SECUINFRA FALCON TEAM

@SI_FalconTeam

5 Tweets 3 reads May 21, 2023
Proof of Concept: #Malware Delivery via #appx/#msix packages.
In our test case we needed administrative permissions to install the package with putty.exe as our test payload.
Thread ⬇️
1/4 🧵
We did test it first with a #Wannacry #Ransomware binary, but Windows Defender caught the payload and that didn't look so nice on a screenshot 😅
2/4 🧵
Our .appx demo package is based off of an in-the-wild sample of #Magniber #Ransomware that was signed with a stolen signature (Jan 2022). With this change in Windows 11 it is now possible to install unsigned appx packages (given required perms).
3/4 🧵
Detection opportunities:
- Execution out of C:\Program Files\WindowsApps\
- Looking for the special OID documented by Microsoft here: learn.microsoft.com
We are going to publish our #Yara rules for this tomorrow, stay tuned.
4/4 🧵
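The first detection opportunity above, worked as an added example (our own code, not the Falcon Team's Yara rules): a Python triage pass over constructed Sysmon-style process-creation records that flags images running out of C:\Program Files\WindowsApps\ and enriches each hit with the publisher ID parsed from the package folder name, so hits from known Store publishers can be triaged apart from unknown ones. The event records are constructed; the KNOWN_PUBLISHER_IDS allowlist is an assumption you would populate from your own environment.

```python
# Directory from which Microsoft Store / MSIX / appx packages execute.
WINDOWSAPPS = r"C:\Program Files\WindowsApps"

# Assumption: publisher IDs (the suffix after "__" in a package folder name)
# that your environment treats as expected. 8wekyb3d8bbwe is Microsoft's.
KNOWN_PUBLISHER_IDS = {"8wekyb3d8bbwe"}

# Constructed Sysmon-style events (EventID 1 = process creation). Not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "User": "NT AUTHORITY\\SYSTEM"},
    {"EventID": 1,
     "Image": r"C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_11.2210.0.0_x64__8wekyb3d8bbwe\CalculatorApp.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "User": "CORP\\alice"},
    {"EventID": 1,
     "Image": r"c:\program files\windowsapps\Contoso.Demo_1.0.0.0_x64__abcdef\putty.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": "CORP\\alice"},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe", "DestinationIp": "10.0.0.1"},
]


def windowsapps_package(image: str):
    """Return (package_folder, exe_name) if image lives under WindowsApps, else None.

    Path comparison is case-insensitive because NTFS is; forward slashes are normalised.
    """
    norm = image.replace("/", "\\")
    prefix = WINDOWSAPPS.lower() + "\\"
    if not norm.lower().startswith(prefix):
        return None
    parts = norm[len(prefix):].split("\\")
    if len(parts) < 2:          # an exe directly in WindowsApps has no package folder
        return None
    return parts[0], parts[-1]


def publisher_id(package_folder: str) -> str:
    """Package folders are Name_Version_Arch__PublisherId; return the PublisherId part."""
    _, sep, pid = package_folder.rpartition("__")
    return pid if sep else ""


def triage(events):
    """Flag process creations out of WindowsApps, enriched for analyst triage.

    Legitimate Store apps also run from here, so treat this as a hunting filter
    and pivot on publisher ID, parent image and user rather than alerting on it alone.
    """
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        found = windowsapps_package(ev["Image"])
        if found is None:
            continue
        pkg, exe = found
        pid = publisher_id(pkg)
        hits.append({"exe": exe, "package": pkg, "publisher_id": pid,
                     "known_publisher": pid in KNOWN_PUBLISHER_IDS,
                     "parent": ev.get("ParentImage", ""), "user": ev.get("User", "")})
    return hits
```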
