OK, best payload initiation vectors. Eg. DOC Macro, Excel Macro, HTA, VBS, JS, SLK, What else...?
Replying to @vysecurity
Wasn't there a flaw where the contents of a VHD file downloaded from the Internet didn't receive the Mark of the Web?
Replying to @lacaulac @vysecurity
Royce Williams Retweeted Will Dormann
Royce Williams added,
Replying to @TychoTithonus @vysecurity
Indeed. So go ahead and put a DOC Macro, Excel Macro, HTA, VBS, JS, SLK inside of a VHD(X) file to avoid both scanning on the wire, and also any protections gained via MoTW, such as SmartScreen, Microsoft Office Protected View, etc.
Replying to @wdormann @vysecurity
I wonder what the (rough) size of the smallest viable payload-ready VHD(X) is.
Replying to @TychoTithonus @vysecurity
When I was playing around with EICAR in a VHD, I tested with as small as 1MB in size. Maybe with trickery they could be made even smaller. But I suspect that in many cases the VHD can be not too much larger than the payload itself.
For example: https://www.virustotal.com/gui/file/20783d8bd6c923132066d3050f6a3b21bb55265099956699d2233ee838e82d91 …
Replying to @wdormann @vysecurity
(Hey, one engine actually detects it now!)
I blame looking at raw byte patterns within the VHD file, rather than logically parsing the VHD filesystem for its contents.
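A defender-side triage helper for the thread above, added here and not code from any of the participants: it recognizes VHD and VHDX containers by structure (the "conectix" footer cookie and its checksum, or the "vhdxfile" header) rather than by file extension, which is the first step toward the "logically parse the VHD" scanning approach Will Dormann argues for. The footer field layout and checksum rule follow the published VHD footer format; the 1 MB sample image is constructed in the script.

```python
import struct
from typing import Optional

# VHD footer (512 bytes, big-endian) as documented in the VHD format spec.
VHD_FOOTER_FMT = ">8sIIQI4sIIQQIII16sB427s"
DISK_TYPES = {0: "none", 2: "fixed", 3: "dynamic", 4: "differencing"}

def vhd_footer_checksum(footer: bytes) -> int:
    """One's complement of the byte sum, with the checksum field (64..68) zeroed."""
    total = sum(footer[:64]) + sum(footer[68:])
    return (~total) & 0xFFFFFFFF

def parse_vhd_footer(data: bytes) -> Optional[dict]:
    """Return key footer fields if data ends with a VHD footer, else None."""
    if len(data) < 512:
        return None
    footer = data[-512:]
    fields = struct.unpack(VHD_FOOTER_FMT, footer)
    if fields[0] != b"conectix":
        return None
    return {
        "disk_type": DISK_TYPES.get(fields[11], "unknown"),
        "current_size": fields[9],
        "creator_app": fields[5],
        "checksum_ok": fields[12] == vhd_footer_checksum(footer),
    }

def classify_disk_image(data: bytes) -> str:
    """Identify disk-image containers by magic, ignoring the file extension."""
    if data[:8] == b"vhdxfile":
        return "vhdx"
    if parse_vhd_footer(data) is not None:
        return "vhd"
    return "other"

def build_sample_vhd(size_mb: int = 1) -> bytes:
    """Constructed sample: a zero-filled fixed VHD with a valid footer."""
    size = size_mb * 1024 * 1024
    # features=2 (reserved bit), version 1.0, data offset all-ones (fixed disk),
    # creator app "py  ", creator OS "Wi2k", disk type 2 (fixed), checksum 0.
    footer = struct.pack(VHD_FOOTER_FMT, b"conectix", 2, 0x00010000,
                         0xFFFFFFFFFFFFFFFF, 0, b"py  ", 0x00010000, 0x5769326B,
                         size, size, 0, 2, 0, b"\x00" * 16, 0, b"\x00" * 427)
    checksum = struct.pack(">I", vhd_footer_checksum(footer))
    return b"\x00" * size + footer[:64] + checksum + footer[68:]

if __name__ == "__main__":
    img = build_sample_vhd(1)
    print(classify_disk_image(img), parse_vhd_footer(img))
```

A mail gateway or EDR rule built on classify_disk_image() flags the container itself, independent of whatever name or extension the sender chose, so the contents can then be mounted and scanned instead of pattern-matched as raw bytes.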