bohops Leveraging INF-SCT Fetch & Execute Techniques For Bypass, Evasion, & Persistence
Leveraging INF-SCT Fetch & Execute Techniques For Bypass, Evasion, & Persistence Over the last few weeks, I researched and tested a few interesting namespaces/methods documented on various Microsoft/MSDN sources that dealt with executing various COM scripts/scriptlets (e.g. VBscript, Jscript, etc.). In particular, I was curious to see if there were potentially new ways to invoke remote scripts (ActiveX Objects) by leveraging some of the great research already performed and documented by @subTee, @Oddvarmoe, @ItsReallyNick, @KyleHanslovan, @ChrisBisnett, and @NickTyrer. There were some interesting findings, but the one that really stood out was the discovery of LaunchINFSection, a ‘new’ method to remotely launch staged SCT files configured within INF files. In this post, we’ll discuss several known INF-SCT launch methods, introduce LaunchINFSection, and dive into use cases/defensive considerations. Additionally, we’ll reference other techniques for remote script/scriptlet execution. INF-SCT Launch Methods Methods for launching script component files (‘.sct’) via INF configuration files include InstallHinfSection (setupapi.dll), CMSTP, and LaunchINFSection (advpack.dll). Let’s dive in… Malicious INF-SCT Usage with Infected INF Files
FEATURES
EXPLORE BY TAGS
SIMILAR TOOLS
PinCTF is a tool for using Intel's Pin Tool to instrument reverse engineering binaries and count instructions.
Blazingly fast Yara queries for malware analysts with an analyst-friendly web GUI.
A static analysis tool for PE files that detects malicious behavior and provides information for manual analysis.
Code to prevent a managed .NET debugger/profiler from working.
A tool that extracts and deobfuscates strings from malware binaries using advanced static analysis techniques.
Intezer is a cloud-based malware analysis platform that detects and classifies malware using genetic code analysis.
PINNED
Proton Pass is a cross-platform password manager that provides encrypted storage, password generation, and security monitoring features with integrated 2FA and dark web monitoring capabilities.
NordVPN is a commercial VPN service that encrypts internet connections and hides IP addresses through a global network of servers, featuring integrated threat protection and multi-device support.
Fractional CISO service that helps B2B companies implement security leadership to win enterprise deals, achieve compliance, and develop strategic security programs.
Checkmarx SCA
A software composition analysis tool that identifies vulnerabilities, malicious code, and license risks in open source dependencies throughout the software development lifecycle.
Orca Security
A cloud-native application protection platform that provides agentless security monitoring, vulnerability management, and compliance capabilities across multi-cloud environments.
DryRun
A GitHub application that performs automated security code reviews by analyzing contextual security aspects of code changes during pull requests.