In this scenario, we are working with a customer's EDR independent of any Microsoft native or Microsoft cloud-delivered security technologies. We are assuming initial access has already taken place, accompanied by a download event into the "C:\Windows\System32\spool\drivers\color" folder, a system directory that only requires regular user access to write to. First to fire is MS-printcolor.exe (UAC bypass), which hands execution to colorconf.cmd (batch file), which then runs with high integrity. The batch file fires mofcomf.exe, which registers a persistent WMI event subscription (colorwheel.mof), finally executing a SYSTEM-level C2 channel any time the WinStore.App.exe process is executed. Any day with WMI is a fun day!
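The chain above leaves a distinctive trail in endpoint telemetry: a binary dropped into a user-writable system directory, a High-integrity child directly under a Medium-integrity parent (consented UAC elevation is launched by the AppInfo service, so a legitimately elevated process hangs off svchost.exe rather than the requesting process), mofcomp.exe compiling a MOF from that directory, and a WMI filter bound to a CommandLineEventConsumer. The following is an added detection example, not code from the post or from the customer's EDR; it runs over constructed Sysmon-style JSON log lines (event IDs 1, 11 and 19/20/21), and the process names, PIDs, users and WMI object names are made up for illustration.

```python
"""Detection rules for a drop -> UAC bypass -> mofcomp -> WMI-subscription chain,
run over constructed Sysmon-style JSON log lines (added example, log content is invented)."""
import json

# System-owned directories that a standard user can still write to: the post's
# spool\drivers\color path plus two well-known siblings (assumed list, extend as needed).
USER_WRITABLE_SYSTEM_DIRS = (
    r"c:\windows\system32\spool\drivers\color",
    r"c:\windows\tasks",
    r"c:\windows\temp",
)
SCRIPT_OR_BINARY = (".exe", ".dll", ".cmd", ".bat", ".ps1", ".mof")
INTEGRITY_RANK = {"low": 0, "medium": 1, "high": 2, "system": 3}
CHAIN = (
    "executable_dropped_in_user_writable_system_dir",
    "execution_from_user_writable_system_dir",
    "integrity_elevation_without_consent",
    "mof_compiled_from_user_writable_dir",
    "wmi_persistence_binding",
)

# Constructed telemetry: one JSON object per line, modelled on Sysmon event IDs
# 1 (process create), 11 (file create) and 19/20/21 (WMI filter/consumer/binding).
SAMPLE_LOG = r"""
{"id": 11, "image": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Edge\\msedge.exe", "target": "C:\\Windows\\System32\\spool\\drivers\\color\\MS-printcolor.exe"}
{"id": 1, "pid": 4100, "ppid": 3000, "image": "C:\\Windows\\System32\\spool\\drivers\\color\\MS-printcolor.exe", "cmdline": "MS-printcolor.exe", "integrity": "Medium", "user": "CORP\\alice"}
{"id": 1, "pid": 4200, "ppid": 4100, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c C:\\Windows\\System32\\spool\\drivers\\color\\colorconf.cmd", "integrity": "High", "user": "CORP\\alice"}
{"id": 1, "pid": 4300, "ppid": 4200, "image": "C:\\Windows\\System32\\wbem\\mofcomp.exe", "cmdline": "mofcomp.exe C:\\Windows\\System32\\spool\\drivers\\color\\colorwheel.mof", "integrity": "High", "user": "CORP\\alice"}
{"id": 19, "name": "ColorWheelFilter", "query": "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_Process'"}
{"id": 20, "name": "ColorWheelConsumer", "type": "CommandLineEventConsumer"}
{"id": 21, "filter": "ColorWheelFilter", "consumer": "ColorWheelConsumer"}
{"id": 1, "pid": 5000, "ppid": 800, "image": "C:\\Program Files\\Git\\bin\\git.exe", "cmdline": "git status", "integrity": "Medium", "user": "CORP\\bob"}
"""


def parse_log(text):
    """One JSON event per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def in_user_writable_system_dir(path):
    return path.lower().startswith(USER_WRITABLE_SYSTEM_DIRS)


def mentions_user_writable_system_dir(text):
    lowered = text.lower()
    return any(d in lowered for d in USER_WRITABLE_SYSTEM_DIRS)


def detect(events):
    """Return (rule_name, evidence) tuples; WMI objects are correlated across events."""
    findings, procs, filters, consumers = [], {}, {}, {}
    for e in events:
        eid = e["id"]
        if eid == 11:
            target = e["target"]
            if in_user_writable_system_dir(target) and target.lower().endswith(SCRIPT_OR_BINARY):
                findings.append(("executable_dropped_in_user_writable_system_dir", target))
        elif eid == 1:
            procs[e["pid"]] = e
            image = e["image"]
            if in_user_writable_system_dir(image):
                findings.append(("execution_from_user_writable_system_dir", image))
            parent = procs.get(e["ppid"])
            # Consented elevation is spawned by the AppInfo service (parent svchost.exe),
            # so a higher-integrity child directly under its requester signals a bypass.
            if (parent
                    and INTEGRITY_RANK[parent["integrity"].lower()] < INTEGRITY_RANK[e["integrity"].lower()]
                    and not parent["image"].lower().endswith(r"\svchost.exe")):
                findings.append(("integrity_elevation_without_consent", f"{parent['image']} -> {image}"))
            # mofcomp.exe is the MOF compiler; a MOF sourced from a user-writable dir is the red flag.
            if image.lower().endswith(r"\mofcomp.exe") and mentions_user_writable_system_dir(e.get("cmdline", "")):
                findings.append(("mof_compiled_from_user_writable_dir", e["cmdline"]))
        elif eid == 19:
            filters[e["name"]] = e["query"]
        elif eid == 20:
            consumers[e["name"]] = e["type"]
        elif eid == 21:
            query = filters.get(e["filter"], "").lower()
            ctype = consumers.get(e["consumer"], "")
            # A process-creation trigger bound to a command/script consumer is the persistence primitive.
            if ctype in ("CommandLineEventConsumer", "ActiveScriptEventConsumer") and (
                    "win32_process" in query or "__instance" in query):
                findings.append(("wmi_persistence_binding", f"{e['filter']} -> {e['consumer']} ({ctype})"))
    return findings


def chain_matched(findings):
    """True when every stage of the described chain has fired."""
    kinds = {rule for rule, _ in findings}
    return all(rule in kinds for rule in CHAIN)


if __name__ == "__main__":
    hits = detect(parse_log(SAMPLE_LOG))
    for rule, evidence in hits:
        print(f"{rule}: {evidence}")
    print("full chain matched:", chain_matched(hits))
```

Each rule is useful on its own (the elevation heuristic and the WMI binding rule in particular catch many unrelated intrusions), but `chain_matched` is what turns five medium-confidence alerts into one high-confidence incident; in production the correlation would be keyed on host and a time window rather than on a single log batch.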
#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam