infostealing. It also shows that the intended
target of this malware is first and foremost enterprises.


-----

_ManagedPlugin (Exchgrabber) credential types._

When inspecting the core logic behind the class MainPlugin, it’s clear how each class collaborates with others to extract data from Microsoft
Exchange and Outlook.

The module attempts to check if the extracted data is related to Microsoft Office or MS.Outlook. If so, it attempts to access the file
_“Autodiscover.xml” using the function GetFiles. “Autodiscover.xml” is a dynamically generated file that contains the data Microsoft Outlook_
needs to access the mailbox entered in the configuration wizard. The primary purpose of the Exchange Autodiscover service is to establish
[initial connections to Exchange user mailboxes. It then attempts to collect the AutoDiscover SMTP address of the dedicated exchange forest,](https://www.priasoft.com/using-a-dedicated-exchange-forest-resource-forest/)
and eventually puts all the extracted data in a variable called “text” .

_Microsoft exchange data extraction._

After collecting the sensitive data, the module compresses it using Base64. This is a new feature of this specific module within the “Utils” class.
Then, it sends the sensitive data to the attacker’s C2 with the POST function and an embedded URI.

_ManagedPlugin_

_(Exchgrabber) used for data exfiltration using a predefined URI._

## Valak’s Evolution Over Time

As of writing this report we have seen Valak change tremendously It is currently on version number 24


-----

s sect o g g ts t e ajo d e e ces bet ee t e p e ous e s o s a d e e e s o s o a a by a a y g e s o 6, e s o 9,
version 23, and version 24.

**Improvements to Payload Obfuscation**

In older versions, Valak downloads the second stage JS and uses only one obfuscation technique: Base64. The newer versions use XOR in
addition to Base64.

_Code from older versions_

_of Valak that only uses Base64 decryption._

_Code from a newer_

_version of Valak that uses a more complex decryption function._

**Plugin Management Component**

The newer versions of Valak download two payloads in the first stage. The first payload is Valak’s plugin management component
(“pluginhost.exe”), and the second is the second stage JavaScript payload of Valak. In earlier versions, Valak did not include the “pluginhost”
payload.

**PowerShell Activity:**

In older versions of Valak, the second stage JS downloads additional content just like the newer versions, including“TASK” / ”ODTASK” /
”PLUGIN”. In the newer versions, Valak also downloads “PluginHost” in stage one and executes it once receiving the task “PLUGIN” in stage
two, which then downloads ManagedPlugin.dll. In the older versions, Valak uses the task “PLUGIN” in stage two to leverage PowerShell and
download “ManagedPlugin.dll” as a Base64 binary.

As mentioned previously, later versions of Valak abandon the popular yet easily detectable PowerShell downloader approach and transition to
“PluginHost” to manage and download additional payloads. This transition may indicate that Valak authors are looking to leverage stealthier
approaches and improve their evasion techniques.

_Raw data downloaded_

_from the C2._

_Decoded content of the_

_“PLUGIN” task._


-----

## a a s ast uctu e

Analyzing the different samples reveals a repetitive pattern of URIs used to connect to a “bucket” of domains, all of which are embedded in the
code.

For example, the URI used to download the “PluginHost” (a.aspx) is always built off: “a.aspx?redir=1&clientUuid=91&r_ctplGuid=” +<the
_encoded_ID>+ “&TS2=” +<random string>_

_Creation of the URI in_

_Valak’s source code._

This URI is not the only similarity across samples; Valak has several URIs that match this behavior across components.

**Valak’s Observed URI Patterns:**

**DLL Download: the DLL URI always includes “aio0i32p”**
**Second Stage: the second stage (project.aspx) always includes “?cwdTelemetry=2&regclid=”**

**Task Fetching: Tasks fetching from the C2 server always include “?dx11diag=”**

**Additional Plugins Download: “PluginHost” downloads additional plugins that always include “db.aspx?llid=”**

**Exchgrabber plugin data: the URI to exfiltrate data from the plugin includes “class4.aspx?internalService”**

Another interesting aspect of the Valak malware is that it has a shared infrastructure among almost all of it’s different versions. As the graph
below shows, most of the known domains have a connection between them, whether it be the URIs similarities, downloaded files, or connected
files.

_VirusTotal graph showing the_

_connection between the different Valak domains._

## Valak’s Relationship With Other Malware

Valak infections were initially characterized as rather unilateral, where Valak mainly downloaded other known malware like Ursnif or IcedID.
However, over the course of this investigation, it became clear that Valak’s relationship with other malware is actually multilateral.


-----

o e a p e, t e o o g et o t a c eco d g p o ded by a [a e t a c a a ys s](https://www.malware-traffic-analysis.net/2019/12/19/index.html) ust ates a ect o c a t at s t ated by U s,
which downloads IcedID and Valak, both from the same C2 server.

_Traffic - Ursnif downloading_

_IcedID and Valak._

While the nature of the partnership between each of these specific malware is not fully understood, we suspect it is based on personal ties and
[mutual trust from underground communities. Given the fact that both Ursnif and](https://www.sentinelone.com/blog/goznym-banking-malware-gang-busted/) [IcedID are considered to be part of the Russian-speaking E-](https://www.bankinfosecurity.com/repeat-trick-malware-wielding-criminals-collaborate-a-12219)
Crime ecosystem, it is possible that the authors of Valak are also part of that Russian-speaking underground community. This community is
known to keep rather close ties based on trust and reputation.

