5/16/2023
Werfault exe

How deep can a rabbit hole go? Recently, we discovered a suspicious-looking run key on a victim system. It was clear that the key was likely malicious, but it didn’t seem like anything out of the ordinary. Little did we know, we were about to encounter Cobalt Strike malware hidden across almost 700 registry values and encased within multiple layers of fileless executables. This particular malware sample went to great lengths to hide itself, deploying numerous evasion tactics and obfuscation techniques in order to evade detection and analysis. And as you'll see, it goes to show the great lengths hackers will go to evade detection and compromise their targets.

Cobalt Strike is a commercial threat-emulation and post-exploitation tool commonly used by malicious attackers and penetration testers to compromise and maintain access to networks. The tool uses a modular framework comprising numerous specialized modules, each responsible for a particular function within the attack chain. Some are focused on stealth and evasion, while others are focused on the silent exfiltration of corporate data. While the intent of Cobalt Strike is to better equip legitimate red teams and pen testers with the capabilities of sophisticated threat actors, it is often misused when in the wrong hands; with great power comes great responsibility. Cobalt Strike is an undeniably powerful framework, but it's easily weaponized by malicious actors as a go-to tool for undercover attacks.

It all started with a RunOnce key, which is typically found here: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

This key is used to automatically execute a program when a user logs into their machine. Since this is a “RunOnce” key, it will automatically be deleted once it has executed. Typically, this is used by legitimate installation and update tools to resume an update after reboot, but not to resume after every reboot. There are also “Run” keys, which don’t get removed each time and are used both legitimately and maliciously to create persistent footholds between reboots. In this particular case, we found multiple commands for legitimate applications contained in the RunOnce key, but there was one that looked awfully suspicious. We inspected the command in the suspicious key and found this, which seemed to be executing a PowerShell command stored in one user’s environment variables.

If you’re unfamiliar with PowerShell, that script may look a bit intimidating. Ultimately, the PowerShell script achieves four main things:

1. Loads an obfuscated string that has been stored in the registry.
2. De-obfuscates the string and converts the result into a byte array.
3. Loads the byte array into memory as a DLL using PowerShell reflection (this is a common evasion technique that avoids writing a decoded payload to disk).
4. Executes the “test” method of that DLL, located in the “Open” object class.

From a more technical lens, here’s a line-by-line breakdown of the PowerShell script in action:

Lines 1-9: This section pulls data from some more registry keys (up to 700 of them) and stores this data in a string.
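As an added example (not code from the original post), here is an offline triage script for the RunOnce inspection described above: it parses an exported Run/RunOnce key and flags values that launch PowerShell with suspicious switches, an environment-variable payload, an encoded command, or reflective assembly loading. The .reg content, the value names and the indicator list are constructed for this example.

```python
import re

# Constructed .reg export of a RunOnce key (sample input for this example, not from the post);
# "Updater" mimics the pattern described above: PowerShell running a command held in an env var.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"OneDriveSetup"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveSetup.exe /update"
"Updater"="powershell.exe -NoProfile -WindowStyle Hidden -Command $env:SESSIONDATA"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
AUTORUN_KEY_RE = re.compile(r'\\CurrentVersion\\Run\w*$', re.I)

INDICATORS = [(name, re.compile(rx, re.I)) for name, rx in [  # case-insensitive indicators
    ("powershell", r'\bpowershell(\.exe)?\b'),
    ("env-var", r'\$env:|%[A-Za-z_][A-Za-z0-9_]*%'),
    ("hidden-window", r'-w(indowstyle)?\s+hidden'),
    ("encoded-command", r'-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}'),
    ("reflective-load", r'\[reflection\.assembly\]|::load\('),
]]

def _unescape(s):
    return re.sub(r'\\(.)', r'\1', s)  # undo .reg escaping of backslashes and quotes

def parse_reg_export(text):
    """Yield (key_path, value_name, value_data) for each string value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if (m := KEY_RE.match(line)):
            key = m.group(1)
        elif key and (m := VALUE_RE.match(line)):
            yield key, _unescape(m.group(1)), _unescape(m.group(2))

def scan_reg_export(text):
    """Flag Run/RunOnce values that start PowerShell with suspicious switches or payloads."""
    findings = []
    for key, name, cmd in parse_reg_export(text):
        if not AUTORUN_KEY_RE.search(key):
            continue  # only autorun keys are in scope
        hits = [n for n, rx in INDICATORS if rx.search(cmd)]
        if ("powershell" in hits and len(hits) > 1) or "reflective-load" in hits:
            findings.append({"key": key, "name": name, "command": cmd, "indicators": hits})
    return findings

if __name__ == "__main__":
    for hit in scan_reg_export(SAMPLE_REG):
        print(f'{hit["key"]}\\{hit["name"]}: {", ".join(hit["indicators"])}')
```

Run against a real export (reg export of the Run and RunOnce keys under HKCU and HKLM), the legitimate installer entries pass through while the PowerShell-plus-environment-variable entry is reported with its matched indicators.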