Blu3_Team

BLUF: As Countercept noted, Look for children of:     Eventvwr.exe CompMgmtLauncher.exe Fodhelper.exe A quicky on some old UAC bypasses since it just came up again ITW. SBousseaden shared an Anyrun and some notes on two UAC bypasses: mscfile\shell\open\command ms-settings\shell\open\command mscfile activates from eventvwr.exe or CompMgmtLauncher.exe ms-settings activates using Fodhelper.exe They are well documented. Eventvwr has been patched but CompMgmtLauncher still works, fodhelper, I couldn't test but I assume it works the same way. Testing for the regmods are fine using an EDR but a quick and dirty method is to look for children of the three processes and filter the normal ones. References: https://twitter.com/SBousseaden/status/1143848669407588352 https://twitter.com/countercept/status/842023313467707393 https://github.com/ChaitanyaHaritash/My-Exploits/tree/master/COMPMGMTLAUNCHER_UAC_BYPASS https://enigma0x3.net/2016/08/15/fileless-...

By now most shops have a good selection of powershell rules, long command lines, netconn, keywords, obfuscation and so on so I am on the lookout for those that might not trigger anything. A recent tweet from Clearsky included an Anyrun trace (always a good source for techniques) that showed cmd echoing commands to powershell without powershell showing the command line so I dug into it a bit. From the references you can see that it isn't new. GBHackers had a good explanation - "Powershell command that ends with Dash “-“ ,that will Execute the command by using standard input (Stdin) and only the dash will appear in powershell.exe’s command line arguments." Cmd using echo  "Powershell -" Also note that while powershell is a child of cmd, it is not the one with the command arguments. Testing showed that the "| powershell -" was not in the command lines from my EDR. Detection There are a couple of ways to go about detecting this....

I get something out of twitter almost every day and it is not uncommon to see examples a few times before the realization sinks in that you are looking at a technique that needs a rule. These should fall under the ATT&CK framework as masquerading. I saw a tweet the other day that reminded me of a couple of signatures worth talking about. These misleading double extensions are not new but they never seem to go out of style. With modern EDRs it is an easy win. The malware filename ended in .xls.exe but lets expand that to include other office file types. index=edr ( doc OR docx OR xls OR xlsx OR pdf ) exe ( process_path=*.doc.exe OR process_path=*.docx.exe OR process_path=*.xls.exe OR process_path=*.xlsx.exe OR process_path=*.pdf.exe ) The sig is largely self explanatory, the tokenization allows for keyword search by breaking up the extension, and the process path stuff just anchors it all to the process name since these are pretty generic terms. Another tweet by blackor...