CYBER MONGOL
3/23/2021

Dropper to DLL Injection: Red / Blue

This is part of a larger attack chain that I am building out and wanted to share along the way. As usual, the simulation begins right after an initial access event has transpired but before execution of the dropper. The dropper (requirements.cmd) starts the rdpclip.exe process in case it is not already running and parses out that process's PID; setup.exe then injects a DLL (a Covenant C2 grunt) into rdpclip.exe, and that process reaches out to the C2. I'm planning to add to this: some PrivEsc, impairing defenses, persistence and an obfuscated C2 infrastructure.
 
Microsoft Defender for Endpoint (EDR + Block Mode + Automated Investigations) vs. Dropper -> Start rdpclip.exe -> Find PID -> DLL Injection (Implant (Medium)) -> rdpclip.exe -> Covenant C2 == Zero alerts, but there is always evidence... let's have a look.
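As an added illustration of the "there is always evidence" point (this is not code from the original post), the following Python correlates constructed Sysmon-style events into the chain described above: rdpclip.exe started by an unexpected parent, a remote thread created in it, and a network connection made from it. The event ids are Sysmon's; the expected-parent list (svchost.exe) and every sample PID, path and address are assumptions made up for the example.

```python
"""Correlate Sysmon-style events into the chain described above:
dropper -> rdpclip.exe start -> remote thread into rdpclip.exe -> rdpclip.exe beacons out."""

# Constructed sample telemetry (not real logs). Event ids follow Sysmon:
# 1 = ProcessCreate, 8 = CreateRemoteThread, 3 = NetworkConnect.
# PIDs, paths and the destination address are placeholders.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4100, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 4212, "image": r"C:\Windows\System32\rdpclip.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"id": 1, "pid": 4300, "image": r"C:\Users\user\Downloads\setup.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"id": 8, "source_pid": 4300, "source_image": r"C:\Users\user\Downloads\setup.exe",
     "target_pid": 4212, "target_image": r"C:\Windows\System32\rdpclip.exe"},
    {"id": 3, "pid": 4212, "image": r"C:\Windows\System32\rdpclip.exe",
     "dest_ip": "203.0.113.10", "dest_port": 443},
    # Benign rdpclip.exe from an ordinary RDP session: expected parent, no injection, no beacon.
    {"id": 1, "pid": 5000, "image": r"C:\Windows\System32\rdpclip.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe"},
]

# Assumption: in a normal RDP session rdpclip.exe is spawned by svchost.exe; anything else is unusual.
EXPECTED_PARENTS = {"svchost.exe"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def correlate(events, target="rdpclip.exe"):
    """Return one finding per target PID that received a remote thread, with the stages seen."""
    unusual_parent, injector, beacon = {}, {}, {}
    for ev in events:
        if (ev["id"] == 1 and basename(ev["image"]) == target
                and basename(ev["parent_image"]) not in EXPECTED_PARENTS):
            unusual_parent[ev["pid"]] = ev["parent_image"]
        elif ev["id"] == 8 and basename(ev["target_image"]) == target:
            injector[ev["target_pid"]] = ev["source_image"]
        elif ev["id"] == 3 and basename(ev["image"]) == target:
            beacon[ev["pid"]] = (ev["dest_ip"], ev["dest_port"])
    findings = []
    for pid, source in injector.items():  # the remote thread is the anchor event for the chain
        stages = {"unusual_parent": unusual_parent.get(pid),
                  "injector": source, "beacon": beacon.get(pid)}
        findings.append({"pid": pid, "score": sum(v is not None for v in stages.values()), **stages})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

The benign rdpclip.exe (PID 5000) produces no finding because no remote thread targeted it; on the injected one all three stages line up, which is the evidence an EDR that raised no alert still leaves in process and network telemetry.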
 

 