

Cobalt Strike persistence via DLL Hijacking

During a recent Red Team scenario, the team got local admin privileges on a workstation where an EDR solution was identified. In this scenario, the next step to proceed with the engagement was to infect and persist on the compromised system, towards securing remote access. After exploring several options, a Microsoft Teams binary was identified as vulnerable to DLL Hijacking. This article explains how to take advantage of this situation, making use of a Cobalt Strike payload embedded in a DLL. Finally, it details how to mimic legitimate Microsoft Teams traffic when communicating with the C&C using Cobalt Strike malleable C2 profiles.

Stager: obtaining the Cobalt Strike beacon

In order to ease up the process, the Red Team prepared a local environment, as close as possible to the original, to carry out the appropriate tests. After that, we used Process Monitor to identify processes trying to load non-existent DLLs. To do so, the following filters were applied:

Column

The process "Update.exe" (32 bits) was spotted trying to load "CRYPTSP.dll" from the executable directory, failing to do so as this library is located in C:\Windows\SysWOW64. This means that if a malicious DLL is placed in the same directory as the binary, the next time "Update.exe" is started, the process will load this library first and make use of some exported functions.

This executable was an ideal candidate for the operation for different reasons: it is an app update manager (Squirrel), present in the installation of multiple products (Teams, Slack, Discord, Webex). In this case, it is part of Microsoft Teams, so it is signed by Microsoft. It is executed every time the user opens the application. The default installation sets a Run key in the Windows registry so that the application is automatically launched every time the user logs in.
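As an added defensive check (example code written for this page, not part of the original article or of Squirrel/Teams), the script below enumerates the Run keys for Squirrel-style "Update.exe" launchers and flags any CRYPTSP.dll placed beside the executable, where the search order described above would load it instead of the copy in C:\Windows\SysWOW64. The Teams install path under %LOCALAPPDATA% is an assumption added as a fallback candidate; the Run key locations are the standard per-user and per-machine keys.

```powershell
# Added example (not from the article): look for the DLL search-order condition
# described above from the defender's side.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Assumed default location of the Teams Squirrel launcher (not taken from the article).
$assumedTeamsExe = Join-Path $env:LOCALAPPDATA 'Microsoft\Teams\Update.exe'

function Get-SquirrelLaunchers {
    $found = @()
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the provider's own properties
            # Extract the executable path from a quoted or bare command line.
            if ("$($p.Value)" -match '^"?([^"]*?Update\.exe)"?') {
                $found += [pscustomobject]@{ Source = "$key\$($p.Name)"; Exe = $Matches[1] }
            }
        }
    }
    if (Test-Path $assumedTeamsExe) {
        $found += [pscustomobject]@{ Source = 'assumed Teams path'; Exe = $assumedTeamsExe }
    }
    $found | Sort-Object Exe -Unique
}

function Test-HijackCandidate {
    param([string]$ExePath)
    # CRYPTSP.dll belongs in the system directory; a copy next to Update.exe is never expected.
    $dll = Join-Path (Split-Path -Parent $ExePath) 'CRYPTSP.dll'
    $r = [ordered]@{ Exe = $ExePath; SideloadedDll = $null; DllSigner = $null; Status = 'clean' }
    if (Test-Path $dll) {
        $sig = Get-AuthenticodeSignature -FilePath $dll
        $r.SideloadedDll = $dll
        $r.DllSigner = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        # Suspicious in every case; escalate when unsigned or not Microsoft-signed.
        $r.Status = if ($sig.Status -eq 'Valid' -and $r.DllSigner -like '*Microsoft*') { 'suspicious' } else { 'likely-hijack' }
    }
    [pscustomobject]$r
}

Get-SquirrelLaunchers | ForEach-Object { Test-HijackCandidate -ExePath $_.Exe } | Format-Table -AutoSize
```

Run it in the context of each interactive user, since the relevant Run key and install directory are per-user; any row whose Status is not "clean" warrants pulling the DLL for analysis.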
