You are browsing the archive for Compromise Detection.

The Wizard of X – Oppa PlugX style, Part 2

January 24, 2020 in Compromise Detection, Living off the land, LOLBins

Every once in a while I come back to have a second look at some stuff from the past. Today I had a quick look at xwizards.dll that I wrote about before and noticed that I forgot to mention one more thing.

The exported function RunWizard takes GUID as an input. If you register a DLL under a GUID of your choice you can load the DLL via xwizard.exe e.g.:

Windows Registry Editor Version 5.00




will register c:\test\test.dll under {11111111-1111-1111-1111-111111111111} GUID. All we have to do now is run:

  • xwizard RunWizard {11111111-1111-1111-1111-111111111111}

Mindmap software as an attack vector

November 19, 2019 in Compromise Detection, Incident Response, Malware Analysis

Looks like mindmap software could be used to deliver bad stuff; interaction is still required, but could be an interesting attack vector especially that it’s a popular type of software in a corp. environment:





The latter allows attaching actual binary files as well, but an attempt to launch them will end up with the following dialog box shown: