You are browsing the archive for Incident Response.

taskmgr.exe slashing numbers

July 22, 2018 in EDR, Forensic Analysis, Incident Response

If you ever launched Task Manager using some of the shortcuts e.g. CTRL+SHIFT+ESC you probably noticed that it causes taskmgr.exe to be launched with a command line argument ‘/2’.

There is a very good post on the supersuer forum that describes a number of cases. I was curious if we can find some more + thought it would be good to summarize it all in one post.

Here they are:

  • No command line arguments
    • via Windows Explorer
    • via terminal (cmd.exe, powershell, cygwin, etc.)
    • via WIN+R/Run box
    • win7 – via Control Panel: search for Task manager, Click ‘View running processes with Task Manager’
    • via any other 3rd part component that allows to launch programs e.g. Total Commander, FAR
    • via Search (in Explorer)
  • taskmgr.exe /1
    • Start non-elevated Task Manager, click ‘Show processes from all users’ button
  • taskmgr.exe /2
    • Press CTRL+SHIFT+ESC
  • taskmgr.exe /3
    • Press CTRL+ALT+DEL, click ‘Start Task Manager’
  • taskmgr.exe /4
    • Right click on the Taskbar and click ‘Start task Manager’
  • taskmgr.exe /5
    • N/A
  • taskmgr.exe /6
    • win10 – via Control Panel: search for Task manager, Click ‘View system resource usage in Task Manager’, or ‘Task manager’
  • taskmgr.exe /7
    • win10 – via Start Menu, click ‘Task Manager’
      • /7 /Startup – win10: via Msconfig, click ‘Startup’, click ‘Open Task Manager’
  • taskmgr.exe /8
    • win8(?) – N/A (guess: perhaps Start Menu, click ‘Task Manager’, but need to verify)
      • /8 /Startup – win8(?): since the command is very similar to the ‘/7 /Startup’ described above, there is a possibility that this applies to Task Manager launched via MSConfig on Win8 (I don’t have win8 at hand to test); notably, there is a reference to this command inside ‘c:\Windows\System32\hcproviders.dll’ on win10; not sure how to trigger it though
  • taskmgr.exe /9
    • N/A

Other than launching Task Manager directly one can also use LaunchTM.exe to make it launch Task Manager process via proxy (AFAIK it’s only used by winlogon.exe).

Sysmon doing lines, part 5

July 21, 2018 in Anti-*, Anti-Forensics, EDR, Forensic Analysis, Incident Response, Malware Analysis

This is a lame, cute, not-only-sysmon evasion that is not really an evasion, but more a social engineering trick – still, it may fool some junior analysts…

As I mentioned in my older post, there are tones of URL Schemes available in Win10. When you look at them, you will most likely think that anyone using them will always use the ‘start’ command, or the ‘ShellExecute*’ APIs.

And that’s the opportunity.

If you write a launcher that leverages these built-in, very well known schemes e.g. ‘ms-settings:defaultapps’ to create a dummy ‘host’ file (e.g. ‘ms-settings’) with the ADS attached to it called according to the second part of the URL Scheme (e.g. ‘defaultapps’), you will be able to launch ‘ms-settings:defaultapps’  that is actually not a protocol, but a real PE file.

Let’s have a look at an example:

copy notepad.exe ms-settings
type <yourexe> > ms-settings:defaultapps

This will create a copy of a legitimate (and signed) notepad.exe called ‘ms-settings’ and will append the ADS ‘ms-settings:defaultapps’ that is acting as an actual payload.

All you have to do is to launch it not via ShellExec, but directly via CreateProcess, and if you place the .exe in a ‘strategically named’ folder you may end up with a sysmon log like this:

Now… show me a junior analyst that won’t conclude it’s just one of the safe URL Schemes… because…  the first result for ‘ms-settings:defaultapps’ in Google is this.

They may even test it on their systems – launching ‘ms-settings:defaultapps’ from a command line will bring this innocent window:

A simple launcher that you can use for test can be downloaded from here. It simply launches ‘ms-settings:defaultapps’ ADS in its current directory.