Vault7: CIA Hacking Tools Revealed
Navigation: » Directory » AED Development Tradecraft » AED Development Tradecraft Home » Specific Tradecraft Techniques » Detecting and Bypassing Personal Security Products (PSPs)
Owner: User #71473
Comodo Recycle Bin Defeat
Comodo is a giant PITA. It can and will catch and show your entire chain of execution and a great deal of your file I/O. If you drop and run, it will show where you drop, what you run, and what you run runs. Yeah, its that bad.
However...
There is a magical place that for some reason Comodo likes to ignore. The Recycle Bin. You know, that folder of stuff users have deleted? Stuff that probably has no business executing at all, let along dropping and running other code? Yeah – they like to ignore initial execution out of that bad boy.
So, if Comodo is being a pain (i.e., working as intended), try throwing your binaries into C:\$Recycle.Bin (Win Vista/7/8) or C:\RECYCLER (XPWindows operating system (Version)). You don't even have to throw it into any of the actual user's recycle bin folders (the ones with the ginormously long SIDs as folder names), just in the root of the recycle bin itself is fine.
Please note that this is only a partial defeat. It may let you get away with initial execution, but other things you do once running could still get caught. Comodo is annoying like that. Test, test, retest, and may the force be with you.