From 7ac3d19cc8f8e0bc8e80e4c8e82aee5c0250b782 Mon Sep 17 00:00:00 2001
From: pe3zx <pe3zx@users.noreply.github.com>
Date: Sat, 28 Jul 2018 10:41:12 +0000
Subject: [PATCH] Add: Chasing Adversaries with Autoruns - evading techniques
 and countermeasures

---
 README.md | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/README.md b/README.md
index 5b3dcb1..4dae604 100644
--- a/README.md
+++ b/README.md
@@ -485,6 +485,12 @@ _return-to-libc techniques_
 
 #### Post Exploitation Platform: Windows
 
+- [Chasing Adversaries with Autoruns – evading techniques and countermeasures](https://blogs.technet.microsoft.com/motiba/2017/11/04/chasing-adversaries-with-autoruns-evading-techniques-and-countermeasures/)
+    - **Nested commands technique**: chain multiple commands with `&`, `&&`, `||`
+    - **Abusing legitimate executables**: using legitimate executables to execute intended commands e.g.
+        - `Rundll32.exe`: `rundll32.exe shell32.dll,ShellExec_RunDLL notepad.exe`
+        - Program Compatibility Assistant (pcalua): `pcalua.exe -a calc.exe`
+        - `SyncAppvPublishingServer.vbs` or `SyncAppvPublishingServer.exe`: `SyncAppvPublishingServer.exe "n; Start-Process notepad.exe"`
 - [Evading Microsoft’s AutoRuns](https://blog.conscioushacker.io/index.php/2017/10/25/evading-microsofts-autoruns/)
     - **Extension search order hijacking**: Manipulate extension search order which `.COM` has been looked for first before `.EXE` by making the actual `.EXE` disappeared and place dummy `.COM` with the same name as `.EXE` on the same directory
     - **PowerShell injection vulnerability**: Use `SyncAppvPublishingServer.exe` to execute powershell cmdlet e.g. `SyncAppvPublishingServer.exe ".; Start-Process calc.exe`