Working with a vendor to find out why my customized rules are firing on an RDP script that someone I know uses. Word.exe was reported as the parent process even though I was fairly sure it wasn't. Usually this person launches this specific script via a shortcut on their Desktop so that they don't have to navigate through a maze of a directory structure every time. So I started experimenting with a Word document to see if I could reproduce the alert. I put a link to a shortcut in the document and didn't get an alert. Then I tried putting a link in the Word document directly to the script, and I got an alert. So then the adversary brain in me thought: if I put in a macro that launches a shortcut, which then launches wscript.exe, then maybe the AV/EDR won't detect and alert on it. Sure enough, this vendor didn't. Most vendors look for a parent process of Word.exe when Wscript.exe launches. They aren't looking for a middle man, so to speak; in this case a shortcut link. The vendor has been notified, so I hope to see a fix soon. Using shortcuts in an attack isn't exactly new (it's been done before), but it's a kind of fun bypass I didn't expect.
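The detection gap described above is that the rule keys on the immediate parent of the script host rather than on its ancestry. The following is an added example, not code from the original post or from the vendor involved, showing the difference over a handful of constructed process-creation events. It assumes Sysmon-style telemetry where each process carries a unique process GUID and a parent GUID (pids get reused, so a pid/ppid walk is unreliable), and it uses cmd.exe as a constructed stand-in for whatever process sits between Word and wscript.exe when the shortcut is launched. Image names (winword.exe, wscript.exe, cscript.exe) are the real binaries; everything else is sample data.

```python
"""Process-ancestry detection for Office -> script-host launches.

Constructed example. It contrasts a rule that checks only the immediate
parent (misses winword.exe -> <intermediate> -> wscript.exe) with a rule
that walks the process tree up to a bounded depth.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
MAX_DEPTH = 6  # bound the walk so a huge or malformed tree cannot stall the rule


@dataclass(frozen=True)
class ProcEvent:
    guid: str                    # unique per process (e.g. Sysmon ProcessGuid)
    parent_guid: Optional[str]   # None when the parent was not observed
    image: str                   # full image path as logged


def image_name(path: str) -> str:
    """Normalise a logged image path to a lowercase file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def build_index(events: List[ProcEvent]) -> Dict[str, ProcEvent]:
    return {ev.guid: ev for ev in events}


def immediate_parent_rule(events: List[ProcEvent],
                          index: Dict[str, ProcEvent]) -> List[str]:
    """The weak rule: Office must be the direct parent of the script host."""
    hits = []
    for ev in events:
        if image_name(ev.image) not in SCRIPT_HOSTS:
            continue
        parent = index.get(ev.parent_guid)
        if parent is not None and image_name(parent.image) in OFFICE_IMAGES:
            hits.append(ev.guid)
    return hits


def ancestry_chain(ev: ProcEvent, index: Dict[str, ProcEvent],
                   max_depth: int = MAX_DEPTH) -> List[str]:
    """Image names from the process itself up through its ancestors."""
    chain = [image_name(ev.image)]
    cur: Optional[ProcEvent] = ev
    for _ in range(max_depth):
        cur = index.get(cur.parent_guid) if cur.parent_guid else None
        if cur is None:
            break  # root of the observed tree, or parent not in telemetry
        chain.append(image_name(cur.image))
    return chain


def ancestry_rule(events: List[ProcEvent],
                  index: Dict[str, ProcEvent]) -> Dict[str, List[str]]:
    """The stronger rule: any Office ancestor within MAX_DEPTH triggers.

    Returns {script-host guid: ancestry chain} so the alert carries the
    full path, including any intermediate process the shortcut went through.
    """
    findings = {}
    for ev in events:
        if image_name(ev.image) not in SCRIPT_HOSTS:
            continue
        chain = ancestry_chain(ev, index)
        if any(img in OFFICE_IMAGES for img in chain[1:]):
            findings[ev.guid] = chain
    return findings


# Constructed sample telemetry (GUIDs and paths are made up).
SAMPLE_EVENTS = [
    ProcEvent("p-explorer", None, r"C:\Windows\explorer.exe"),
    ProcEvent("p-word", "p-explorer", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    # Word launching the script host directly: both rules catch this.
    ProcEvent("p-direct", "p-word", r"C:\Windows\System32\wscript.exe"),
    # Word -> shortcut -> intermediate -> script host: only the ancestry rule catches this.
    ProcEvent("p-lnk-target", "p-word", r"C:\Windows\System32\cmd.exe"),
    ProcEvent("p-via-lnk", "p-lnk-target", r"C:\Windows\System32\wscript.exe"),
    # The user's normal Desktop shortcut launch: neither rule should fire.
    ProcEvent("p-benign", "p-explorer", r"C:\Windows\System32\wscript.exe"),
]


def run_sample():
    index = build_index(SAMPLE_EVENTS)
    return immediate_parent_rule(SAMPLE_EVENTS, index), ancestry_rule(SAMPLE_EVENTS, index)


if __name__ == "__main__":
    weak, strong = run_sample()
    print("immediate-parent rule hits:", weak)
    for guid, chain in strong.items():
        print("ancestry rule hit:", guid, " <- ".join(chain))
```

Two caveats carry over to real telemetry: the parent of an intermediate process may have exited before the script host starts, so the walk must tolerate a missing parent rather than fail closed, and a depth bound keeps a noisy tree (or a deliberately deep chain) from turning the rule into a full tree scan. The chain returned by `ancestry_rule` is worth keeping in the alert, since it is exactly the middle man the immediate-parent rule never saw.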