Friday, February 19, 2021

AV/EDR - Fun Shenanigans

Working with a vendor to find out why my customized rules are firing on an RDP script that someone I know uses. Word.exe was considered the parent process, even though I was fairly sure it wasn't. Usually this person accesses this specific script via a shortcut on their Desktop so that they don't have to navigate through a maze of a directory structure every time they want to launch it. So I started experimenting with a Word document to see if I could reproduce the error.

I put a link to a shortcut in the document. I didn't get an alert. Then I tried putting a link in the Word document directly to the script. I got an alert. So the adversary brain in me thought: if I put in a macro that launches a shortcut, which then launches wscript.exe, maybe the AV/EDR won't detect and alert on this. Sure enough, this vendor didn't.

Most vendors will look for Word.exe as the parent process of wscript.exe when the script launches. They aren't looking for a middle man, so to speak, which in this case is a shortcut link. The vendor has been notified, so I hope to see a fix soon. Using shortcuts in an attack isn't exactly new, it's been done before, but it's just kind of a fun bypass I didn't expect.
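The gap described above is a parent-only check: the rule fires when the script host's immediate parent is an Office process, and an intermediary breaks the match. The detection logic below is an added example, not from the original post or any vendor product. It runs two rules side by side over constructed process-creation records (shape loosely modelled on Sysmon Event ID 1; the field names, pids and paths are mine): the parent-only rule the post says vendors use, and an ancestry walk that looks for an Office process at any depth above a script host. The intermediary in the sample chain is cmd.exe as the shortcut's target; the post does not say what process actually sat between Word and wscript.exe in the author's test, so that detail is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Image names as they appear in process-creation telemetry (Word's binary is winword.exe).
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (shape modelled on Sysmon Event ID 1; field names are mine)."""
    pid: int
    ppid: int
    image: str       # base file name, e.g. "wscript.exe"
    cmdline: str


# Constructed sample telemetry, not captured data. 4200/4300 model the post's bypass:
# a macro opens a shortcut whose target is cmd.exe (an assumption), and cmd.exe starts
# the script host, so winword.exe is the grandparent of wscript.exe rather than its parent.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(4000, 800,  "explorer.exe", "C:\\Windows\\explorer.exe"),
    ProcEvent(4100, 4000, "winword.exe",  '"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" C:\\Users\\u\\invoice.docm'),
    # Bypass chain: macro -> shortcut target (cmd.exe) -> wscript.exe
    ProcEvent(4200, 4100, "cmd.exe",      'cmd.exe /c wscript.exe "C:\\scripts\\rdp\\launch.vbs"'),
    ProcEvent(4300, 4200, "wscript.exe",  'wscript.exe "C:\\scripts\\rdp\\launch.vbs"'),
    # Direct chain: macro -> wscript.exe (what a parent-only rule catches)
    ProcEvent(4400, 4100, "wscript.exe",  'wscript.exe "C:\\scripts\\rdp\\launch.vbs"'),
    # Benign: the user double-clicks the Desktop shortcut, so the parent is explorer.exe
    ProcEvent(4500, 4000, "wscript.exe",  'wscript.exe "C:\\scripts\\rdp\\launch.vbs"'),
]


def index_by_pid(events: List[ProcEvent]) -> Dict[int, ProcEvent]:
    return {e.pid: e for e in events}


def ancestors(procs: Dict[int, ProcEvent], pid: int, max_depth: int = 16) -> List[ProcEvent]:
    """Walk parent links upward from pid (excluding pid itself). The depth cap and the
    seen-set guard against missing or cyclic parent links in real telemetry."""
    chain: List[ProcEvent] = []
    seen = {pid}
    cur = procs.get(pid)
    while cur is not None and len(chain) < max_depth:
        parent = procs.get(cur.ppid)
        if parent is None or parent.pid in seen:
            break
        seen.add(parent.pid)
        chain.append(parent)
        cur = parent
    return chain


def parent_only_rule(procs: Dict[int, ProcEvent], ev: ProcEvent) -> bool:
    """The rule the post describes: an Office image is the direct parent of a script host."""
    parent = procs.get(ev.ppid)
    return (ev.image.lower() in SCRIPT_HOSTS
            and parent is not None
            and parent.image.lower() in OFFICE_IMAGES)


def ancestry_rule(procs: Dict[int, ProcEvent], ev: ProcEvent) -> Optional[int]:
    """Return the depth (1 = parent, 2 = grandparent, ...) of the nearest Office ancestor of
    a script host, or None. Any intermediary, shortcut target or otherwise, is walked through."""
    if ev.image.lower() not in SCRIPT_HOSTS:
        return None
    for depth, anc in enumerate(ancestors(procs, ev.pid), start=1):
        if anc.image.lower() in OFFICE_IMAGES:
            return depth
    return None


def evaluate(events: List[ProcEvent]) -> Dict[int, Tuple[bool, Optional[int]]]:
    """For every script-host start: (parent-only rule fired, Office ancestor depth or None)."""
    procs = index_by_pid(events)
    return {
        ev.pid: (parent_only_rule(procs, ev), ancestry_rule(procs, ev))
        for ev in events
        if ev.image.lower() in SCRIPT_HOSTS
    }


if __name__ == "__main__":
    for pid, (parent_hit, depth) in evaluate(SAMPLE_EVENTS).items():
        print(f"pid {pid}: parent-only rule={parent_hit}, office ancestor depth={depth}")
```

On the sample data the parent-only rule fires for pid 4400 only; the ancestry walk also flags pid 4300 (Office ancestor at depth 2) and still leaves the Desktop-shortcut launch (pid 4500, parent explorer.exe) alone. Two caveats for real telemetry: key the tree on a process GUID rather than a raw pid, since pids are reused, and remember that an ancestry walk only helps when the intermediary is an ordinary child process. Launch paths that re-parent the target (scheduled tasks, WMI, COM) need separate correlation, for example on the document's own file writes.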