007. A Curious Case of Microsoft Management Console Abuse

Hello everyone! As you know, phishing emails are still the most common way to deliver malware. Malicious attachments may include Microsoft Word documents, Microsoft Excel spreadsheets, executables with a double extension, LNK files and many others.

Some time ago we observed Sticky Werewolf using MSC files to deliver a Sliver implant to the compromised system.

Windows MSC files are used in the Microsoft Management Console to manage various aspects of the operating system or create custom views of commonly accessed tools.

Although it is not a very common file type among adversaries, the installation routine is quite noisy and offers defenders plenty of detection and hunting opportunities, for example:

  • Execution of MSC files from suspicious locations with mmc.exe (mmc.exe C:\Users\Victim\AppData\Local\Temp\17_09_2024.msc)
  • Certutil abuse for decoding MSC files (certutil -decode """C:\Users\Victim\AppData\Local\Temp\17_09_2024.msc""" C:\Users\Victim\AppData\Local\xrks.t)
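
The two hunting opportunities above turned into a small detection routine over process-creation events. This is an added example, not code from the original post; the sample events are constructed to mirror the command lines quoted above, and the list of suspicious directories is an assumption a hunter would tune to their environment.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (not taken from real telemetry);
# events 0 and 1 mirror the command lines quoted in the post, 2 and 3 are benign.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mmc.exe",
     "cmdline": r"mmc.exe C:\Users\Victim\AppData\Local\Temp\17_09_2024.msc"},
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r'certutil -decode """C:\Users\Victim\AppData\Local\Temp\17_09_2024.msc""" C:\Users\Victim\AppData\Local\xrks.t'},
    {"image": r"C:\Windows\System32\mmc.exe",
     "cmdline": r"mmc.exe C:\Windows\System32\eventvwr.msc"},
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -hashfile C:\Tools\installer.exe SHA256"},
]

# Assumed list of user-writable directories an MSC file is not normally launched from.
SUSPICIOUS_DIRS = re.compile(
    r"\\(AppData\\Local\\Temp|Downloads|Public|ProgramData|Temp)\\", re.IGNORECASE)
# Picks every .msc path out of a command line; tolerates the escaped quotes
# that JSON-encoded telemetry often leaves around arguments.
MSC_PATH = re.compile(r'"?([^"\s]+\.msc)"?', re.IGNORECASE)


def detect(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules matched by one process-creation event."""
    image = event["image"].lower().rsplit("\\", 1)[-1]
    cmdline = event["cmdline"]
    hits = []
    msc_paths = MSC_PATH.findall(cmdline)
    # Rule 1: mmc.exe loading an MSC file from a user-writable location.
    if image == "mmc.exe" and any(SUSPICIOUS_DIRS.search(p) for p in msc_paths):
        hits.append("mmc_msc_from_suspicious_location")
    # Rule 2: certutil -decode where the input being decoded is an MSC file.
    if image == "certutil.exe" and re.search(r"(?i)\s-decode\b", cmdline) and msc_paths:
        hits.append("certutil_decode_msc")
    return hits


def scan(events: List[Dict[str, str]]):
    """Run both rules over a batch of events and keep only the matches."""
    results = []
    for e in events:
        hits = detect(e)
        if hits:
            results.append((e["cmdline"], hits))
    return results
```

Legitimate consoles such as eventvwr.msc launched from System32 produce no hit, so the rules stay quiet on normal administration.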

Have you observed any interesting file types used by adversaries for malware delivery? Share them in the comments section!

See you tomorrow!
