Sensors ingested an interesting initial access chain that loads a DLL from VBA. The chain then executes through WMI, so the payload ends up as a child of svchost.exe rather than of WINWORD.EXE, which gives a much more opsec-friendly parent-child relationship: detections keyed on an Office process spawning a child never see it. I am looking at expanding my research by developing a macro that will covertly inject into a process and establish a C2 implant connection. This repo was useful for brainstorming that macro.
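The detection-side counterpart of the chain described above, as an added example (not code from the post or from the mobdk/VBA-DLL-WMI-EXECUTION repo): because the WMI-spawned child is not a descendant of WINWORD.EXE, a plain "Office spawned a process" rule misses it, so the example correlates an Office DLL load from a user-writable path with a later process start under svchost.exe or WmiPrvSE.exe for the same user inside a time window. The pipe-delimited, Sysmon-like log format, the sample events and the 60-second window are constructed assumptions for the example.

```python
"""Correlate an Office DLL load with a later WMI/service-host child process.

Added example, not code from the post or the mobdk/VBA-DLL-WMI-EXECUTION repo.
Constructed, Sysmon-like pipe-delimited input:
    timestamp|event_id|user|image|detail
event_id 7 = image load (detail = loaded DLL), event_id 1 = process create
(detail = parent image). Field layout and the window are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# The post's point: the child hangs off a service host, not off WINWORD.EXE.
# WmiPrvSE.exe is included as the WMI provider host.
WMI_PARENTS = {"svchost.exe", "wmiprvse.exe"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
WINDOW = timedelta(seconds=60)  # assumed correlation window


@dataclass
class Event:
    ts: datetime
    event_id: int
    user: str
    image: str
    detail: str  # loaded DLL for ID 7, parent image for ID 1


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse(line: str) -> Event:
    ts, eid, user, image, detail = line.strip().split("|", 4)
    return Event(datetime.fromisoformat(ts), int(eid), user, image, detail)


def suspicious_loads(events):
    """ID 7 events where an Office process loads a DLL from a user-writable path."""
    return [
        e for e in events
        if e.event_id == 7
        and basename(e.image) in OFFICE_IMAGES
        and any(p in e.detail.lower() for p in USER_WRITABLE)
    ]


def correlate(events, window=WINDOW):
    """Return (user, child, parent, dll) for each process start under a WMI or
    service-host parent that follows a suspicious Office DLL load by the same
    user within `window`."""
    loads = suspicious_loads(events)
    hits = []
    for e in events:
        if e.event_id != 1 or basename(e.detail) not in WMI_PARENTS:
            continue
        for ld in loads:
            if ld.user == e.user and timedelta(0) <= e.ts - ld.ts <= window:
                hits.append((e.user, basename(e.image), basename(e.detail), ld.detail))
                break
    return hits


# Constructed sample log. Only alice's cmd.exe should fire: bob has no Office
# DLL load, alice's later powershell start is outside the window, and notepad
# under explorer.exe is a normal parent.
SAMPLE_LOG = """\
2024-05-01T10:00:01|7|CORP\\alice|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|C:\\Windows\\System32\\kernel32.dll
2024-05-01T10:00:05|7|CORP\\alice|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|C:\\Users\\alice\\AppData\\Local\\Temp\\shell.dll
2024-05-01T10:00:09|1|CORP\\alice|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\svchost.exe
2024-05-01T10:00:30|1|CORP\\bob|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\wbem\\WmiPrvSE.exe
2024-05-01T10:05:00|1|CORP\\alice|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|C:\\Windows\\System32\\wbem\\WmiPrvSE.exe
2024-05-01T10:20:00|1|CORP\\alice|C:\\Windows\\System32\\notepad.exe|C:\\Windows\\explorer.exe
"""


def detect(log_text: str = SAMPLE_LOG):
    return correlate([parse(l) for l in log_text.splitlines() if l.strip()])


if __name__ == "__main__":
    for hit in detect():
        print("ALERT: user=%s child=%s parent=%s dll=%s" % hit)
```

Children of svchost.exe and WmiPrvSE.exe are routine on a busy host (services, scheduled tasks, management agents), which is why the rule does not fire on the parent alone; the Office-loads-a-DLL-from-%TEMP% event within the window is what makes the pair worth an alert.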
Repo: https://github.com/mobdk/VBA-DLL-WMI-EXECUTION (shell.cpp on master)
Video demo: https://www.youtube.com/watch?v=0dEMQ_Iht98
#cyberthreatintelligence #infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam