You are browsing the archive for Incident Response.

Mindmap software as an attack vector

November 19, 2019 in Compromise Detection, Incident Response, Malware Analysis

Looks like mindmap software could be used to deliver bad stuff; interaction is still required, but could be an interesting attack vector especially that it’s a popular type of software in a corp. environment:

Xmind

FreeMind

MindView

MindManager

The latter allows attaching actual binary files as well, but an attempt to launch them will end up with the following dialog box shown:

Too much % makes Event Viewer drunk

January 27, 2019 in Anti-*, Anti-Forensics, Forensic Analysis, Incident Response, Malware Analysis

Update:

After I posted it Daniel Bohannon provided a link to his earlier research (March 2018) where he described the very same problem. He has some interesting examples so please have a look!

Old Post:

This is a short post about a funny side effect of using the % sign and how these are being interpreted by Windows Events Log Viewer.

When you use this character as a part of a file name, or as a Registry data the program will assume these % signs are referring to actual parameters and will resolve them into actual strings.

I know it doesn’t make any sense, so let’s do a test.

Name your program %1.exe. Run it. This is what the Viewer will show:

Now try to add this Registry value:

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Foo /t reg_sz /d test%1%2%3%4%5%6%7%8%9%10%100

The result? Very strange details:

What about naming the program %1%2%3.exe?

Look at the image and the command line. One is: C:\Test\2019-01-27 22:28:29.601{670b5bbc-308d-5c4e-0000-00105f407c03}.exe, and the other “C:\Test\Incorrect function.The system cannot find the file specified.The system cannot find the path specified..exe”.

Only the viewer is fooled, because the actual data is logged properly (although there is an inconsistency in the way %s are doubled in command line) — one just needs to go to Details tab and see what it really shows:

That’s it. Yet another quirky behavior to be aware of.