SECUINFRA FALCON TEAM

@SI_FalconTeam

5 tweets, 3 reads, May 21, 2023
Proof of Concept: #Malware Delivery via #appx/#msix packages.
In our test case we needed administrative permissions to install the package with putty.exe as our test payload.
Thread ⬇️
1/4 🧵
We did test it first with a #Wannacry #Ransomware binary, but Windows Defender caught the payload and that didn't look so nice on a screenshot 😅
2/4 🧵
Our .appx demo package is based on an in-the-wild sample of #Magniber #Ransomware that was signed with a stolen signature (Jan 2022). With this change in Windows 11 it is now possible to install unsigned appx packages (given required perms).
3/4 🧵
Detection opportunities:
- Execution out of C:\Program Files\WindowsApps\
- Looking for the special OID documented by Microsoft here: learn.microsoft.com
We are going to publish our #Yara rules for this tomorrow, stay tuned.
4/4 🧵
