You are browsing the archive for Incident Response.

The Wizard of X – Oppa PlugX style

July 31, 2017 in Anti-*, Compromise Detection, Forensic Analysis, Incident Response, Malware Analysis

Xwizard is an ‘Extensible wizard host process’. While I am not 100% sure what it is doing I know for certain that – whatever it is – PlugX guys would approve.

Why?

When you run it with a ‘/h’ command line parameter, you will get this info:


Something about the unusual command line parameters described there caught my eye.

After a quick inspection I discovered why. The arguments are actually… names of functions exported from xwizards.dll!

Very nice!

And even nicer is the fact the LoadLibraryEx that loads that xwizards.dll finds its conveniently in the current path…

Ouch…

So… all you have to do is copy c:\WINDOWS\system32\xwizard.exe to your folder, drop your xwizards.dll DLL there and call xwizard.exe with at least two arguments.

And the Microsoft-signed xwizards.exe will load xwizards.dll of your choice…

Running programs via Proxy & jumping on a EDR-bypass trampoline

May 1, 2017 in Anti-*, EDR, Incident Response

The parent-child process relationship is very helpful when it comes to defining detection rules and watchlists. For instance, anytime a winword.exe spawns a cmd.exe, powershell.exe, cscript.exe, wscript.exe, mshta.exe it is an obvious anomaly that may be a sign of an Office macro-based infection.

However, insert an unexpected process in-between and the rule/watchlist fails. Perhaps for this reason, it would be nice to have EDR rulesets that can refer not only to parents, but also to ancestors of the process.

Since this relationship is prone to manipulation let’s¬† have a look at a couple of possible examples:

  • rundll32 url.dll, OpenURL file://c:\windows\system32\calc.exe
  • rundll32 url.dll, OpenURLA file://c:\windows\system32\calc.exe
  • rundll32 url.dll, FileProtocolHandler calc.exe
  • rundll32 zipfldr.dll, RouteTheCall calc.exe

Running any of these commands will launch calc.exe with the rundll32.exe as a parent.

Obviously, rundll32.exe is an obvious  bad guy too. What about we copy it first?

copy c:\windows\system32\rundll32.exe %appdata%\Adobe\adobe.exe

Now, we can launch:

  • %appdata%\adobe\adobe.exe url.dll, OpenURL file://c:\windows\system32\calc.exe
  • %appdata%\adobe\adobe.exe url.dll, OpenURLA file://c:\windows\system32\calc.exe
  • %appdata%\adobe\adobe.exe url.dll, FileProtocolHandler calc.exe
  • %appdata%\adobe\adobe.exe zipfldr.dll, RouteTheCall calc.exe

And get the very same result, this time, with the parent process being adobe.exe.

If you know any other EXE/DLL combo that can act as a proxy, I’d be grateful if you could let me know. Thanks!