I have seen a lot of Metasploit videos where the instructors have shown process migration. Why do they always migrate into the explorer.exe process, and what's the importance of it?
I'd guess, without actually looking into what you're actually talking about, it's its ubiquity: almost always available, and once you're running from that you'd have more chance to access anything. – Mark Hurd Jan 15 '14 at 04:25
more chance to access anything? – user3196630 Jan 15 '14 at 04:29
I've done some quick Google searches to try to confirm what you are talking about and this question already appears near the top of relevant searches. That suggests to me that you need to explain more. – Mark Hurd Jan 15 '14 at 04:38
What is _exploition_? – Cœur Jul 16 '18 at 01:52
1 Answer
Migrating into another process reduces the chance of getting detected. More precisely, a process with a name generated by Metasploit (typically random alphanumeric characters, e.g., `YIhXxjfm.exe`) looks quite suspicious in the task manager. `explorer.exe` is probably chosen because it most certainly is already running, so one wouldn't need to start another process and migrate into it, which might catch the victim's attention, e.g., a window pops up on the window.

Gumbo
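A defender-side sketch of the answer's point, added here as an example and not part of the original post: once code runs inside `explorer.exe` the process name no longer stands out, so the check looks at cross-process thread creation as well as the name. It assumes that migration surfaces as a remote-thread event shaped like Sysmon Event ID 8 (`SourceImage`, `TargetImage`); the allow-list and the name heuristic are hypothetical, and the sample events are constructed.

```python
import re

# Constructed sample events, reduced to the two fields used below.
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Users\bob\AppData\Local\Temp\YIhXxjfm.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"SourceImage": r"C:\Program Files\Vendor\updater.exe",
     "TargetImage": r"C:\Program Files\Vendor\helper.exe"},
]

# Assumption: sources expected to create threads in other processes on this host.
ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe"}


def basename(path):
    """Return the file name part of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def looks_random(image):
    """Heuristic: short alphanumeric stem, mid-word case change, few vowels."""
    stem = basename(image).rsplit(".", 1)[0]
    if not re.fullmatch(r"[A-Za-z0-9]{6,12}", stem):
        return False
    mid_upper = re.search(r"[a-z][A-Z]", stem) is not None
    vowels = sum(c in "aeiouAEIOU" for c in stem)
    return mid_upper and vowels / len(stem) < 0.3


def score_event(event):
    """Return the reasons an event deserves a look (empty list if none)."""
    src, dst = event["SourceImage"], event["TargetImage"]
    if src.lower() in ALLOWED_SOURCES:
        return []
    reasons = []
    if basename(dst).lower() == "explorer.exe":
        reasons.append("remote thread into explorer.exe")
    if looks_random(src):
        reasons.append("random-looking source name")
    return reasons


def triage(events):
    """Keep only the events that produced at least one reason."""
    return [(e["SourceImage"], r) for e in events if (r := score_event(e))]


if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

The name heuristic alone stops helping once the code has moved into an existing process, which is why the event-based condition carries most of the weight.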