This week, we are releasing two TTPs:
"Are GootLoader malware procedures mitigated on this host?"
"Are AZOrult malware procedures mitigated on this host?"
At a high level, some of GootLoader's capabilities are:
This TTP was designed to emulate GootLoader's execution and persistence capabilities. Microsoft Defender may flag some of these actions. Run "Are GootLoader malware procedures mitigated on this host?" in Operator on each host in your environment to test whether you are vulnerable.
This TTP will download a zip file and save it to $env:localappdata. This zip file contains a JScript file which creates two registry keys at HKCU:\SOFTWARE\Microsoft\Phone\%Username%0. These two registry keys contain junk byte data to emulate the encoded payloads GootLoader saves in these registry locations. Expand-Archive unzips the zip file, and wscript.exe is used to execute the JScript file that creates these two registry keys. The exact PowerShell commands that GootLoader uses to reflectively load the malicious DLL and to create the scheduled task are then executed. The command to reflectively load the DLL will fail, since the data saved in the registry keys is not the actual encoded malicious DLL. The TTP then performs a conditional check to verify that the two registry keys and the scheduled task were created. Lastly, the TTP deletes all created artifacts.
Preventing JScript files from opening in wscript.exe by default is a useful mitigation, as this will prevent immediate execution if a victim double-clicks the malicious JScript file. Ensuring your current protections log suspicious PowerShell.exe processes, along with registry key creation, can help identify these malicious actions.
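As an added example (not Prelude's TTP code or GootLoader's), a defender-side PowerShell check for the artifacts this TTP leaves behind: the registry store under HKCU:\SOFTWARE\Microsoft\Phone\<username>0 and a scheduled task that launches a script host or PowerShell. The data-size threshold, the task action pattern and the path heuristics are assumptions, since the post does not state them.

```powershell
# Added example: hunt for GootLoader-style persistence artifacts on the local host.
# Assumptions (not from the post): the blob-size threshold, and that the scheduled
# task action points at a script host or PowerShell in a user-writable path.

$findings = @()

# 1. Registry store: encoded payload chunks are kept as values under
#    HKCU:\SOFTWARE\Microsoft\Phone\<username>0 (path from the TTP description).
$phoneKey = "HKCU:\SOFTWARE\Microsoft\Phone\$($env:USERNAME)0"
if (Test-Path $phoneKey) {
    $item = Get-Item $phoneKey
    $totalBytes = 0
    foreach ($name in $item.GetValueNames()) {
        $value = $item.GetValue($name)
        if ($value -is [string]) { $totalBytes += $value.Length }
        elseif ($value -is [byte[]]) { $totalBytes += $value.Length }
    }
    # Assumed threshold: a Phone key should not hold kilobytes of opaque data.
    if ($totalBytes -gt 4096) {
        $findings += [pscustomobject]@{
            Type   = 'Registry'
            Where  = $phoneKey
            Detail = "$($item.ValueCount) values, $totalBytes bytes of data"
        }
    }
}

# 2. Scheduled tasks: flag any task whose action launches a script host or
#    PowerShell from a user-writable location (assumed pattern for the task).
$scriptHosts = 'wscript.exe', 'cscript.exe', 'mshta.exe', 'powershell.exe'
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        $usesHost = $scriptHosts | Where-Object { $cmd -match [regex]::Escape($_) }
        $userPath = $cmd -match 'AppData|\\Temp\\|\\Users\\'
        if ($usesHost -and $userPath) {
            $findings += [pscustomobject]@{
                Type   = 'ScheduledTask'
                Where  = "$($task.TaskPath)$($task.TaskName)"
                Detail = $cmd
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No GootLoader-style artifacts found.' }
```

Run it in the context of the user whose profile you are checking, since the Phone key lives under HKCU.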
At a high level, some of AZOrult's capabilities are:
mshta and execute it via
schtasks is used to download an encoded DLL and load it via
PowerShell modifies registry keys to disable Windows Defender.
This TTP was designed to emulate AZOrult's persistence and defense-evasion capabilities. Microsoft Defender may flag some of these actions. Run "Are AZOrult malware procedures mitigated on this host?" as an Administrator in Operator on each host in your environment to test whether you are vulnerable.
This TTP will download a VBS script and save it to $env:TEMP. The script configures a Run key that launches mshta. Next, the TTP uses schtasks to create a scheduled task for persistence. Finally, the TTP executes a VBS script used by AZOrult to disable Windows Defender via registry key modifications. This VBS script is downloaded from Operator and contains PowerShell commands to disable various Windows Defender protections.
Check out the TTP "Are AZOrult malware procedures mitigated on this host?".
Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:
Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org
See our open-source repositories: https://github.com/preludeorg
Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg