Posts

Showing posts from October, 2021

Possible Detection for MirrorBlast

Quick post. I was looking at several samples of MirrorBlast and noticed that while MsiExec is not a child process of Excel, the Windows Installer is still being called through DLLs loaded into Excel, so a parent/child process rule on its own will not see it. Some EDR products should be able to look for this behavior: a process path containing Excel.exe combined with an image/module load of msimsg.dll might prove to be an interesting way to detect this, per my Twitter post: https://twitter.com/luke92881/status/1446147033388273675

There are of course other DLLs loaded as well, such as msi.dll and msimtf.dll (and others); however, msimsg.dll is the first one that appears to be an anomaly in the baselines I've run.

Small list of samples with this behavior:
https://app.any.run/tasks/74de3a74-f590-4bd7-aca6-c8fa7cd435fe/
https://app.any.run/tasks/9175439d-8d2c-4fa6-bcd5-a24017b97656/
https://app.any.run/tasks/134bee05-bb64-4647-8845-58b12cd31dba/

UPDATE 10/16/2021: Interesting anti-sandbox FUD post on Twitter: Initial Detection Opportunity in EDR. https://twitter.com/bigmacjpg/stat...
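To make the detection concrete, here is an added Python example (not the author's code, and not any EDR product's rule) that applies the image-load logic described above to Sysmon-style Event ID 7 (Image loaded) records. The events and the baseline counts are constructed for illustration; the field names (Image, ImageLoaded, ProcessId) follow Sysmon's ImageLoad event. It goes one step beyond the post by also implementing the baseline idea generically: any (process, DLL) pair Excel loads that is absent from a recorded baseline is flagged, with msimsg.dll treated as the high-confidence hit.

```python
"""Excel -> Windows Installer image-load detection over Sysmon-style Event ID 7 records.

Added example for this post, not the author's code or any EDR product's rule.
The baseline counts and the events below are constructed for illustration;
field names follow Sysmon's ImageLoad event (Image, ImageLoaded, ProcessId).
"""
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple
import ntpath

# Constructed baseline of (process, loaded dll) pairs observed during normal use.
# Assumption for this example: Excel never loads msimsg.dll in a clean baseline,
# while msiexec.exe (the installer itself) loads it routinely.
BASELINE_LOADS = Counter({
    ("excel.exe", "mso.dll"): 120,
    ("excel.exe", "oleaut32.dll"): 118,
    ("excel.exe", "vbe7.dll"): 40,
    ("msiexec.exe", "msi.dll"): 30,
    ("msiexec.exe", "msimsg.dll"): 30,
})

# The post's primary indicator, and the other installer DLLs it mentions.
HIGH_CONFIDENCE_DLLS = {"msimsg.dll"}
OTHER_INSTALLER_DLLS = {"msi.dll", "msimtf.dll"}


def _base(path: str) -> str:
    """Case-insensitive basename of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def classify(event: dict) -> Optional[str]:
    """Rule-based verdict for one image-load event.

    'high' : Excel loaded msimsg.dll (the anomaly the post describes)
    'low'  : Excel loaded another Windows Installer DLL (msi.dll, msimtf.dll)
    None   : not an Excel process, or a DLL this rule does not care about
    """
    if event.get("EventID") != 7 or _base(event["Image"]) != "excel.exe":
        return None
    dll = _base(event["ImageLoaded"])
    if dll in HIGH_CONFIDENCE_DLLS:
        return "high"
    if dll in OTHER_INSTALLER_DLLS:
        return "low"
    return None


def baseline_anomalies(events: List[dict], baseline: Counter) -> List[Tuple[int, str, str]]:
    """Return (pid, process, dll) for every Excel load whose pair is absent from the baseline.

    Generic form of the post's observation: instead of hard-coding one DLL,
    flag any (process, dll) pair that never appeared while baselining.
    """
    hits = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        proc, dll = _base(ev["Image"]), _base(ev["ImageLoaded"])
        if proc == "excel.exe" and (proc, dll) not in baseline:
            hits.append((ev["ProcessId"], proc, dll))
    return hits


def detect(events: List[dict]) -> Dict[int, List[Tuple[str, str]]]:
    """Group rule verdicts by ProcessId: {pid: [(verdict, dll), ...]}."""
    alerts: Dict[int, List[Tuple[str, str]]] = defaultdict(list)
    for ev in events:
        verdict = classify(ev)
        if verdict:
            alerts[ev["ProcessId"]].append((verdict, _base(ev["ImageLoaded"])))
    return dict(alerts)


# Constructed paths and events: one Excel process that pulls in the installer DLLs
# (pid 4120), an ordinary Excel process (pid 5500), and msiexec.exe loading its own
# DLLs (pid 9001), which must not alert.
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
MSIEXEC = r"C:\Windows\System32\msiexec.exe"
SYS32 = r"C:\Windows\System32"
OFFICE = r"C:\Program Files\Common Files\Microsoft Shared\Office16"
EVENTS = [
    {"EventID": 7, "ProcessId": 4120, "Image": EXCEL, "ImageLoaded": OFFICE + r"\mso.dll"},
    {"EventID": 7, "ProcessId": 4120, "Image": EXCEL, "ImageLoaded": SYS32 + r"\msi.dll"},
    {"EventID": 7, "ProcessId": 4120, "Image": EXCEL, "ImageLoaded": SYS32 + r"\msimsg.dll"},
    {"EventID": 7, "ProcessId": 5500, "Image": EXCEL, "ImageLoaded": OFFICE + r"\vbe7.dll"},
    {"EventID": 7, "ProcessId": 5500, "Image": EXCEL, "ImageLoaded": SYS32 + r"\msimtf.dll"},
    {"EventID": 7, "ProcessId": 9001, "Image": MSIEXEC, "ImageLoaded": SYS32 + r"\msimsg.dll"},
]

if __name__ == "__main__":
    for pid, hits in sorted(detect(EVENTS).items()):
        print(pid, hits)
    print("baseline anomalies:", baseline_anomalies(EVENTS, BASELINE_LOADS))
```

The rule-based path is what an EDR query would express (process name plus loaded module); the baseline path is how you would decide which module to put in that query in the first place, and it is where msimtf.dll or msi.dll may drop out once your own baseline shows Excel loading them legitimately.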