Боковое движение

CCod · 08.12.2022

Возможно ли бесфайловое боковое движение с помощью mshta,rundll32,regsrv32 и тд.?Как на это реагируют антивирусы?

qGodless · 08.12.2022

CCod сказал(а):

fileless with mshta, rundll32, regsrv32

These processes require files to work with

CCod сказал(а):

How do antiviruses react to this?

It will be detected

CCod · 08.12.2022

qGodless сказал(а):

These processes require files to work with

No mshta allows u to execute scripts by url, same as rundll and regsrv aloows to execute sct files

kydoimos · 10.12.2022

Not directly. Can use methods like psexec or remote powershell to run them on another target on the network.

CCod · 11.12.2022

kydoimos сказал(а):

Not directly. Can use methods like psexec or remote powershell to run them on another target on the network.

i understand it. Im intrested if AV kills suspicious processes like rundll or mshta with url as argument

qGodless · 11.12.2022

CCod сказал(а):

if AV kills suspicious processes like rundll or mshta with url as argument

Yes it will