Beyond good ol’ Run key, Part 73

If you have a dvdplay.exe program on your system, you can quickly do two things with it:

  • use it to disturb the process tree: your payload runs as a child of a legitimate Windows binary, so the parent/child chain looks benign
  • leverage the fact that it is a signed binary: add it to any common startup location and you get a nice, invisible persistence mechanism, possibly bypassing some security solutions (they will see an autostart entry pointing to a signed binary and nothing else)

How?

The dvdplay.exe program is a simple wrapper that actually launches wmplayer.exe. But not necessarily the one you would expect.

In order to find the path to wmplayer.exe, it reads the "Path" value of the following Registry key (shown here already pointing at an attacker-controlled directory):

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\wmplayer.exe
"Path"="c:\\malware\\"

So… change that Path to any directory under your control, drop your own wmplayer.exe there, and voilà: the next time dvdplay.exe starts (from a Run key, a Startup folder, or anywhere else), it happily launches your binary.
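The following audit script is an added example and is not code from the original post. It checks the two things described above from the defender's side: whether the App Paths entry for wmplayer.exe has been redirected away from the stock Windows Media Player directory (and whether the binary it would launch carries a valid Microsoft signature), and whether any common autostart location references dvdplay.exe. It assumes that the stock location of wmplayer.exe is "<Program Files>\Windows Media Player" and that it runs in a 64-bit PowerShell, so that HKLM:\SOFTWARE is the 64-bit view of the registry; neither assumption comes from the post.

```powershell
# Added audit script (not from the original post). Assumptions: stock
# wmplayer.exe lives in "<Program Files>\Windows Media Player"; the script
# runs in 64-bit PowerShell so HKLM:\SOFTWARE is the 64-bit registry view.

$AppPathsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\wmplayer.exe'

# Directories we are willing to trust for wmplayer.exe (assumption, see above).
$TrustedDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { (Join-Path $_ 'Windows Media Player').TrimEnd('\') }

function Test-WmplayerAppPath {
    if (-not (Test-Path -LiteralPath $AppPathsKey)) {
        return [pscustomobject]@{ Finding = 'App Paths key for wmplayer.exe missing'; Path = $null }
    }
    $props   = Get-ItemProperty -LiteralPath $AppPathsKey
    $dir     = [string]$props.Path          # directory dvdplay.exe will use
    $default = [string]$props.'(default)'   # full path to the executable, if set
    $normDir = $dir.TrimEnd('\')

    # A "Path" outside the stock directory is exactly the redirection the post describes.
    $redirected = ($normDir -ne '') -and ($TrustedDirs -notcontains $normDir)

    # Check the signature of the binary that would actually be launched.
    $target = if ($normDir) { Join-Path $dir 'wmplayer.exe' } elseif ($default) { $default } else { $null }
    $sigStatus = $null; $signer = $null
    if ($target -and (Test-Path -LiteralPath $target)) {
        $sig = Get-AuthenticodeSignature -FilePath $target
        $sigStatus = $sig.Status.ToString()
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }
    $msSigned = ($sigStatus -eq 'Valid') -and ($signer -like '*O=Microsoft Corporation*')

    [pscustomobject]@{
        Finding = if ($redirected) { 'wmplayer.exe App Path redirected' }
                  elseif ($target -and -not $msSigned) { 'wmplayer.exe at App Path is not Microsoft-signed' }
                  else { 'OK' }
        Path    = $dir
        Target  = $target
        Signed  = $sigStatus
        Signer  = $signer
    }
}

function Find-DvdplayAutostart {
    # Run/RunOnce keys are the obvious places dvdplay.exe would be planted.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $data = [string]$item.GetValue($name)
            if ($data -match 'dvdplay\.exe') {
                [pscustomobject]@{ Location = $key; Name = $name; Command = $data }
            }
        }
    }
    # Startup folders: a shortcut whose target, or a file whose name, mentions dvdplay.
    $startupDirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
    $shell = New-Object -ComObject WScript.Shell
    foreach ($d in $startupDirs) {
        if (-not (Test-Path -LiteralPath $d)) { continue }
        foreach ($f in Get-ChildItem -LiteralPath $d -File) {
            $target = if ($f.Extension -eq '.lnk') { $shell.CreateShortcut($f.FullName).TargetPath } else { $f.FullName }
            if ($target -match 'dvdplay\.exe' -or $f.Name -match 'dvdplay') {
                [pscustomobject]@{ Location = $d; Name = $f.Name; Command = $target }
            }
        }
    }
}

Test-WmplayerAppPath | Format-List
$hits = @(Find-DvdplayAutostart)
if ($hits.Count) { $hits | Format-Table -AutoSize } else { 'No autostart entries referencing dvdplay.exe found.' }
```

Run it from an elevated prompt so the HKLM keys are readable and the signature check can open the target file. The signature check matters because an autostart entry pointing at dvdplay.exe will pass a "signed binary" filter; it is the wmplayer.exe resolved through App Paths that needs scrutiny, and that is the file the script inspects. Extend the App Paths check to other wrapper binaries the same way if you want broader coverage.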

Endpoint Detection and Response (EDR) solutions sheet – update

I finally caught up with some more updates; thanks to Atul for adding OSQuery and PolyLogyx, and Dori for Secdo. Also fixed some formatting and did minor edits.

The latest EDR sheet can be found here.

The explanations of columns can be found here.

As usual, if you find anything wrong/needing some amendment, please do let me know. I’ll fix it.

Posted in EDR