center-for-threat-informed-defense / adversary_emulation_library

An open library of adversary emulation plans designed to empower organizations to test their defenses based on real-world TTPs.
https://ctid.io/adversary-emulation
Apache License 2.0

Updating MSSQL Server in RTF Embedded SQLRAT JS - FIN7 (Scenario 1) #96

Closed malwareninja closed 2 years ago

malwareninja commented 2 years ago

How to modify the MSSQL server IP within the embedded sqlrat js inside that initial access RTF file? Modifying it directly inside the rtf makes the payload useless.

malwareninja commented 2 years ago

Okay, so basically we use Select Objects in Word to select the hidden text boxes, and on one of the white parts there is a text box that holds the part of sqlrat where we can modify the Server= value.