
Running programs via Proxy & jumping on a EDR-bypass trampoline, Part 5

March 15, 2018 in Anti-*, EDR, Living off the land, LOLBins

Update

After I posted it, bohops provided one more variant:

rundll32.exe shdocvw.dll, OpenURL [path to file.url]

Thanks!

Old Post

This is nothing new, but just documenting for the sake of documenting.

It crossed my mind to look for all the DLLs that refer to OpenURL – an API exported by url.dll – which is used to launch URLs (and was the subject of the first part of the series). I quickly discovered that ieframe.dll also exports an identically named function; a quick googling around followed and I noticed it had already been the subject of previous analysis (CVE-2016-3353) – as a result, the vulnerability that allowed remote code execution was patched.

Still, the built-in functionality can be used to launch other programs via a proxy, e.g. using a .url file:

[InternetShortcut]
URL=file:///c:\windows\system32\calc.exe

and running:

rundll32 ieframe.dll, OpenURL <path to local URL file>

will launch the calculator.


Beyond good ol’ Run key, Part 73

March 15, 2018 in Anti-Forensics, Autostart (Persistence), Compromise Detection, EDR, Forensic Analysis, Incident Response, Living off the land

If you have a dvdplay.exe program on your system, you can quickly do two things with it:

  • use it to disturb the process tree
  • leverage the fact that it is a signed binary: add it to any common startup location and achieve a nice, invisible persistence mechanism, possibly bypassing some security solutions (they will just see entries pointing to a signed binary and nothing else)

How?

The dvdplay.exe program is a simple wrapper that actually calls wmplayer.exe. But not the one you would expect.

In order to find the path to wmplayer.exe, it reads the following Registry key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\wmplayer.exe
"Path"="c:\\malware\\"

So… by changing that path to any directory under your control, you can drop your own wmplayer.exe there and voilà!
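As an added defender-side check, not code from the original post: a PowerShell snippet that reads the App Paths entry dvdplay.exe consults and verifies that the wmplayer.exe it resolves to lives in the expected Windows Media Player directory and carries a valid Microsoft Authenticode signature. The expected directories and the WOW6432Node mirror key are assumptions for a default 64-bit install.

```powershell
# Added example (not from the original post): audit the App Paths entry that
# dvdplay.exe resolves and verify the binary it points to. The expected
# directories below are an assumption for a default Windows install.
$expectedDirs = foreach ($pf in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
    if ($pf) { Join-Path $pf 'Windows Media Player' }
}

# Native key (from the post) plus the WOW6432Node mirror (assumed on 64-bit).
$appPathKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\wmplayer.exe',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\wmplayer.exe'
)

foreach ($key in $appPathKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # "Path" is the directory dvdplay.exe looks in (per the post);
    # "(default)" normally holds the full path to wmplayer.exe.
    $dir     = $props.Path
    $default = $props.'(default)'
    Write-Host "Key:     $key"
    Write-Host "Path:    $dir"
    Write-Host "Default: $default"

    $candidates = @()
    if ($dir)     { $candidates += (Join-Path $dir.TrimEnd(';') 'wmplayer.exe') }
    if ($default) { $candidates += $default.Trim('"') }

    foreach ($exe in ($candidates | Select-Object -Unique)) {
        # Flag any binary resolved outside the Windows Media Player directory.
        $inExpected = $expectedDirs | Where-Object { $exe -like "$_\*" }
        if (-not $inExpected) {
            Write-Warning "App Paths resolves outside the WMP directory: $exe"
        }
        if (-not (Test-Path $exe)) {
            Write-Warning "Referenced binary does not exist (dangling entry): $exe"
            continue
        }
        # A hijacked entry points at a file that is not Microsoft-signed.
        $sig = Get-AuthenticodeSignature -FilePath $exe
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            Write-Warning "Unexpected signature on $exe : $($sig.Status) / $($sig.SignerCertificate.Subject)"
        }
    }
}
```

Run it from an elevated prompt on a baseline image first, so you know what the legitimate "Path" and "(default)" values look like before comparing against suspect hosts.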