bohops Leveraging INF-SCT Fetch & Execute Techniques For Bypass, Evasion, & Persistence Logo

bohops Leveraging INF-SCT Fetch & Execute Techniques For Bypass, Evasion, & Persistence

0
Free
Visit Website

Leveraging INF-SCT Fetch & Execute Techniques For Bypass, Evasion, & Persistence Over the last few weeks, I researched and tested a few interesting namespaces/methods documented on various Microsoft/MSDN sources that dealt with executing various COM scripts/scriptlets (e.g. VBscript, Jscript, etc.). In particular, I was curious to see if there were potentially new ways to invoke remote scripts (ActiveX Objects) by leveraging some of the great research already performed and documented by @subTee, @Oddvarmoe, @ItsReallyNick, @KyleHanslovan, @ChrisBisnett, and @NickTyrer. There were some interesting findings, but the one that really stood out was the discovery of LaunchINFSection, a ‘new’ method to remotely launch staged SCT files configured within INF files. In this post, we’ll discuss several known INF-SCT launch methods, introduce LaunchINFSection, and dive into use cases/defensive considerations. Additionally, we’ll reference other techniques for remote script/scriptlet execution. INF-SCT Launch Methods Methods for launching script component files (‘.sct’) via INF configuration files include InstallHinfSection (setupapi.dll), CMSTP, and LaunchINFSection (advpack.dll). Let’s dive in… Malicious INF-SCT Usage with Infected INF Files

FEATURES

ALTERNATIVES

A script to detect and remove Canary Tokens with simple signature-based detections.

A tool for deep analysis of malicious files using ClamAV and YARA rules, with features like scoring suspect files, building visual tree graphs, and extracting specific patterns.

A backend agnostic debugger frontend for debugging binaries without source code access.

A tool for reverse engineering Android apk files.

A serverless, real-time, and retroactive malware detection tool that scans files with YARA rules and alerts incident response teams.

Fuzzilli is a JavaScript engine fuzzer that helps identify vulnerabilities in JavaScript engines.

DOM XSS scanner for Single Page Applications

A tool that recovers passwords from pixelized screenshots

PINNED