SAFE Powershell bypass

PowerShell: Malware uses it without powershell.exe

Windows PowerShell (PS) is a task automation and configuration management framework from Microsoft; it is a command-line shell with its own associated scripting language. PowerShell was built on the .NET Framework. PS is often used in cyber attacks to run malicious code stealthily on a target computer, but calling powershell.exe can be detected by security solutions. To avoid this, malware can use …

Load/Inject malicious DLL using Microsoft Tools

More and more malware relies on Microsoft tools to hide its malicious activity and damage the system. These tools can be used to bypass security products that trust Microsoft-signed binaries, and can be a serious alternative to rundll32 for executing malicious DLLs like NotPetya or WannaCry. In this article we will see how some Microsoft tools can be used …

Hide malware through Microsoft HTML interpreters

In this article we will see how Microsoft Compiled HTML Help (CHM) and HTML Application (HTA) files can be used to build malware that compromises a system through legitimate Microsoft tools. A CHM file is a binary file containing a collection of HTML pages that provide a user guide for a tool or piece of software. CHM files are …

DDE Attacks, a new way to spread malware using a Microsoft feature

The Dynamic Data Exchange (DDE) protocol is a built-in Microsoft feature that allows applications to share and exchange data. This feature can be used in Microsoft Office programs to request data from another application. For malicious purposes, this feature allows an attacker to craft a document that performs malicious actions without any exploit or macro. This attack method has been …