CYBER MONGOL
1/22/2021

Initial Access Chain: VBA-DLL-WMI-EXECUTION

Sensors ingested an interesting initial access chain that leverages a DLL load from a VBA macro. The DLL then uses WMI to create the payload process, so the new process ends up as a child of svchost.exe rather than WINWORD.EXE, a much more opsec-friendly parent-child relationship: detections keyed on an Office process spawning children never see the payload, and the link back to the document has to be recovered from the DLL load or the WMI activity instead. I am looking at expanding my research by developing a macro that will covertly inject into a process and establish a C2 implant connection. This was an interesting repo to help with the brainstorming for that macro.
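Added example (my own, not code from the post or from the mobdk repo): the WMI half of the chain in PowerShell. It uses Win32_Process.Create, the standard WMI method for launching a process and the one I assume the repo's DLL calls from C++, to spawn a harmless placeholder (notepad.exe, my choice) and then walks the new process's parent chain so you can see for yourself which process appears as the parent. In my experience that is the WMI provider host, WmiPrvSE.exe, which itself sits under svchost.exe; either way the calling process never shows up in the chain, which is the whole point of the technique. Run it on a Windows host in a normal PowerShell session.

```powershell
# Added example, not part of the mobdk repo. Spawn a process through WMI and
# then walk its parent chain to show why a WMI-spawned child does not hang
# off the process that requested it (WINWORD.EXE in the real chain).

$commandLine = 'notepad.exe'   # assumption: harmless placeholder payload

# Win32_Process.Create returns ReturnValue (0 on success) and the new ProcessId.
$result = Invoke-CimMethod -ClassName Win32_Process -MethodName Create `
            -Arguments @{ CommandLine = $commandLine }

if ($result.ReturnValue -ne 0) {
    throw "Win32_Process.Create failed with return code $($result.ReturnValue)"
}

# Walk up from a PID until we hit a process with no parent or a missing
# parent. The depth cap guards against PID reuse making the chain loop.
function Get-ParentChain {
    param([int]$ProcessId, [int]$MaxDepth = 16)

    $chain = @()
    $cursor = $ProcessId        # not named $pid: that is an automatic variable
    for ($depth = 0; $depth -lt $MaxDepth -and $cursor -ne 0; $depth++) {
        $proc = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $cursor"
        if (-not $proc) { break }
        $chain += [pscustomobject]@{
            ProcessId       = $proc.ProcessId
            Name            = $proc.Name
            ParentProcessId = $proc.ParentProcessId
        }
        $cursor = $proc.ParentProcessId
    }
    return $chain
}

# Spawned process first, then its parent, grandparent, and so on.
$chain = Get-ParentChain -ProcessId $result.ProcessId
$chain | Format-Table -AutoSize

# The caller (this PowerShell session) should be absent from the chain,
# because the WMI provider host issued the CreateProcess call on its behalf.
$callerInChain = $chain.ProcessId -contains $PID
"Caller PID $PID ($((Get-Process -Id $PID).ProcessName)) appears in the chain: $callerInChain"
```

On the blue side the same two queries are the check worth automating: a child of WmiPrvSE.exe that appeared shortly after WINWORD.EXE loaded an unsigned DLL from a user-writable path is the artifact this chain leaves behind, and it is invisible to any rule that only looks for Office processes with unusual children.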
 
Repo:
VBA-DLL-WMI-EXECUTION/shell.cpp at master · mobdk/VBA-DLL-WMI-EXECUTION (github.com)
 
Video Demo:
https://www.youtube.com/watch?v=0dEMQ_Iht98
 
#cyberthreatintelligence #infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam