
The Wizard of X – Oppa PlugX style, Part 2

January 24, 2020 in Compromise Detection, Living off the land, LOLBins

Every once in a while I come back to have a second look at some stuff from the past. Today I had a quick look at xwizards.dll, which I wrote about before, and noticed that I forgot to mention one more thing.

The exported function RunWizard takes a GUID as input. If you register a DLL under a CLSID of your choice, you can load that DLL via xwizard.exe, e.g.:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID]
"CLBVersion"=dword:00000012

[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}]
@="foobar"

[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32]
@="C:\\test\\test.dll"
"ThreadingModel"="Both"

will register C:\test\test.dll under the CLSID {11111111-1111-1111-1111-111111111111}. Note that HKEY_CLASSES_ROOT is a merged view of HKLM\Software\Classes and HKCU\Software\Classes, so the same CLSID can be registered per-user under HKCU without admin rights. All we have to do now is run:

  • xwizard RunWizard {11111111-1111-1111-1111-111111111111}
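The technique above is easy to hunt for: the command line is distinctive (xwizard.exe, RunWizard, a CLSID), and the CLSID resolves through InprocServer32 to a DLL that, for a planted one, lives outside the Windows directory. The following is an added example, not code from the original post: it parses a .reg export like the one above into a CLSID-to-DLL map, then scans constructed, Sysmon-style process-creation lines for xwizard RunWizard invocations and flags those whose DLL is not under System32/SysWOW64 (or whose CLSID is not registered at all). The second CLSID, the legit.dll path and the log lines are constructed for illustration; the list of trusted directories is a deliberately simple assumption and would need to match your environment.

```python
"""Added example: hunt for xwizard.exe RunWizard being used to load a DLL
registered under an attacker-chosen CLSID.

Constructed inputs below (not real telemetry): a .reg snapshot mirroring the
post, plus a made-up benign CLSID, and three Sysmon-style command lines.
"""
import re

# Constructed .reg snapshot: the post's entry plus a made-up legitimate one.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}]
@="foobar"

[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32]
@="C:\\test\\test.dll"
"ThreadingModel"="Both"

[HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-222222222222}\InprocServer32]
@="C:\\Windows\\System32\\legit.dll"
"""

# Constructed process-creation log lines (CommandLine field only).
LOG_LINES = [
    "CommandLine=xwizard RunWizard {11111111-1111-1111-1111-111111111111}",
    "CommandLine=C:\\Windows\\System32\\xwizard.exe RunWizard {22222222-2222-2222-2222-222222222222}",
    "CommandLine=notepad.exe C:\\notes.txt",
]

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
INPROC_KEY_RE = re.compile(r"^\[HKEY_CLASSES_ROOT\\CLSID\\(" + GUID + r")\\InprocServer32\]$")
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"$')
XWIZARD_RE = re.compile(r"\bxwizard(?:\.exe)?\s+RunWizard\s+(" + GUID + r")", re.IGNORECASE)

# Assumed trusted locations for COM servers; adjust for your environment.
TRUSTED_DIRS = ("C:\\WINDOWS\\SYSTEM32\\", "C:\\WINDOWS\\SYSWOW64\\")


def parse_inproc_servers(reg_text):
    """Map CLSID -> InprocServer32 default value from a .reg export."""
    servers = {}
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = INPROC_KEY_RE.match(line)
            # Only track InprocServer32 subkeys; anything else resets the context.
            current = m.group(1).upper() if m else None
            continue
        if current:
            m = DEFAULT_VALUE_RE.match(line)
            if m:
                # .reg files escape backslashes as "\\".
                servers[current] = m.group(1).replace("\\\\", "\\")
    return servers


def is_trusted_dll_path(path):
    """True if the DLL lives in one of the assumed trusted directories."""
    return path.upper().startswith(TRUSTED_DIRS)


def hunt(log_lines, servers):
    """Return (command_line, clsid, dll_path_or_None, suspicious) per xwizard RunWizard hit."""
    hits = []
    for line in log_lines:
        m = XWIZARD_RE.search(line)
        if not m:
            continue
        clsid = m.group(1).upper()
        dll = servers.get(clsid)
        # Unregistered CLSID: the load fails, but the attempt is still worth a look.
        suspicious = dll is None or not is_trusted_dll_path(dll)
        hits.append((line, clsid, dll, suspicious))
    return hits


if __name__ == "__main__":
    for cmd, clsid, dll, bad in hunt(LOG_LINES, parse_inproc_servers(REG_EXPORT)):
        print("SUSPICIOUS" if bad else "ok        ", clsid, dll, "|", cmd)
```

On a live host the map would come from reading HKCR\CLSID (or, more usefully, both HKLM and HKCU views of Software\Classes\CLSID) rather than from a .reg file, and the command lines from your EDR or Sysmon event 1; the matching logic stays the same.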

Mindmap software as an attack vector

November 19, 2019 in Compromise Detection, Incident Response, Malware Analysis

Looks like mindmap software could be used to deliver bad stuff; user interaction is still required, but it could be an interesting attack vector, especially since it's a popular type of software in a corporate environment:

  • Xmind

  • FreeMind

  • MindView

  • MindManager

The last one (MindManager) also allows attaching actual binary files, but an attempt to launch one ends with the following dialog box: