Discover and read the best of Twitter Threads about #installutil
Most recents (2)
Always nice when a payload has robust documentation.
This one details the exact bypasses implemented.
Version control shows 2016 @Cneelis method replaced with that @_RastaMouse new new.
ππ½ "Program.cs" #InstallUtil payload with 0 VT detections btw: virustotal.com/gui/file/9193bβ¦
This one details the exact bypasses implemented.
Version control shows 2016 @Cneelis method replaced with that @_RastaMouse new new.
ππ½ "Program.cs" #InstallUtil payload with 0 VT detections btw: virustotal.com/gui/file/9193bβ¦
@Cneelis @_RastaMouse Uploaded 4 hours ago. (π)
0/60 static detections is *sorta* expected - it'd be interesting to see how security tech performs when this is loaded by #InstallUtil - should be caught then.
Anyway, great payload comments! [more pictured]
0/60 static detections is *sorta* expected - it'd be interesting to see how security tech performs when this is loaded by #InstallUtil - should be caught then.
Anyway, great payload comments! [more pictured]
The #InstallUtil payload is contained within a parent archive βPSByPassCLM-master.zipβ
#DFIR tip: look out for β-masterβ in your file names & PDB paths. Youβre often one last hop away from Githubtribution π
πThis one belonged @padovah4ck 2018 project: github.com/padovah4ck/PSBβ¦
#DFIR tip: look out for β-masterβ in your file names & PDB paths. Youβre often one last hop away from Githubtribution π
πThis one belonged @padovah4ck 2018 project: github.com/padovah4ck/PSBβ¦
#InstallUtil payloads are still very popular for code execution and app whitelisting bypass.
Here's a fresh sample with a #GRUNT payload: "compliancesignature.cs"
MD5: f55c0c165f30df6d92fbb50bf7688dc5
virustotal.com/gui/file/1db94β¦
0/59 static detections.
So I'll share some rules!
ππ
Here's a fresh sample with a #GRUNT payload: "compliancesignature.cs"
MD5: f55c0c165f30df6d92fbb50bf7688dc5
virustotal.com/gui/file/1db94β¦
0/59 static detections.
So I'll share some rules!
ππ
Identify suspicious #InstallUtil code execution payloads with a syntax-based #Yara rule (gist.github.com/itsreallynick/β¦) from this thread () on a *pretty damn similar* sample π§
Also look closely at both samples' embedded PE information (Original/InternalName) π
Also look closely at both samples' embedded PE information (Original/InternalName) π
