acw.exe – perhaps the last true Lolbin standing…

August 19, 2018 in Living off the land, LOLBins

As I mentioned I won’t be covering lolbins anymore until I find something new/interesting.

I guess an OS-native rundll32.exe replacement is kinda interesting, especially that it seems to be present by default on some Windows Server installations (e.g. 2008) and sometimes is installed by other software.

The binary in question is part of a Guided Help a.k.a. Active Content Wizard component and the .exe in question is acw.exe.

It has a nice command line argument that allows us to load and execute any DLL:

  • %systemroot%\system32\acw.exe -Extensions <dll>

Known locations of acw.exe are:

  • c:\Program Files\ACW\acw.exe
  • c:\windows\system32\acw.exe
  • c:\windows\syswow64\acw.exe

Lateral Movement using WSHController/WSHRemote objects (IWSHController and IWSHRemote interfaces)

August 18, 2018 in Anti-Forensics, Compromise Detection, Lateral Movement

Re-discovering old tricks is fun, especially in a context of learning the very desirable know-how about all the possible evasion tricks and stealth techniques that should be well known to both red and blue teams. And especially tricks that allow lateral movement.

If you are wondering why I am saying ‘re-discovering’ it is because what I am going to cover in this post has been used in the past a lot, and googling around you can find references to code as early as 1989!

I came across it while reading about various Windows interfaces and these 2 caught my attention:

(or WSHController and WSHRemote as they are referred all over the place), and immediately realized that it’s yet another, not so well-known, lateral movement technique.

After few unsuccessful tries, I made it work and am presenting to you a quick & dirty recipe so you can try to replicate it in your lab.

This is the trick in action (left side – target system, right side – attacker):

You can re-use the code pasted on Microsoft site, and adapt it to your needs (a.k.a. edit the name of the remote computer and file name of the script):

strRemoteComputer = "RASServer01"
strWorkerScript = "MapNetworkDrive.vbs"
Set objWshController = WScript.CreateObject("WshController")
Set objRemoteScript = _
objWshController.CreateScript(strWorkerScript, strRemoteComputer)
objRemoteScript.Execute

Do While Not objRemoteScript.Status = 2
   Wscript.Sleep(100)
   Wscript.Echo "Remote script not yet complete."
Loop

When you try it for the first time, you will fail.

Why?

Lots of reasons. It turns out this feature needs a bit of preparation before it can be used.

After poking around and reading what other people did to make it work, I put these ideas together:

  • Use Admin account to execute the two actions described next (wscript doesn’t return an error if it can’t write Registry keys!)
  • Run the following command on both server and client (some sites suggest client only, but you do need to register it on the server too!)
    • wscript -regserver
  • Ensure that the client (target machine) has the following Registry setting enabled:
    • HKLM\SOFTWARE\Microsoft\Windows Script Host\
      Settings\Remote=1 (Reg_SZ)

That’s it. Now the script should work.

If you are worrying that running the ‘wscript -regserver’ puts this trick in a catch 22 department (we need to run one process remotely first to run our script) don’t worry. The ‘wscript -regserver’ adds a bunch of Registry keys, and values – they can be as well added using remote Registry functions and this doesn’t require running processes remotely at all!

Here’s a high-level list of these keys – if you want detailed values you can grab them from a regshot session on your test lab box:

  • HKLM\SOFTWARE\Classes\CLSID\{6F201542-B482-11D2-A250-00104BD35090}
  • HKLM\SOFTWARE\Classes\Interface\{6F201541-B482-11D2-A250-00104BD35090}
  • HKLM\SOFTWARE\Classes\Interface\{83EA33C0-CD14-11D2-A252-00104BD35090}
  • HKLM\SOFTWARE\Classes\Interface\{8A9EA2C0-D348-11D2-A253-00104BD35090}
  • HKLM\SOFTWARE\Classes\TypeLib\{6F201540-B482-11D2-A250-00104BD35090}
  • HKLM\SOFTWARE\Classes\WSHRemote

From a forensic perspective you will want to pay attention to these artifacts:

  • Registry artifacts described above (Remote value + Classes entries)
  • Files created in a user temporary directory – if launched on the localhost
    • %TEMP%\wsh*.tmp
    • %TEMP%\wsh*.tmp.vbs
  • Files created in a Windows temporary directory of the target system (if launched on the remote host)
    • C:\Windows\Temp\wsh*.tmp
    • C:\Windows\Temp\wsh*.tmp.vbs
  • Presence of a process wscript.exe spawn via svchost.exe:
    • C:\WINDOWS\system32\wscript.exe -Embedding

In terms of Event Logs, the only activity I see is a number of Events logged in the Security logs:

  • 4672: Special privileges assigned to new logon.
  • 4624: An account was successfully logged on.
  • 4634: An account was logged off.

So, seeing this triplet in a short time span may be a good indicator of ongoing lateral movement using this technique.

There is also another bit. Since you can use this trick on the localhost it could be used to break the process tree (as seen by e.g. EDR solutions), and potentially evade some sandbox analysis (processes not spawn directly by the analyzed sample(s) or their child processes may be sometimes ignored unless the sandbox is aware of the evasion trick and monitors its use).