CYBER MONGOL
  • Our Journey
  • ASATA
  • Human-Machine Teaming
  • Operator Research
  • Offensive Intelligence
  • Our Journey
  • ASATA
  • Human-Machine Teaming
  • Operator Research
  • Offensive Intelligence
Search by typing & pressing enter

YOUR CART

2/18/2021

PE Injectionx64

Migrator.exe -->CreateProcess CMD.exe<--Fibs.exe<-- InjectShellcode-->C2 Callback
 
Sensors picked up a new PEx64 injector that maps an .exe into the memory space of a legitimate process. We had some problems getting it working with our shellcode injector which injects a Covenant C2 Grunt into itself but managed to get it working with the system binary cmd.exe. While providing better OpSec when compared to spawning a random process with a sketchy location path, a better legitimate process can be found (cmd made network connection to xxx.xxx.x.x – not great). No Detections on the MDE stack (BlockMode Auto-Remediation Group). We will share the resources we used for this attack after some upcoming client work.
 
PE-Injection Info (MITER): https://attack.mitre.org/techniques/T1055/002/
 
#cyberthreatintelligence #infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam 

Comments are closed.

    Archives

    February 2021
    January 2021
    September 2020
    August 2020
    July 2020

    Categories

    All

    RSS Feed

contact us:
© COPYRIGHT 2015. ALL RIGHTS RESERVED.