This week, we are releasing 2 TTPs:
At a high level, some of GootLoader's capabilities are:
This TTP was designed to emulate GootLoader's execution and persistence capabilities. Microsoft Defender may flag some of these actions as TrojanDownloader:PowerShell/GootKit.S!ams. Run "Are GootLoader malware procedures mitigated on this host?" in Operator on each host in your environment to test if you are vulnerable.
This TTP will download a zip file and save it to $env:localappdata. This zip file will contain a JScript file which will create two registry keys, HKCU:\SOFTWARE\Microsoft\Phone\%Username% and HKCU:\SOFTWARE\Microsoft\Phone\%Username%0. These two registry keys will contain junk byte data to emulate the encoded payloads GootLoader saves in these registry locations. Expand-Archive will unzip the zip file, and wscript.exe is utilized to execute the JScript file to create these two registry keys. The exact PowerShell commands that GootLoader uses to load the malicious DLL reflectively and to create the scheduled task are then executed. The command to reflectively load the DLL will fail since the data saved in the registry keys is not the actual encoded malicious DLL. The TTP will perform a conditional check to verify that the two registry keys and the scheduled task were created. Lastly, the TTP will delete all created artifacts.
Changing the default handler for JScript files to notepad.exe instead of wscript.exe will prevent immediate execution if a victim double-clicks the malicious JScript file. Ensuring your current protections log suspicious wscript.exe and PowerShell.exe processes, along with scheduled task and registry key creation, can help identify these malicious actions.
At a high level, some of AZOrult's capabilities are:
- mshta and execute it via PowerShell.
- schtasks is used to download an encoded DLL and load it via PowerShell.
- PowerShell modifies registry keys to disable Windows Defender.
This TTP was designed to emulate AZOrult's persistence and defense-evasion capabilities. Microsoft Defender may flag some of these actions as Trojan:Win32/BatTamper.A. Run "Are AZOrult malware procedures mitigated on this host?" as an Administrator in Operator on each host in your environment to test if you are vulnerable.
This TTP will download a VBS script and save it to $env:TEMP. The script configures a Run key that launches mshta. Next, the TTP uses schtasks to create a scheduled task for persistence. Finally, the TTP downloads from Operator a VBS script used by AZOrult that contains PowerShell commands to disable various Windows Defender protections via registry key modifications.
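The two write-ups above point at the same telemetry a defender should be collecting: script hosts (wscript.exe, mshta) handing off to PowerShell, writes under HKCU\SOFTWARE\Microsoft\Phone (GootLoader staging), scheduled task creation, Run keys that launch mshta, and registry changes that switch Windows Defender off. The following detection rules are an added example written for this post; they are not code from the original article or from Prelude Operator. The events are constructed to look like Sysmon (Event ID 1 process creation, Event ID 13 registry value set) and Windows Security (Event ID 4698 scheduled task created) records after normalisation into dicts; the field names, the constructed paths and SID, and the placeholder PowerShell command line are all assumptions. The Windows Defender policy value names are real; the events that set them are constructed.

```python
import re

# Added example for this post, not code from the original article or Prelude Operator.
# Field names (image, parent_image, target_object, details, task_content) are an assumed
# normalisation of Sysmon EID 1 / EID 13 and Security EID 4698 records.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
INTERPRETERS = SCRIPT_HOSTS | POWERSHELL
# Real Windows Defender policy value names; a DWORD of 1 switches the protection off.
DEFENDER_TAMPER_VALUES = {
    "disableantispyware", "disablerealtimemonitoring", "disablebehaviormonitoring",
    "disableioavprotection", "disableonaccessprotection",
}
DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")
TASK_COMMAND_RE = re.compile(r"<Command>([^<]+)</Command>", re.IGNORECASE)

SID = r"HKU\S-1-5-21-1000-2000-3000-1001"  # constructed user hive prefix
WSCRIPT = r"C:\Windows\System32\wscript.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS = [  # constructed, roughly in the order the two TTPs would produce them
    {"id": 1, "image": WSCRIPT, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\invoice_42.js"'},
    {"id": 13, "image": WSCRIPT, "target_object": SID + r"\SOFTWARE\Microsoft\Phone\alice\0", "details": "Binary Data"},
    {"id": 13, "image": WSCRIPT, "target_object": SID + r"\SOFTWARE\Microsoft\Phone\alice0\0", "details": "Binary Data"},
    {"id": 1, "image": PS, "parent_image": WSCRIPT, "command_line": "powershell.exe <loader command placeholder>"},
    {"id": 4698, "task_name": r"\Updater",
     "task_content": "<Task><Actions><Exec><Command>powershell.exe</Command></Exec></Actions></Task>"},
    {"id": 13, "image": PS, "target_object": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate",
     "details": r"mshta.exe C:\Users\alice\AppData\Local\Temp\svc.hta"},
    {"id": 13, "image": PS, "details": "DWORD (0x00000001)",
     "target_object": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"},
    # benign noise that must not fire
    {"id": 13, "image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "target_object": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe", "parent_image": r"C:\Windows\explorer.exe", "command_line": "notepad.exe"},
    {"id": 13, "image": r"C:\Windows\System32\svchost.exe", "details": "DWORD (0x00000000)",
     "target_object": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"},
]

def basename(path):
    """Last path component, lower-cased, so image checks are case-insensitive."""
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()

def first_token(command):
    """Executable portion of a command line, honouring a leading quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(None, 1)[0] if command else ""

def dword_value(details):
    """Parse Sysmon's 'DWORD (0x00000001)' Details text; None when not a DWORD."""
    m = DWORD_RE.match(details)
    return int(m.group(1), 16) if m else None

def script_host_spawns_powershell(ev):
    """EID 1: wscript/cscript/mshta handing off to PowerShell (both families do this)."""
    return (ev["id"] == 1 and basename(ev["parent_image"]) in SCRIPT_HOSTS
            and basename(ev["image"]) in POWERSHELL)

def phone_key_write_by_interpreter(ev):
    """EID 13: a script host or PowerShell writing under HKCU SOFTWARE/Microsoft/Phone (GootLoader staging)."""
    return (ev["id"] == 13 and "\\software\\microsoft\\phone\\" in ev["target_object"].lower()
            and basename(ev["image"]) in INTERPRETERS)

def task_runs_interpreter(ev):
    """EID 4698: the registered task's <Command> is a script host or PowerShell."""
    if ev["id"] != 4698:
        return False
    m = TASK_COMMAND_RE.search(ev["task_content"])
    return m is not None and basename(first_token(m.group(1))) in INTERPRETERS

def run_key_launches_interpreter(ev):
    """EID 13: a Run value whose command starts with mshta or another interpreter (AZOrult persistence)."""
    return (ev["id"] == 13 and "\\currentversion\\run\\" in ev["target_object"].lower()
            and basename(first_token(ev["details"])) in INTERPRETERS)

def defender_policy_tamper(ev):
    """EID 13: a Defender policy Disable* value set to 1 (AZOrult defence evasion)."""
    if ev["id"] != 13:
        return False
    target = ev["target_object"].lower()
    return ("\\policies\\microsoft\\windows defender\\" in target
            and target.rsplit("\\", 1)[-1] in DEFENDER_TAMPER_VALUES
            and dword_value(ev["details"]) == 1)

RULES = [script_host_spawns_powershell, phone_key_write_by_interpreter, task_runs_interpreter,
         run_key_launches_interpreter, defender_policy_tamper]

def evaluate(events):
    """Return (rule_name, event_index) for every rule that matches an event."""
    return [(rule.__name__, i) for i, ev in enumerate(events) for rule in RULES if rule(ev)]

if __name__ == "__main__":
    for name, i in evaluate(SAMPLE_EVENTS):
        print(f"event {i}: {name}")
```

Run against the constructed events, the rules fire on events 1 through 6 and stay quiet on the explorer-launched wscript, the OneDrive Run value, notepad, and the policy value being reset to 0. Each rule keys on the parent/child or process/registry relationship rather than on a filename or task name, which is what survives the trivial renames an emulation TTP (or the real malware) can apply; the same checks map directly onto Sysmon and Security log queries if you want to turn them into SIEM rules.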
Check out the TTP Are AZOrult malware procedures mitigated on this host?.
Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:
Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org
See our open-source repositories: https://github.com/preludeorg
Discord: https://discord.gg/gzUv4XNquu
Reddit: https://www.reddit.com/r/preludeorg/
Twitter: https://twitter.com/preludeorg
Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg
David: https://twitter.com/privateducky
Alex: https://twitter.com/khyberspache
Kris: https://twitter.com/Xanthonus
Octavia: https://twitter.com/VVX7