OK, best payload initiation vectors. Eg. DOC Macro, Excel Macro, HTA, VBS, JS, SLK, What else...?
Replying to @vysecurity
Wasn't there a flaw where the contents of a VHD file downloaded from the Internet didn't receive the Mark of the Web?
Replying to @lacaulac @vysecurity
Royce Williams Retweeted Will Dormann
Replying to @TychoTithonus @vysecurity
Indeed. So go ahead and put a DOC Macro, Excel Macro, HTA, VBS, JS, SLK inside of a VHD(X) file to avoid both scanning on the wire, and also any protections gained via MoTW, such as SmartScreen, Microsoft Office Protected View, etc.
Replying to @wdormann @vysecurity
I wonder what the (rough) size of the smallest viable payload-ready VHD(X) is.
Replying to @TychoTithonus @vysecurity
When I was playing around with EICAR in a VHD, I tested with as small as 1MB in size. Maybe with trickery they could be made even smaller. But I suspect that in many cases the VHD can be not too much larger than the payload itself.
Replying to @wdormann @vysecurity
Ah, I see - just as a raw container, not as a self-contained OS instance. Interesting. So an additional component would tap the payload from within the image, and/or user prompts to do so. Iiiiinteresting.
Starting with Windows 8, a VHD or VHDX file can be double-clicked and opened in Explorer as if it were a ZIP container. At this point, you're relying on the user to not do something unwise. Without any of the MoTW-based protections.
FWIW, I wrote about this a couple months ago: https://insights.sei.cmu.edu/cert/2019/09/the-dangers-of-vhd-and-vhdx-files.html
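A defender-side way to see the gap Will describes on your own machine, as an added example that is not part of the thread or of Will's writeup: it reads the Zone.Identifier stream on a downloaded container, mounts the image read-only the way Explorer does, and reports which files inside carry Mark of the Web. It assumes a downloaded image at a placeholder path, Windows PowerShell 3 or later, and the Storage module that ships with Windows 8 and later.

```powershell
# Added example, not from the thread: compare Mark-of-the-Web (the Zone.Identifier
# alternate data stream) on a downloaded VHD/VHDX container with the files that
# Windows exposes once the container is mounted. Assumes a downloaded image at a
# placeholder path and the Storage module shipped with Windows 8 and later.
param([string]$ImagePath = "$env:USERPROFILE\Downloads\sample.vhdx")  # placeholder

function Get-ZoneId {
    param([string]$Path)
    # MoTW is stored as "[ZoneTransfer]`r`nZoneId=3" in the Zone.Identifier stream.
    # Get-Item -Stream returns nothing when the stream is absent, i.e. no MoTW.
    $stream = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    $text = Get-Content -LiteralPath $Path -Stream Zone.Identifier -Raw
    if ($text -match 'ZoneId=(\d+)') { return [int]$Matches[1] }
    return $null
}

function Format-Zone([object]$ZoneId) {
    if ($null -eq $ZoneId) { 'no MoTW' } else { "ZoneId=$ZoneId" }
}

# 1. The container itself normally carries MoTW when a browser saved it (ZoneId=3).
"Container {0}: {1}" -f $ImagePath, (Format-Zone (Get-ZoneId $ImagePath))

# 2. Mount read-only, as Explorer does on double-click, and find its lettered volumes.
Mount-DiskImage -ImagePath $ImagePath -Access ReadOnly | Out-Null
try {
    $volumes = Get-DiskImage -ImagePath $ImagePath | Get-Disk | Get-Partition | Get-Volume |
        Where-Object { [int]$_.DriveLetter -ne 0 }   # [int]$null is 0: no letter assigned
    foreach ($vol in $volumes) {
        $root = "$($vol.DriveLetter):\"
        # 3. Files inside were never "downloaded" as far as Windows is concerned,
        #    so they carry no MoTW and SmartScreen / Protected View have nothing to act on.
        Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                "  {0}: {1}" -f $_.FullName, (Format-Zone (Get-ZoneId $_.FullName))
            }
    }
}
finally {
    # Always unmount, even if enumeration failed.
    Dismount-DiskImage -ImagePath $ImagePath | Out-Null
}
```

The same Zone.Identifier check is what SmartScreen and Office Protected View key on, so a file reported as "no MoTW" here is one those controls will not gate.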
Replying to @wdormann @vysecurity
Oh yes, I've been forwarding that around liberally and waving my hands in front of whiteboards. Great writeup, thanks for doing it!