
Hiding process creation and cmd line with a long com…

March 29, 2020 in Anti-Forensics, Compromise Detection, EDR

How long is the command line buffer?

Depends on a program…

How much of the command line do Sysmon and 4688 events log?

A finite amount.

‘Depends’ minus ‘finite’ == opportunity.

Revisiting my old Sysmon demo, where I showed how to hide long command lines, I thought it would be interesting to test a different idea:

  • Write a program A that launches program B
  • Program A passes a very long command line to program B
  • Program B retrieves the command line and prints out last 5 characters only

The idea was to check if we can use the end of that long buffer as a covert channel for two processes to exchange some data (lame IPC)…

After testing it with 4688 and Sysmon enabled I spotted two things:

  • 4688 completely missed the process B creation
  • The Sysmon log truncated the last bits of the command line (those 5 characters!!!) with an ellipsis.

The picture below shows what the 4688 log looks like:

  • We can see the invocation of Program A (the first 4688 event), followed by conhost.exe; Program B is not logged at all.
  • Then we see the program terminations – Program A, Program B, and conhost.exe.
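Both observations above can be turned into a defender-side check. The following is an added example (not code from the original post) that runs over constructed Sysmon / 4688 / 4689 records: it flags a logged command line that ends in an ellipsis or exceeds cmd.exe's 8191-character limit, and a 4689 termination with no matching 4688 creation. The event layout, PIDs and paths are constructed for the sample.

```python
from dataclasses import dataclass

MAX_CMDLINE = 32767   # CreateProcessW limit in UTF-16 code units; anything near it is suspect
LONG_CMDLINE = 8191   # cmd.exe's own limit; longer lines are rarely typed by a human

@dataclass
class Event:
    event_id: int       # 1 = Sysmon ProcessCreate, 4688 = created, 4689 = exited (Security log)
    pid: int            # constructed decimal PIDs (real 4688/4689 records carry hex values)
    image: str
    command_line: str = ""

def cmdline_findings(ev):
    """Reasons a Sysmon ProcessCreate record may be hiding data at the end of its command line."""
    reasons = []
    cl = ev.command_line
    if cl.endswith("\u2026") or cl.endswith("..."):
        reasons.append("truncated: the tail of the command line was not logged")
    if len(cl) >= LONG_CMDLINE:
        reasons.append(f"long command line ({len(cl)} chars, limit is {MAX_CMDLINE})")
    return reasons

def orphan_terminations(events):
    """PIDs that appear in a 4689 (terminate) but never in a 4688 (create) event."""
    created = {e.pid for e in events if e.event_id == 4688}
    return sorted(e.pid for e in events if e.event_id == 4689 and e.pid not in created)

def analyse(events):
    """Map suspicious PIDs to their command-line findings, plus the list of orphan exits."""
    findings = {e.pid: r for e in events if e.event_id == 1 and (r := cmdline_findings(e))}
    return findings, orphan_terminations(events)

# Constructed sample mirroring the post: A and conhost get a 4688, B never does,
# all three exit; Sysmon logs B with its long command line cut off by an ellipsis.
SAMPLE = [
    Event(4688, 1001, r"C:\test\programA.exe", "programA"),
    Event(4688, 1002, r"C:\Windows\System32\conhost.exe"),
    Event(1, 1003, r"C:\test\programB.exe", "programB " + "\ufabe" * 8200 + "\u2026"),
    Event(4689, 1001, r"C:\test\programA.exe"),
    Event(4689, 1003, r"C:\test\programB.exe"),
    Event(4689, 1002, r"C:\Windows\System32\conhost.exe"),
]

if __name__ == "__main__":
    findings, orphans = analyse(SAMPLE)
    for pid, reasons in findings.items():
        print(f"PID {pid}: " + "; ".join(reasons))
    print("exited without a logged creation:", orphans)
```

In a real pipeline the PID correlation must be scoped to a boot session, since PIDs are reused.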

Sysmon logged a long command line, but the last bits are truncated and replaced by an ellipsis:

This is the invocation of ProgramB that I used (via CreateProcess):

 buffer dw 'p','r','o','g','r','a','m','B',' '   ; UTF-16 "programB " (program name plus separator)
 dw 32698 dup(0FABEh)                             ; filler: 32698 wide characters of 0FABEh
 dw 'h','e','l','l','o'                           ; the 5 characters placed at the very end of the buffer
 dw 0                                             ; terminating NUL for CreateProcess

and this is what ProgramB shows:

The Wizard of X – Oppa PlugX style, Part 2

January 24, 2020 in Compromise Detection, Living off the land, LOLBins

Every once in a while I come back to have a second look at some stuff from the past. Today I had a quick look at xwizards.dll that I wrote about before and noticed that I forgot to mention one more thing.

The exported function RunWizard takes a GUID as input. If you register a DLL under a GUID of your choice, you can load the DLL via xwizard.exe, e.g.:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID]
"CLBVersion"=dword:00000012

[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}]
@="foobar"

[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32]
@="C:\\test\\test.dll"
"ThreadingModel"="Both"

will register c:\test\test.dll under the {11111111-1111-1111-1111-111111111111} GUID. All we have to do now is run:

  • xwizard RunWizard {11111111-1111-1111-1111-111111111111}