CYBER MONGOL
  • Our Journey
  • Counter Cyber Intelligence
  • ASATA
  • Human-Machine Teaming
  • Operator Research
  • Offensive Intelligence
  • Our Journey
  • Counter Cyber Intelligence
  • ASATA
  • Human-Machine Teaming
  • Operator Research
  • Offensive Intelligence
Search by typing & pressing enter

YOUR CART

3/8/2021

Hiding Persistence in the WMI Repository & “C:\Windows\System32\spool\drivers\color Folder

In this scenario, we are working with a customer’s EDR independent of any Microsoft native or Microsoft cloud delivered security technologies. We are assuming initial access has taken place, accompanied with a download event to “C:\Windows\System32\spool\drivers\color” folder, which only requires regular user access to write to. First to fire is MS-printcolor.exe (UAC bypass) which hands execution to colorconf.cmd (batch file) that executes with high integrity. The batch file fires mofcomf.exe which registers a persistent WMI event subscription (colorwheel.mof), finally executing a SYSTEM level C2 channel anytime the WinStore.App.exe process is executed. Any day with WMI is a fun day!



#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam

Comments are closed.

    Archives

    April 2021
    March 2021
    February 2021
    January 2021
    September 2020
    August 2020
    July 2020

    Categories

    All

    RSS Feed

contact us:
© COPYRIGHT 2015. ALL RIGHTS RESERVED.