007. A Curious Case of Microsoft Management Console Abuse
Hello everyone! As you know, phishing emails are still the most common way to deliver malware. Malicious attachments may include Microsoft Word documents, Microsoft Excel spreadsheets, executables with double extensions, LNK files and many others.
Some time ago we observed Sticky Werewolf using MSC files to deliver a Sliver implant to the compromised system.
Windows MSC files are saved console files opened by the Microsoft Management Console (mmc.exe); they are used to manage various aspects of the operating system or to create custom views of commonly accessed tools.
Although it is not a very common file type among adversaries, the installation routine is quite noisy and offers defenders plenty of detection and hunting opportunities, for example:
- Execution of an MSC file from a suspicious, user-writable location by mmc.exe (mmc.exe C:\Users\Victim\AppData\Local\Temp\17_09_2024.msc)
- Certutil abuse to base64-decode the MSC file (certutil -decode "C:\Users\Victim\AppData\Local\Temp\17_09_2024.msc" C:\Users\Victim\AppData\Local\xrks.t)
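As an added example (not code from the original post), the two hunting signals above, plus a third one that goes beyond the post (mmc.exe spawning a shell or LOLBin, which is where the certutil call would come from), expressed as Python rules run over constructed Sysmon-style process-creation events. Field names follow Sysmon Event ID 1 (Image, CommandLine, ParentImage); the sample events, the benign ones included, and the assumption that some log exports wrap arguments in runs of quotes ("""...""") are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample process-creation events (Sysmon Event ID 1 fields, simplified).
# Illustrative inputs for the rules below, not telemetry from the original post.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" C:\Users\Victim\AppData\Local\Temp\17_09_2024.msc',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\mmc.exe",          # benign: built-in console from System32
     "CommandLine": r'"C:\Windows\System32\mmc.exe" C:\Windows\System32\eventvwr.msc /s',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",          # mmc.exe spawning a shell
     "CommandLine": r'cmd.exe /c certutil -decode """C:\Users\Victim\AppData\Local\Temp\17_09_2024.msc""" C:\Users\Victim\AppData\Local\xrks.t',
     "ParentImage": r"C:\Windows\System32\mmc.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",     # the decode step itself
     "CommandLine": r'certutil -decode """C:\Users\Victim\AppData\Local\Temp\17_09_2024.msc""" C:\Users\Victim\AppData\Local\xrks.t',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",     # benign: hashing a file
     "CommandLine": r"certutil -hashfile C:\Windows\System32\ntoskrnl.exe SHA256",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# Directories a standard user can write to. A console file loaded from one of
# these instead of from System32 is the first signal listed in the post.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\|\\Temp\\|\\ProgramData\\|\\Public\\",
    re.IGNORECASE,
)

# Children of mmc.exe worth a look: a console should not normally spawn these.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe",
                       "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe", "regsvr32.exe"}


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line into arguments, honouring double quotes.
    Runs of quotes (assumed CSV-style escaping in some log exports) are collapsed first."""
    cmdline = re.sub(r'"{2,}', '"', cmdline)
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def msc_from_user_writable_path(event: dict) -> Optional[str]:
    """Rule 1: mmc.exe loading a .msc from a user-writable directory. Returns the path."""
    if basename(event["Image"]) != "mmc.exe":
        return None
    for arg in tokenize(event["CommandLine"])[1:]:
        if arg.lower().endswith(".msc") and USER_WRITABLE.search(arg):
            return arg
    return None


def certutil_decode(event: dict) -> Optional[Tuple[str, str]]:
    """Rule 2: certutil used as a decoder. Returns (input, output) on a match.
    certutil accepts both '-' and '/' as switch prefixes."""
    if basename(event["Image"]) != "certutil.exe":
        return None
    args = tokenize(event["CommandLine"])[1:]
    for i, arg in enumerate(args):
        if arg.lower().lstrip("-/") in ("decode", "decodehex") and i + 2 < len(args):
            return args[i + 1], args[i + 2]
    return None


def mmc_spawned_child(event: dict) -> Optional[str]:
    """Rule 3 (beyond the post's two examples): mmc.exe as parent of a shell or LOLBin."""
    if basename(event["ParentImage"]) != "mmc.exe":
        return None
    child = basename(event["Image"])
    return child if child in SUSPICIOUS_CHILDREN else None


def hunt(events: List[dict]) -> List[Tuple[str, object]]:
    """Run all rules over a batch of events and return (rule, detail) hits."""
    hits = []
    for ev in events:
        for name, rule in (("msc_from_user_writable_path", msc_from_user_writable_path),
                           ("certutil_decode", certutil_decode),
                           ("mmc_spawned_child", mmc_spawned_child)):
            detail = rule(ev)
            if detail is not None:
                hits.append((name, detail))
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

On the sample batch the benign eventvwr.msc and certutil -hashfile events are not flagged; the three remaining hits reconstruct the chain in order: a console loaded from Temp, mmc.exe spawning cmd.exe, and certutil decoding that console file. Rule 3 is the one to keep enabled even when rules 1 and 2 are noisy in an environment, since mmc.exe has little legitimate reason to start a shell.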
Have you observed any interesting file types used by adversaries for malware delivery? Share them in the comments section!
See you tomorrow!