name: Axios Supply Chain Renamed PowerShell Executing from ProgramData Analytic
category: 'Defense Evasion'
threatname: 'Masquerading: Rename System Utilities'
functionality: 'Endpoint Management Systems'
description: |
Detects a process whose image is named wt.exe (the Windows Terminal launcher) executing from
%PROGRAMDATA% with PowerShell-style arguments, consistent with the axios supply chain RAT
delivery chain. The malicious VBScript dropper copies powershell.exe to C:\ProgramData\wt.exe
before executing the stage-2 RAT. wt.exe is the legitimate launcher name (app execution alias)
for Windows Terminal, whose main binary is WindowsTerminal.exe, so the choice is an intentional
naming collision meant to slip past process-name-based EDR heuristics. The renamed binary is
invoked with -w hidden and -ep bypass to suppress the console window and sidestep the execution
policy. A PowerShell binary has no legitimate reason to run from ProgramData; a PowerShell
binary carrying the Windows Terminal name is a strong indicator of compromise.
reference:
- https://www.huntress.com/blog/supply-chain-compromise-axios-npm-package
- https://attack.mitre.org/techniques/T1036/003/
labels:
- attack.defense_evasion
- attack.t1036.003
- attack.t1059.001
- axios
- supply_chain
- masquerading
- wt.exe
logsource:
category: process_creation
product: windows
detection:
selection_wt_from_programdata:
Image|contains: '\ProgramData\'
Image|endswith: '\wt.exe'
selection_ps_args:
CommandLine|contains:
- '-ep bypass'
- '-ExecutionPolicy bypass'
- '-ExecutionPolicy Bypass'
- '-w hidden'
- '-WindowStyle Hidden'
- '-file '
- '-EncodedCommand'
filter_legitimate_wt:
# Redundant with the \ProgramData\ test above (neither prefix can contain it); kept as a
# guard in case that test is ever loosened. The per-user app execution alias also lives
# under %LOCALAPPDATA%\Microsoft\WindowsApps\.
Image|startswith:
- 'C:\Program Files\WindowsApps\'
- 'C:\Windows\System32\'
condition: selection_wt_from_programdata and selection_ps_args and not filter_legitimate_wt
criticality: Critical
saveasthreat: true
violation_summary:
grouping_attribute: 'accountname'
level2_attribute: 'devicehostname'
level2_metadata_attributes:
TECHNICAL DETAILS:
The renamed binary executes the stage-2 PowerShell RAT as:
C:\ProgramData\wt.exe -w hidden -ep bypass -file %TEMP%\6202033.ps1
After execution, 6202033.ps1 deletes itself, leaving only wt.exe and system.bat.
The Huntress SOC analyst Chad Hudson identified this technique during triage:
"wt.exe is just Windows Terminal — being used as a PowerShell bypass."
Persistence created by the stage-2 RAT:
File: C:\ProgramData\system.bat (hidden, download cradle re-fetching RAT on login)
RegKey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate → system.bat
Artifact to hunt:
dir C:\ProgramData\wt.exe
If found, treat the host as compromised. Do NOT clean in place; rebuild from a known-good image.
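As an added example (not code from the original analytic or from Huntress), the following Python re-implements the selection, filter and condition of the detection block as plain functions, runs them over constructed process-creation events, and then adds the host-level check that the artifact hunt above calls for: a hash comparison confirming that C:\ProgramData\wt.exe is a byte-for-byte copy of powershell.exe, plus the system.bat and Run key checks. The sample events, the expanded %TEMP% path and the default System32 powershell.exe location are assumptions; Sigma-style string modifiers are treated as case-insensitive, as Sigma defines them.

```python
"""Added example, not part of the analytic or the Huntress write-up. Sample events
and paths are constructed; artifact names come from TECHNICAL DETAILS above."""
import hashlib
from pathlib import Path

# CommandLine substrings from selection_ps_args. Sigma contains/endswith/startswith
# are case-insensitive, so every comparison below is done on lowercased strings.
PS_ARG_MARKERS = ("-ep bypass", "-executionpolicy bypass", "-w hidden",
                  "-windowstyle hidden", "-file ", "-encodedcommand")
# Known-good Windows Terminal locations from filter_legitimate_wt.
LEGIT_WT_PREFIXES = ("c:\\program files\\windowsapps\\", "c:\\windows\\system32\\")


def selection_wt_from_programdata(event):
    image = event.get("Image", "").lower()
    return "\\programdata\\" in image and image.endswith("\\wt.exe")


def selection_ps_args(event):
    cmd = event.get("CommandLine", "").lower()
    return any(marker in cmd for marker in PS_ARG_MARKERS)


def filter_legitimate_wt(event):
    return event.get("Image", "").lower().startswith(LEGIT_WT_PREFIXES)


def matches(event):
    """condition: selection_wt_from_programdata and selection_ps_args and not filter_legitimate_wt"""
    return (selection_wt_from_programdata(event)
            and selection_ps_args(event)
            and not filter_legitimate_wt(event))


# Constructed process_creation events (not real telemetry); %TEMP% shown expanded.
SAMPLE_EVENTS = [
    {"id": "rat-stage2", "Image": r"C:\ProgramData\wt.exe",
     "CommandLine": r"C:\ProgramData\wt.exe -w hidden -ep bypass -file C:\Users\alice\AppData\Local\Temp\6202033.ps1"},
    {"id": "rat-encoded-mixed-case", "Image": r"C:\PROGRAMDATA\WT.EXE",  # same masquerade, other flags
     "CommandLine": r"C:\PROGRAMDATA\WT.EXE -NoP -EncodedCommand SQBFAFgA"},
    {"id": "legit-windows-terminal",  # constructed package path; real Windows Terminal launch
     "Image": r"C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.0.0.0_x64__8wekyb3d8bbwe\wt.exe",
     "CommandLine": r'"C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.0.0.0_x64__8wekyb3d8bbwe\wt.exe" -w 0 nt'},
    {"id": "powershell-system32-bypass",  # noisy elsewhere, but out of scope for this analytic
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ep bypass -file C:\Scripts\deploy.ps1"},
    {"id": "wt-programdata-no-args",  # coverage gap: renamed binary launched without flags
     "Image": r"C:\ProgramData\wt.exe", "CommandLine": r"C:\ProgramData\wt.exe"},
]


def evaluate(events=SAMPLE_EVENTS):
    """Ids of the events the analytic would fire on."""
    return [e["id"] for e in events if matches(e)]


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def is_copy_of(candidate, reference):
    """The dropper copies powershell.exe unchanged, so a hash match with the System32
    binary confirms the masquerade rather than some unrelated file named wt.exe."""
    candidate, reference = Path(candidate), Path(reference)
    if not (candidate.is_file() and reference.is_file()):
        return False
    return sha256_of(candidate) == sha256_of(reference)


def run_key_points_to_system_bat():
    r"""HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate -> system.bat.
    Returns None when not running on Windows (no winreg module)."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                            r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
            value, _ = winreg.QueryValueEx(key, "MicrosoftUpdate")
    except FileNotFoundError:
        return False
    return "system.bat" in str(value).lower()


def hunt(programdata=Path(r"C:\ProgramData"),
         powershell=Path(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe")):
    """Host-level check for the artifacts listed in TECHNICAL DETAILS (paths overridable for testing)."""
    wt = programdata / "wt.exe"
    findings = {
        "wt_exe_present": wt.is_file(),
        "wt_exe_is_powershell_copy": is_copy_of(wt, powershell),
        "system_bat_present": (programdata / "system.bat").is_file(),
        "run_key_microsoftupdate": run_key_points_to_system_bat(),
    }
    findings["compromised"] = (findings["wt_exe_present"] or findings["system_bat_present"]
                               or bool(findings["run_key_microsoftupdate"]))
    return findings


if __name__ == "__main__":
    print("analytic fires on:", evaluate())
    print(hunt())
```

Note the last sample event: a renamed powershell.exe launched with no arguments satisfies the path test but not selection_ps_args, so the analytic stays quiet. That is why the file hunt (hunt()) matters alongside the process-creation rule, and why the hash comparison is worth doing before rebuilding a host on the strength of a filename alone.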
Policy building walkthrough can be found in this previous post:
