CYBER MONGOL
  • ASATA
  • Our Journey
  • Intelligence Engine
  • Human-Machine Teaming
  • Operator Research
  • Achievements and Media
  • Counter Intelligence
  • ASATA
  • Our Journey
  • Intelligence Engine
  • Human-Machine Teaming
  • Operator Research
  • Achievements and Media
  • Counter Intelligence
Search by typing & pressing enter

YOUR CART

4/13/2021

C# Dropper: Attack Chain Fully Executed + Detailed Blue Perspective

*C# Dropper: Attack Chain Fully Executed + Detailed Blue Perspective of the Attack Timeline (MDE BlockMode Auto Investigations)* We got the dropper almost there with only one detection on the UAC bypass which MDE wrongly classified as blocked. This itself was a bit of a battle as MDE completely blocks the stock UAC bypass from executing. The incident starts with the dropper assessing the executing process’s SID and escalating if not Administrator, dropping files to disk via ngrok (https), injecting shellcode for the first C2 callback in high integrity and then installing WMI persistence with ProcessStartTrace on WinStore.app.exe, which injects shellcode and calls back to the C2 as SYSTEM, every time the Windows store is launched. We modified and utilized the commoditized tooling found below (unmodified versions).
 
0xyg3n/UAC_Exploit: https://github.com/0xyg3n/UAC_Exploit
 
EDRGoesBrrr: https://github.com/NVISOsecurity/brown-bags/tree/main/DInvoke%20to%20defeat%20EDRs/DemoDInvokeLoader
 
donut: https://github.com/TheWover/donut
 
Covenant: https://github.com/cobbr/Covenant
 
#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam

Comments are closed.

    Archives

    December 2021
    November 2021
    October 2021
    July 2021
    June 2021
    May 2021
    April 2021
    March 2021
    February 2021
    January 2021
    September 2020
    August 2020
    July 2020

    Categories

    All

    RSS Feed

contact us:
© COPYRIGHT 2015. ALL RIGHTS RESERVED.