center-for-threat-informed-defense / adversary_emulation_library

An open library of adversary emulation plans designed to empower organizations to test their defenses based on real-world TTPs.
https://ctid.io/adversary-emulation
Apache License 2.0

FIN7 - sql-rat exec-cmd spawning WerFault.exe #97

Open malwareninja opened 2 years ago

malwareninja commented 2 years ago

Executing an MSF PowerShell stager through the SQL-RAT's exec-cmd is spawning WerFault.exe. This in turn causes a failure to get a working session. Running the stager manually on the victim works fine, so the stager is confirmed to be in a working state.