![]() ![]() This time i tried to download an executable and Winword.exe opens with scrambled strings. %localappdata%\Microsoft\Windows\Temporary Internet Files\ %localappdata%\\Microsoft\Windows\Temporary Internet Files\Content.IE5\ %localappdata%\Microsoft\Windows\Temporary Internet Files\Content.MSO I fired up Procmon this time and look for artefacts and found the cache was stored on below 2 locations temporarily. I tried to download a remote file and it opens as Read-Only ,but i wonder is there any cache stored locally? Payload Download - No proper validation on remote files. ![]() I came to know that we can able to open a remote document as Read-Only, I focused on that feature. I focused my research towards Office binaries (winword/powerpnt/excel), My aim is to download a payload remotely via legitimate binaries by application whitelisting and execute via Office binaries. Update Added to Lolbas|Lolbin contribution.Īs a part of finding vulnerable endpoints to improve defence, I used to reckon legitimate binaries on any chance of masking for payload download/execute.
0 Comments
Leave a Reply. |