Another clue that may tie the authors behind Valak to a Russian-speaking community are traces of both Russian and Arabic (Saudi Arabia)
language settings left in the phishing documents. These language traces appear in all the samples we analyzed, an example of which is shown
below:

_Russian and Arabic keyboard traces found in a Valak phishing document._

It is important to mention that the above mentioned language traces can be easily manipulated and put there on purpose by the threat actors,
and therefore, it is not enough to determine with certainty the origin of the threat actors.

## Valak’s Evolution as an Independent Malware

Although initially downloaded as a payload of other malware, in more recent appearances of Valak, the malware appears to come as a
standalone unit in traditional phishing campaigns.

Recent campaigns target two specific geographic locations, including the US and Germany, where the content and the name of the files were
written in English and German with files masquerading as legitimate.

_VirusTotal screenshot with the_

_file names used in the recent campaigns._

_Content of the document targeting Germany._


-----

_Content of the document targeting the US._

Even though Valak appears to have evolved over time and has infostealer capabilities, it is clear that the threat actors behind Valak continue to
collaborate with other malware like IcedID and and Ursnif to maximize their revenue.

## Conclusion

In this research, the Cybereason Nocturnus team analyzed the emerging malware Valak. Though Valak first made its appearance at the end of
2019 and was classified as a malware loader by several security analysts, our investigation shows that Valak is more than a simple loader of
malware. It is a sophisticated modular malware packed with a myriad of reconnaissance and information stealing features.

Over the course of roughly six months, Valak’s developers made tremendous progress and released more than 30 different versions. Each
version extended the malware’s capabilities and added evasive techniques to improve its stealth. Valak has at least six plugin components that
enable attackers to obtain sensitive information from its victims.

The extended malware capabilities suggest that Valak can be used independently with or without teaming up with other malware. That being
said, it seems as though the threat actor behind Valak is collaborating with other threat actors across the E-Crime ecosystem to create an even
more dangerous piece of malware.

These malware campaigns seem to focus on targets in the US and Germany. The Cybereason Nocturnus team will continue to monitor Valak’s
progress to determine whether Valak infections will spread to other regions as the malware continues to evolve and grow popular among
cybercriminals.

## Indicators of Compromise

[Click here to download this campaign's IOCs (PDF)](https://www.cybereason.com/hubfs/Valak%20IOCs.pdf)

[Click here to download the threat alert (PDF)](https://www.cybereason.com/hubfs/Valak%20Threat%20Alert.pdf)

## MITRE ATT&CK BREAKDOWN


**Initial Access** **Execution** **Persistence** **Privilege**
**Escalation**


**Credential**
**Access**

**Credentials**
**in Files**

**Account**
**Manipulation**


**Discovery** **Collection** **Exfiltration** **C**


**Account**
**Discovery**

**File and**
**[Directory](https://attack.mitre.org/techniques/T1083)**
**Discovery**


**Spearphishing**
**Link**

**Spearphishing**
**Attachment**


**Command-Line**
**Interface**


**[Regsvr32](https://attack.mitre.org/techniques/T1117/)** **Valid**
**Accounts**


**Scheduled**
**Task**


**Scheduled**
**Task**


**Defense**
**Evasion**

**NTFS File**
**Attributes**

**Modify**
**Registry**


**Data from**
**[Information](https://attack.mitre.org/techniques/T1213)**
**Repositories**

**Data from**
**[Local](https://attack.mitre.org/techniques/T1005)**
**System**


**Automated**
**Exfiltration**

**Data**
**Compressed**


**D**
**O**


**[Scheduled Task](https://attack.mitre.org/techniques/T1053/)** **[Regsvr32](https://attack.mitre.org/techniques/T1117)** **Permission**
**[Groups](https://attack.mitre.org/techniques/T1069)**
**Discovery**

**[Scripting](https://attack.mitre.org/techniques/T1064)** **[Scripting](https://attack.mitre.org/techniques/T1064)** **Security**
**[Software](https://attack.mitre.org/techniques/T1063)**
**Discovery**


**[Data Staged](https://attack.mitre.org/techniques/T1074)** **Data**
**Encrypted**


**Email**
**Collection**


**Exfiltration**
**Over**
**[Command](https://attack.mitre.org/techniques/T1041)**
**and Control**
**Channel**


**Windows**
**[Management](https://attack.mitre.org/techniques/T1047)**
**Instrumentation**


**System**
**[Information](https://attack.mitre.org/techniques/T1082)**
**Discovery**


**[PowerShell](https://attack.mitre.org/techniques/T1086)** **System**
**Network**
**Configuration**
**Discovery**


-----

**System Time**
**Discovery**

About the Author

**Cybereason Nocturnus**

The Cybereason Nocturnus Team has brought the world’s brightest minds from the military, government intelligence, and enterprise security to
uncover emerging threats across the globe. They specialize in analyzing new attack methodologies, reverse-engineering malware, and
exposing unknown system vulnerabilities. The Cybereason Nocturnus Team was the first to release a vaccination for the 2017 NotPetya and
Bad Rabbit cyberattacks.

[All Posts by Cybereason Nocturnus](https://www.cybereason.com/blog/authors/cybereason-nocturnus)


-----