163. A Curious Case of Iediagcmd.exe Abuse
Hello everyone!
Reading Check Point's report on Stealth Falcon activities, I spotted an interesting way of abusing iediagcmd.exe.
The adversary uses malicious .url files whose URL parameter points to iediagcmd.exe. Normally this executable spawns additional processes to collect diagnostic data, including route.exe. The .url file also sets the working directory to an attacker-controlled WebDAV server, so iediagcmd.exe runs route.exe from \\summerartcamp[.]net@ssl@443/DavWWWRoot\OSYxaOjr\route.exe (Horus Loader) instead of the legitimate one in the system32 folder.
Of course, we can use this for detection and search for iediagcmd.exe executing files from WebDAV servers, for example:
event_type: "processcreatewin"
AND
proc_p_file_path: "iediagcmd.exe"
AND
proc_file_path: "DavWWWRoot"
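As an added illustration (not part of the original post), the same hunt expressed in Python and run over a few constructed process-creation events. Field names follow the query above; the WebDAV host is a placeholder, and the check also covers the \\host@ssl@443\ UNC form when DavWWWRoot is absent from the path.

```python
"""Flag iediagcmd.exe spawning a child image that lives on a WebDAV share."""
import re
from typing import Iterable

# WebDAV-backed paths: the DavWWWRoot mini-redirector form, or a UNC path
# whose host carries a port (\\host@443\ or \\host@ssl@443\), as HTTPS WebDAV does.
WEBDAV_RE = re.compile(r"(?i)(DavWWWRoot|^\\\\[^\\]+@(ssl@)?\d+\\)")


def is_webdav_path(path: str) -> bool:
    """True if the image path points into a WebDAV share."""
    return bool(WEBDAV_RE.search(path))


def is_suspicious(event: dict) -> bool:
    """Parent image is iediagcmd.exe and the child image is on WebDAV."""
    if event.get("event_type") != "processcreatewin":
        return False
    parent = event.get("proc_p_file_path", "").lower()
    if not parent.endswith("iediagcmd.exe"):
        return False
    return is_webdav_path(event.get("proc_file_path", ""))


def hunt(events: Iterable[dict]) -> list[dict]:
    """Return the events that match the detection logic."""
    return [e for e in events if is_suspicious(e)]


# Constructed sample telemetry (not real data); host names are placeholders.
IEDIAG = r"C:\Program Files\Internet Explorer\iediagcmd.exe"
SAMPLE_EVENTS = [
    {"event_type": "processcreatewin", "proc_p_file_path": IEDIAG,
     "proc_file_path": r"C:\Windows\System32\route.exe"},  # legitimate child
    {"event_type": "processcreatewin", "proc_p_file_path": IEDIAG,
     "proc_file_path": r"\\webdav.example@ssl@443\DavWWWRoot\OSYxaOjr\route.exe"},  # hit
    {"event_type": "processcreatewin", "proc_p_file_path": r"C:\Windows\explorer.exe",
     "proc_file_path": r"\\webdav.example@ssl@443\DavWWWRoot\notes.txt"},  # other parent
    {"event_type": "filecreate", "proc_p_file_path": IEDIAG,
     "proc_file_path": r"\\webdav.example@ssl@443\DavWWWRoot\x.exe"},  # not a process start
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("ALERT:", hit["proc_p_file_path"], "->", hit["proc_file_path"])
```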
See you tomorrow!