
DeXRAY 2.03 update

October 7, 2017 in Batch Analysis, Compromise Detection, DeXRAY, File Formats ZOO, Forensic Analysis, Incident Response, Malware Analysis, Software Releases

Added ‘handling’ of quarantine.qtn from Symantec products on MAC.

I say ‘handling’ because at the moment there is no good Perl library for encrypted .zip files, BUT… we really don’t need such a library, since the decryption is trivial. If a quarantine.qtn is found, you will get a list of the files inside the container plus information on how to extract each file (hint: the password is… a file name 🙂).

You can download it here.

The full list of supported or recognized file formats is listed below:

  • AhnLab (V3B)
  • ASquared (EQF)
  • Avast (Magic@0=’-chest- ‘)
  • Avira (QUA)
  • Baidu (QV)
  • BitDefender (BDQ)
  • BullGuard (Q)
  • CMC Antivirus (CMC)
  • Comodo <GUID> (not really; quarantined files are not encrypted 🙂)
  • ESafe (VIR)
  • ESET (NQF)
  • F-Prot (TMP) (Magic@0=’KSS’)
  • Kaspersky (KLQ)
  • Lavasoft AdAware (BDQ) /BitDefender files really/
  • Lumension LEMSS (lqf)
  • MalwareBytes Data files (DATA)
  • MalwareBytes Quarantine files (QUAR)
  • McAfee Quarantine files (BUP) /full support for OLE format/
  • Microsoft Forefront|Defender (Magic@0=0B AD|D3 45) – D3 45 C5 99 header handled
  • Panda <GUID> Zip files
  • Spybot – Search & Destroy 2 ‘recovery’
  • SUPERAntiSpyware (SDB)
  • Symantec ccSubSdk files: {GUID} files and submissions.idx
  • Symantec Quarantine Data files (QBD)
  • Symantec Quarantine files (VBN)
  • Symantec Quarantine Index files (QBI)
  • Symantec Quarantine files on MAC (quarantine.qtn)
  • TrendMicro (Magic@0=A9 AC BD A7 which is a ‘VSBX’ string ^ 0xFF)
  • QuickHeal <hash> files
  • Vipre (<GUID>_ENC2)
  • Zemana <hash> files+quarantine.db
  • Any binary file (using X-RAY scanning)
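The list above mixes two kinds of recognition: a handful of vendors are identified by bytes at offset 0 (Avast, F-Prot, Microsoft Forefront/Defender, TrendMicro), the rest by file extension or name. The script below, an added example that is not DeXRAY code, shows how a triage tool can apply those two checks; the magic values and extensions are the ones listed in the post, while the function names, the directory walker and the sample blobs are constructed for the demonstration. It also shows the TrendMicro trick in code: the A9 AC BD A7 header is just ‘VSBX’ with every byte XORed with 0xFF, so the same XOR recovers the string.

```python
"""Recognise antivirus quarantine containers from a file's first bytes or name.

Added example, not DeXRAY code. Magics and extensions come from the DeXRAY
format list; everything else (names, sample blobs) is constructed.
"""
import os


def xor_ff(data: bytes) -> bytes:
    """XOR every byte with 0xFF (how TrendMicro masks its 'VSBX' header)."""
    return bytes(b ^ 0xFF for b in data)


# Offset-0 magics exactly as listed in the post. Microsoft gets two entries
# because both the 0B AD and the D3 45 (seen as D3 45 C5 99) headers occur.
MAGICS = [
    ("Avast", b"-chest- "),
    ("F-Prot", b"KSS"),
    ("Microsoft Forefront/Defender", b"\x0b\xad"),
    ("Microsoft Forefront/Defender", b"\xd3\x45"),
    ("TrendMicro", xor_ff(b"VSBX")),  # A9 AC BD A7
]

# Formats the post recognises by extension only (no magic given there).
EXTENSIONS = {
    ".v3b": "AhnLab (V3B)",
    ".eqf": "ASquared (EQF)",
    ".qua": "Avira (QUA)",
    ".qv": "Baidu (QV)",
    ".bdq": "BitDefender / Lavasoft AdAware (BDQ)",
    ".cmc": "CMC Antivirus (CMC)",
    ".vir": "ESafe (VIR)",
    ".nqf": "ESET (NQF)",
    ".klq": "Kaspersky (KLQ)",
    ".lqf": "Lumension LEMSS (lqf)",
    ".quar": "MalwareBytes Quarantine (QUAR)",
    ".bup": "McAfee Quarantine (BUP)",
    ".sdb": "SUPERAntiSpyware (SDB)",
    ".qbd": "Symantec Quarantine Data (QBD)",
    ".vbn": "Symantec Quarantine (VBN)",
    ".qbi": "Symantec Quarantine Index (QBI)",
    ".qtn": "Symantec Quarantine on MAC (quarantine.qtn)",
}


def identify_header(header: bytes):
    """Return the vendor whose offset-0 magic matches, or None."""
    for vendor, magic in MAGICS:
        if header.startswith(magic):
            return vendor
    return None


def identify(filename: str, header: bytes):
    """Magic first (content beats naming), then the extension table."""
    vendor = identify_header(header)
    if vendor:
        return vendor
    return EXTENSIONS.get(os.path.splitext(filename)[1].lower())


def scan_dir(root: str):
    """Walk a directory and yield (path, vendor) for every recognised file."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    header = fh.read(16)
            except OSError:
                continue
            vendor = identify(name, header)
            if vendor:
                yield path, vendor


# Constructed sample blobs (not real quarantine files) for a quick run.
SAMPLES = {
    "chest.bin": b"-chest- " + b"\x00" * 8,
    "defender.bin": b"\xd3\x45\xc5\x99" + b"\x00" * 12,
    "trend.bin": b"\xa9\xac\xbd\xa7" + b"\x00" * 12,
    "sample.vbn": b"\x00" * 16,
    "readme.txt": b"hello",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name}: {identify(name, blob)}")
    print("TrendMicro header unmasked:", xor_ff(SAMPLES["trend.bin"][:4]))
```

Checking content before name matters in practice: quarantine stores get renamed and copied around during collection, and a renamed TrendMicro or Defender container is still recognisable from its first bytes, while a .vbn extension alone proves nothing about what is inside.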

Running programs via Proxy & jumping on a EDR-bypass trampoline, Part 2

October 4, 2017 in Anti-*, EDR, Incident Response


After my post Zod contacted me with this mic-dropping link: Ultimate AppLocker ByPass List. Really lots of good stuff there! Thx Zod!

Old Post

In the first part I listed a couple of examples of programs that may be used as a proxy to launch other programs. In the meantime, subTee kicked off a very interesting thread on Twitter listing a number of signed .exe binaries that can be used as a proxy to load a DLL. Yesterday I came across a few cool posts by @0rbz_. This in turn reminded me of my first post and I decided to add a few more proxy/living off the land ideas.

There are a number of signed .exes that can be used to load other .exes or .dlls and, as a result, break standard EDR detection rules or bypass some whitelisting. This may sometimes involve copying the signed binary to your folder in order to sideload your DLL (PlugX is a very good example; funnily enough, in many cases they don’t even need to bring a signed .exe and instead fetch one that is typically present on the system).

Here is the list:

  • AppVLP.exe – to launch .exe
    • From this Tweet by @0rbz_
    • Just run C:\Program Files\Microsoft Office\root\client\AppVLP.exe <exename>
  • pcalua.exe
    • From this Tweet by @0rbz_ and mentioned on this forum
    • Just run C:\windows\system32\pcalua.exe -a <exename>
  • odbcconf.exe – to load .dll
  • odbcad32.exe – to load .dll via GUI
    • drop c:\windows\system32\<dllfile>
    • run odbcad32.exe
    • go to Tracing Tab
    • choose Custom Trace DLL
    • hit Start Tracing Now
  • WinMail.exe – to load .dll
    • copy c:\Program Files\Windows Mail\WinMail.exe to your folder
    • name your DLL ‘msoe.dll’
    • launch one of these
      • WinMail.exe /identcatalog
      • WinMail.exe /identfileslist:foo
      • WinMail.exe /identfile:foo
  • xwizard.exe – to load .dll
    • From my previous post
    • copy c:\WINDOWS\system32\xwizard.exe to your folder
    • name your DLL ‘xwizards.dll’
    • run xwizard.exe with at least two arguments
  • java.exe – to load .dll
    • From my previous post
    • run java -agentlib:<dllname>
    • run java -agentpath:<dllname_with_dll_extension>
  • any other phantom / sideloaded dlls – to load .dll
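From the defender's side, most of the tricks in this list leave a recognisable process-creation footprint: a proxy launcher with a specific argument (pcalua.exe -a, AppVLP.exe <exename>), java.exe with -agentlib:/-agentpath:, odbcconf.exe, or a signed binary such as xwizard.exe / WinMail.exe executing from a directory it was copied to rather than its usual location. The script below is an added example, not part of the original post and not an EDR product's rule set: it runs those checks over a small batch of Sysmon-style process-creation events. The event records (Image, CommandLine, ParentImage) are constructed for the demonstration, and the "expected directory" values for xwizard.exe and WinMail.exe are the paths the post copies them from. The odbcad32.exe GUI case is deliberately absent; it is better caught by watching for a new DLL dropped into System32 than by process creation.

```python
"""Flag proxy-execution and DLL-sideloading patterns from the post in
Sysmon-style process-creation events.

Added example, not from the original post. Event field names and the
sample events are constructed for the demonstration.
"""
import ntpath
import re

# Where the post says these signed binaries normally live; running from
# anywhere else means the binary was copied next to a planted DLL.
EXPECTED_DIRS = {
    "xwizard.exe": r"c:\windows\system32",          # sideloads xwizards.dll
    "winmail.exe": r"c:\program files\windows mail",  # sideloads msoe.dll
}
PROXY_LAUNCHERS = {"pcalua.exe", "appvlp.exe"}
JAVA_AGENT_PREFIXES = ("-agentlib:", "-agentpath:")


def split_cmdline(cmdline: str):
    """Crude Windows command-line tokenizer that keeps quoted tokens whole."""
    return re.findall(r'"[^"]*"|\S+', cmdline)


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def check_event(ev: dict):
    """Return a list of finding strings for one process-creation event."""
    findings = []
    image = ev["Image"]
    name = basename(image)
    args = split_cmdline(ev.get("CommandLine", ""))[1:]
    lowered = [a.lower() for a in args]
    parent = basename(ev.get("ParentImage", ""))

    if name == "pcalua.exe" and "-a" in lowered:
        findings.append("pcalua.exe -a proxy launch")
    if name == "appvlp.exe" and args:
        findings.append("AppVLP.exe proxy launch")
    if name == "java.exe" and any(a.startswith(JAVA_AGENT_PREFIXES) for a in lowered):
        findings.append("java.exe -agentlib/-agentpath DLL load")
    if name == "odbcconf.exe":
        findings.append("odbcconf.exe DLL load (review arguments)")

    expected = EXPECTED_DIRS.get(name)
    if expected and ntpath.dirname(image).lower() != expected:
        findings.append(f"{name} outside {expected} (copied signed binary, likely DLL sideload)")

    if parent in PROXY_LAUNCHERS:
        findings.append(f"child of proxy launcher {parent}")
    return findings


def analyze(events):
    """Run check_event over a batch; returns (image, finding) pairs."""
    return [(ev["Image"], f) for ev in events for f in check_event(ev)]


# Constructed sample events: five malicious patterns and two benign controls.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\pcalua.exe",
     "CommandLine": r"pcalua.exe -a C:\Users\bob\AppData\Local\Temp\payload.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\payload.exe",
     "CommandLine": r"C:\Users\bob\AppData\Local\Temp\payload.exe",
     "ParentImage": r"C:\Windows\System32\pcalua.exe"},
    {"Image": r"C:\Program Files\Microsoft Office\root\client\AppVLP.exe",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\client\AppVLP.exe" C:\Users\bob\tool.exe',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Program Files\Java\jre8\bin\java.exe",
     "CommandLine": r"java -agentpath:C:\Users\bob\evil.dll Foo",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Users\bob\tools\xwizard.exe",
     "CommandLine": "xwizard.exe arg1 arg2",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\bob\tools\WinMail.exe",
     "CommandLine": "WinMail.exe /identcatalog",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # benign controls: xwizard from its real directory, and plain notepad
    {"Image": r"C:\Windows\System32\xwizard.exe",
     "CommandLine": "xwizard.exe arg1 arg2",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for image, finding in analyze(SAMPLE_EVENTS):
        print(f"{finding}: {image}")
```

The parent-process rule is the one that survives renaming: an attacker can rename the payload, but if pcalua.exe or AppVLP.exe is the parent of something that is not a normal child for it, the launch chain itself is the indicator. The path rule for xwizard.exe and WinMail.exe is cheap and high-signal for the sideloading variants, since there is no legitimate reason for copies of those binaries to run from a user-writable folder.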

If you know of any other tricks like this, please let me know. Thanks!

p.s. as I was about to post it, Huntress Labs just published yet another cool technique using WseClientSvc.exe passthru.exe calc.exe!