2/18/2021

PE Injection

x64Migrator.exe --> CreateProcess CMD.exe <-- Fibs.exe <-- InjectShellcode --> C2 Callback
Sensors picked up a new PE x64 injector that maps an .exe into the memory space of a legitimate process. We had some problems getting it working with our shellcode injector, which injects a Covenant C2 Grunt into itself, but managed to get it working with the system binary cmd.exe. While this provides better OpSec compared to spawning a random process from a sketchy location path, a better legitimate process can be found (cmd made a network connection to xxx.xxx.x.x – not great). No detections on the MDE stack (BlockMode Auto-Remediation Group). We will share the resources we used for this attack after some upcoming client work.

PE Injection info (MITRE): https://attack.mitre.org/techniques/T1055/002/

#cyberthreatintelligence #infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam