diff --git a/atomics/T1574.002/T1574.002.yaml b/atomics/T1574.002/T1574.002.yaml
index 4d99cb114a..3412d28249 100644
--- a/atomics/T1574.002/T1574.002.yaml
+++ b/atomics/T1574.002/T1574.002.yaml
@@ -71,3 +71,28 @@ atomic_tests:
 cleanup_command: |
 taskkill /F /IM #{process_name} >nul 2>&1
 name: command_prompt
+- name: DLL Search Order Hijacking,DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE
+ description: |
+ Various threat actors and malware have been found side loading a masqueraded "KeyScramblerIE.dll" through "KeyScrambler.exe", which can load further executables embedded in modified KeyScramblerIE.dll file.
+ supported_platforms:
+ - windows
+ executor:
+ command: |-
+ Write-Host 1.Downloading KeyScrambler from official website to temp directory
+ Invoke-WebRequest -Uri "https://download.qfxsoftware.com/download/latest/KeyScrambler_Setup.exe" -OutFile $env:Temp\KeyScrambler_Setup.exe
+ Write-Host 2.Installing KeyScrambler with KeyScrambler_Setup.exe from temp directory
+ Start-Process -FilePath $env:Temp\KeyScrambler_Setup.exe -ArgumentList /S -Wait
+ Write-Host 3.Copying KeyScrambler.exe to temp folder,to avoid permission issues, which calls KeyScramblerIE.dll in CWD i.e. temp
+ Copy-Item "C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe" -Destination $env:TEMP\KeyScrambler.exe
+ Write-Host 4.Executing KeyScrambler.exe, you should see a popup of missing KeyScramblerIE.dll, you can close this popup
+ Start-Process -FilePath $env:Temp\KeyScrambler.exe
+ Write-Host 5.A modified KeyScramblerIE.dll can be copied to temp, which can be misused by Attacker
+ cleanup_command: |-
+ Write-Host 1.Kindly close the popup window asking for KeyScramblerIE.dll ,so that it gets deleted.
+
+ Remove-Item -Path $env:Temp\KeyScrambler_Setup.exe
+ Start-Process -FilePath "C:\Program Files (x86)\KeyScrambler\Uninstall.exe" -ArgumentList /S -Wait
+ Remove-Item -Path $env:Temp\KeyScrambler.exe
+ Write-Host 2.KeyScrambler cleanup completed successfully.
+ name: powershell
+ elevation_required: true
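Review bot: The new cleanup_command depends on a human closing the missing-DLL dialog, so when the test runs unattended the KeyScrambler.exe process started by `Start-Process -FilePath $env:Temp\KeyScrambler.exe` is still alive and `Remove-Item -Path $env:Temp\KeyScrambler.exe` fails on the locked file; the sibling test visible in the context lines terminates its process with `taskkill`, so this one should do likewise, e.g. `Stop-Process -Name KeyScrambler -Force -ErrorAction SilentlyContinue` ahead of the Remove-Item lines. The installer is fetched with `Invoke-WebRequest` and executed elevated with no integrity check inside the executor; the download and silent install belong in a `dependencies` block (`prereq_command`/`get_prereq_command`), ideally comparing the file against a known hash with `Get-FileHash`, so the executor itself is deterministic and re-runnable. Note also that step 5 only prints a message and no KeyScramblerIE.dll is ever placed beside the copied binary, so the test exercises the search-order lookup failure rather than a completed sideload; the description should state this so that detections keyed on the DLL image load are not expected to fire. Minor: `$env:Temp` and `$env:TEMP` are mixed, and the unquoted `Write-Host` messages containing commas are parsed as array arguments rather than one string, so they should be quoted.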