Sysmon is a cool tool and we love it. Sometimes it does not work as expected though.
It’s late so just dropping another recipe here:
You can also drop Riched32.dll in the same directory and try to ‘install’ sysmon – you will notice the EULA box is loaded incorrectly, because the side-loaded Riched32.dll DLL will take over and will execute your code.
Here’s yet another subclass of tricks one can use to distort the process tree seen by EDR and sandbox solutions.
Many Windows programs launch other internal Windows programs (native to OS). They do so carefully so they typically launch them from %SystemRoot%. Many of them use GetSystemDirectory to build a path, but there are still quite a few that rely on an environment variable – they need to use an ExpandEnvironmentStrings API to obtain the actual path.
Changing that environmental variable and copying the required files to a redirected location while replacing the target application enables us to launch a payload of choice making it look like it was executed by a signed binary.
Example:
In this old post I mentioned AtBroker. When you launch it from a command line without any arguments it will simply launch Narrator.exe.
We can:
This launches C:\Test\System32\Narrator.exe:
