Method 1 - WMI
MACRO invoking WMI to create a new process, which changes the execution flow from for instance winword.exe spawning cmd.exe to wmiprvse.exe spawning cmd.exe (winword.exe spawning nothing, thus bypassing standard detection rules):
During macro execution, winword.exe will load 4 WMI related modules, which is not very common and can be used to detect this technique:
- C:\Windows\System32\wbem\wmiutils.dll
- C:\Windows\System32\wbemcomn.dll
- C:\Windows\System32\wbem\wbemdisp.dll
- C:\Windows\System32\wbem\fastprox.dll
Detection with CBR EDR:
Method 2: ShellBrowserWindow / ShellBrowser COM Objects
Macro code making use of the following COM objects:
- ShellWindows (ClsID = {9BA05972-F6A8-11CF-A442-00A0C90A8F39})
- ShellBrowserWindow (ClsID = {c08afd90-f2a1-11d1-8455-00a0c91f3880})
After macro execution, it's explorer.exe that will launch/spawn cmd.exe, which is extremely difficult to spot using regular detection [winword.exe spawned powershell.exe or cmd.exe or cscript etc.]
After the COM call, svchost.exe hosting the DCOMLaunch service will spawn an instance of rundll32.exe with the command line attribute referring to ShellBrowserWindows CLSID:
We can use the above traces, to create an EDR or sysmon detection rule:
CBR:
process_name:rundll32.exe and (cmdline:*9BA05972\-F6A8\-11CF\-A442\-00A0C90A8F39* or cmdline:*c08afd90\-f2a1\-11d1\-8455\-00a0c91f3880*) and parent_name:svchost.exe
I guess I am the only one who comes here to share my very own experience guess what? I am using my laptop for almost the post 2 years.
ReplyDeleteKutools for Word Crack
AVS Audio Editor Crack
Muvizu Play Crack
Betternet VPN Premium Crack
After reviewing numerous blog posts on the site,
ReplyDeleteWe really appreciate how your blog works.
We've added it to your list of favorite sites, and we'll review it soon.
Future. Also, check out my website and let us know what you think.
You have done a great job. I appreciate your work, thank you for sharing.
CrackBins Full Version Softwares Free Download
Kutools for Word Crack
After reviewing some of the ads on your site,
ReplyDeleteWe really appreciate the way you write your blog.
We've added it to our Bookmarks website list and we'll check back soon.
Future. Also., check out my website and let us know what you think.
You did a good job and worked hard. I appreciate your work, thanks for sharing.
crackbins Full Version Softwares Free Download
Kutools for Word Crack
I guess I am the only one who came here to share my very own experience. Guess what!? I am using my laptop for almost the past 6 years, but I had no idea of solving some basic issues. I do not know how to Download Cracked Pro Softwares But thankfully, I recently visited a website named PCexe.org
ReplyDeleteAll Pro Cracked Softwares Download
Betternet VPN Premium Crack
PUBG PC Free Download Crack
Letasoft Sound Booster Crack
Latest Wondershare Recoverit Crack
IDM Crack
You'll see big lit-up signs displaying "5¢" or "25¢" or "1¢." If the on line casino is a maze , simply grab 까모벳 a waitress or attendant to be pointed in the best direction. High restrict slots, often $5 and better, are positioned in separate rooms or 'salons', with their own attendants and cashiers. Typical slot machines have solely appeared in the backdrop of Neon Town in The Song of Jigglypuff. There, one slot machine was proven to stop on two Vulpix symbols after which a Psyduck image. Slot machines in the Generation I games and Pokémon FireRed and LeafGreen consist simply of inserting coins and stopping the reels with the A button. All the slot machines on this list are hosted on licensed platforms and are certified by third-party unbiased authorities.
ReplyDelete