CYBER MONGOL
  • ASATA
  • Our Journey
  • Intelligence Engine
  • Human-Machine Teaming
  • Operator Research
  • Achievements and Media
  • Counter Intelligence
  • ASATA
  • Our Journey
  • Intelligence Engine
  • Human-Machine Teaming
  • Operator Research
  • Achievements and Media
  • Counter Intelligence
Search by typing & pressing enter

YOUR CART

3/8/2021

Hiding Persistence in the WMI Repository & “C:\Windows\System32\spool\drivers\color Folder

In this scenario, we are working with a customer’s EDR independent of any Microsoft native or Microsoft cloud delivered security technologies. We are assuming initial access has taken place, accompanied with a download event to “C:\Windows\System32\spool\drivers\color” folder, which only requires regular user access to write to. First to fire is MS-printcolor.exe (UAC bypass) which hands execution to colorconf.cmd (batch file) that executes with high integrity. The batch file fires mofcomf.exe which registers a persistent WMI event subscription (colorwheel.mof), finally executing a SYSTEM level C2 channel anytime the WinStore.App.exe process is executed. Any day with WMI is a fun day!



#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam

Comments are closed.

    Archives

    December 2021
    November 2021
    October 2021
    July 2021
    June 2021
    May 2021
    April 2021
    March 2021
    February 2021
    January 2021
    September 2020
    August 2020
    July 2020

    Categories

    All

    RSS Feed

contact us:
© COPYRIGHT 2015. ALL RIGHTS RESERVED.