taskhost.exe $(Arg0) & its other arguments

July 1, 2019 in threat hunting

While looking at Sysmon logs on Windows 7 I noticed a strange process entry that had the following properties:

  • service.exe – as a parent process
  • taskhost.exe – as an image
  • $(Arg0) – as a command line argument

Anytime you see a placeholder / reference like this you start wondering whether it is a bug or a feature.

After grepping all .exe and .dll files under the Windows directory I couldn’t find any references to $(Arg0). Only after grepping all files did I finally come across the following task entry:

  • c:\WINDOWS\System32\Tasks\Microsoft\Windows\RAC

After looking at other Task XML files I noticed there are other variants of such command line arguments under the <Data> field – as far as I know, they are not reported anywhere in the dedicated Task Scheduler interface or in Autoruns:

Other entries found:

  • SYSTEM
    • Microsoft\Windows\CertificateServicesClient\SystemTask
    • Microsoft\Windows\Customer Experience Improvement Program\UsbCeip
  • USER
    • Microsoft\Windows\CertificateServicesClient\UserTask
  • <![CDATA[KEYROAMING]]>
    • Microsoft\Windows\CertificateServicesClient\UserTask-Roam
  • <![CDATA[$(Arg0)]]>
    • Microsoft\Windows\SideShow\GadgetManager
  • <![CDATA[$(Arg1)]]>
    • Microsoft\Windows\Media Center\MediaCenterRecoveryTask
    • Microsoft\Windows\Media Center\ObjectStoreRecoveryTask
    • Microsoft\Windows\Media Center\PvrRecoveryTask
    • Microsoft\Windows\Media Center\PvrScheduleTask
    • Microsoft\Windows\Media Center\SqlLiteRecoveryTask
  • PageNotZero
    • Microsoft\Windows\MemoryDiagnostic\CorruptionDetector
  • Decompression
    • Microsoft\Windows\MemoryDiagnostic\DecompressionFailureDetector
  • <![CDATA[Logon]]>
    • Microsoft\Windows\Offline Files\Logon Synchronization
  • $(Arg0)
    • Microsoft\Windows\RAC\RacTask
    • Microsoft\Windows\Task Manager\Interactive

So, if you come across weird command line arguments used by taskhost.exe, the Tasks folder is the place to look. Note that the CDATA notation, which I left intact (copied directly from the files), will not be present in the logs. As such, if you see e.g. ‘taskhost.exe KEYROAMING’ it is coming from the following entry:

  • Microsoft\Windows\CertificateServicesClient\UserTask-Roam
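To make the lookup described above repeatable, here is an added example (my code, not the author’s) that parses Task Scheduler XML, pulls the <Data> value out of every ComHandler action, and maps a taskhost.exe command line as it appears in a process-creation log back to the task file(s) that carry that value. The sample tasks are constructed from the paths and values listed in the post; the Task XML layout (Actions/ComHandler/ClassId/Data) and the namespace are the real ones, the CLSID is a placeholder, and the function and variable names are my own. ElementTree unwraps CDATA on its own, which is why ‘KEYROAMING’ in a log matches ‘<![CDATA[KEYROAMING]]>’ in the file.

```python
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from pathlib import Path
from typing import Optional

# Real Task Scheduler XML namespace; the CLSID below is a placeholder.
TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
PLACEHOLDER_CLSID = "{00000000-0000-0000-0000-000000000000}"

TEMPLATE = (
    '<Task version="1.2" xmlns="{ns}">'
    '<Actions Context="LocalSystem"><ComHandler>'
    "<ClassId>{clsid}</ClassId><Data>{data}</Data>"
    "</ComHandler></Actions></Task>"
)


def task_xml(data: str) -> str:
    """Build a minimal task document with a single ComHandler action."""
    return TEMPLATE.format(ns=TASK_NS, clsid=PLACEHOLDER_CLSID, data=data)


# Constructed sample files, keyed by path relative to C:\Windows\System32\Tasks.
SAMPLE_TASKS = {
    r"Microsoft\Windows\RAC\RacTask": task_xml("<![CDATA[$(Arg0)]]>"),
    r"Microsoft\Windows\Task Manager\Interactive": task_xml("$(Arg0)"),
    r"Microsoft\Windows\CertificateServicesClient\UserTask-Roam": task_xml("<![CDATA[KEYROAMING]]>"),
    r"Microsoft\Windows\CertificateServicesClient\SystemTask": task_xml("SYSTEM"),
    r"Microsoft\Windows\MemoryDiagnostic\CorruptionDetector": task_xml("PageNotZero"),
}


def _local(tag: str) -> str:
    """Strip the XML namespace so tags can be compared by local name."""
    return tag.rsplit("}", 1)[-1]


def comhandler_data(root: ET.Element) -> list[tuple[str, str]]:
    """Return (ClassId, Data) for every ComHandler action in a task.
    The parser unwraps CDATA, so '<![CDATA[$(Arg0)]]>' comes back as
    '$(Arg0)', exactly as the argument shows up in a Sysmon event."""
    found = []
    for elem in root.iter():
        if _local(elem.tag) != "ComHandler":
            continue
        class_id = data = ""
        for child in elem:
            if _local(child.tag) == "ClassId":
                class_id = (child.text or "").strip()
            elif _local(child.tag) == "Data":
                data = (child.text or "").strip()
        found.append((class_id, data))
    return found


def index_tasks(tasks: dict[str, str | bytes]) -> dict[str, list[str]]:
    """Map each ComHandler Data value to the task paths that carry it."""
    index: dict[str, list[str]] = defaultdict(list)
    for task_path, xml_doc in tasks.items():
        for _class_id, data in comhandler_data(ET.fromstring(xml_doc)):
            if data:
                index[data].append(task_path)
    return dict(index)


def load_tasks_dir(tasks_root: str = r"C:\Windows\System32\Tasks") -> dict[str, bytes]:
    """Read every file under the live Tasks folder (Windows only). The files
    are raw bytes with a UTF-16 BOM; expat autodetects that, so no decoding."""
    base = Path(tasks_root)
    return {str(p.relative_to(base)): p.read_bytes() for p in base.rglob("*") if p.is_file()}


def taskhost_argument(cmdline: str) -> Optional[str]:
    """Extract the argument from a logged taskhost.exe command line
    (quoted or bare image path); None if the image is not taskhost.exe."""
    m = re.match(r'^\s*"?(?:[^"\s]*[\\/])?taskhost\.exe"?\s*(.*)$', cmdline, re.I)
    return m.group(1).strip() if m else None


def explain_taskhost_cmdline(index: dict[str, list[str]], cmdline: str) -> list[str]:
    """Task paths whose ComHandler Data equals the logged argument."""
    arg = taskhost_argument(cmdline)
    return index.get(arg, []) if arg else []


if __name__ == "__main__":
    idx = index_tasks(SAMPLE_TASKS)  # on a live host: index_tasks(load_tasks_dir())
    for line in ('"C:\\Windows\\system32\\taskhost.exe" $(Arg0)',
                 "taskhost.exe KEYROAMING", "taskhost.exe BOGUS"):
        print(line, "->", explain_taskhost_cmdline(idx, line) or "no matching task")
```

An argument with no match in the index is worth a second look, since every legitimate taskhost.exe argument on the box should originate from a task file under that folder.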

Sign your name across my heart; vendor… use one name only…

June 29, 2019 in threat hunting

I have been looking at the data stored by vendors inside the VERSIONINFO structure for quite some time now. The TODO bit is one issue I described previously, but there are more.

One of the most annoying things is the crazy number of names that vendors use in the CompanyName field. This is of course kinda understandable – large companies have many departments and coding teams scattered across the whole world. It certainly looks like an impossible task to ensure all of them go through a single, bureaucratic office that double-checks that all of them use the very same vendor name. And perhaps there are other reasons too – I don’t know the laws of all the countries, of course; there could be a genuine need in some places to always use the official name of the company in that field(?). I really dunno.

In any case… From a threat hunting perspective, it complicates our life. For example, when you want to whitelist some of these vendor names you will always end up with a never-ending whack-a-mole game. In my experience, for every entry I add per vendor, there are another 1-5 out there that are very similar, and which I will add some time in the future. I don’t think there is any good solution for this today.

To demonstrate the issue, let’s have a look at common vendor names one can encounter…:

HP:

  • Hewlett Packard
  • Hewlett Packard Enterprise Company
  • Hewlett-Packard
  • Hewlett-Packard Company

Intel:

  • Intel Corporation
  • Intel Corporation – Business Client Platform Division
  • Intel Corporation – Client Components Group
  • Intel Corporation – Client Connectivity Division
  • Intel Corporation – Embedded Subsystems and IP Blocks Group
  • Intel Corporation – Intel® Management Engine Firmware
  • Intel Corporation – Intel® Rapid Storage Technology
  • Intel Corporation – Mobile Wireless Group
  • Intel Corporation – pGFX
  • Intel Corporation – Rapid Storage Technology
  • Intel Corporation – Software and Firmware Products
  • Intel Corporation ? Non-Volatile Memory Solutions Group
  • Intel Corporation-Mobile Wireless Group
  • Intel Corporation-Wireless Connectivity Solutions
  • Intel MCG PIV Tablet Validation
  • Intel Technology Sdn. Bhd.
  • Intel Wireless Display
  • Intel(R) Baytrail Wintablet
  • Intel(R) CherryTrail Windows
  • Intel(R) CISD Software
  • Intel(R) Client Connectivity Division SW
  • Intel(R) CN
  • Intel(R) Embedded Subsystems and IP Blocks Group
  • Intel(R) Intel Network Drivers
  • Intel(R) Intel_ICG
  • Intel(R) INTELND1617
  • Intel(R) INTELND1617S2
  • Intel(R) INTELNPG1
  • Intel(R) Network Platform Group
  • Intel(R) NVMe Windows Driver
  • Intel(R) OWR
  • Intel(R) pGFX
  • Intel(R) Rapid Storage Technology
  • Intel(R) Rapid Storage Technology enterprise
  • Intel(R) Smart Connect software
  • Intel(R) Smart Sound Technology
  • Intel(R) Software
  • Intel(R) Software (Pre-release)
  • Intel(R) Software and Firmware Products
  • Intel(R) Software Development Products
  • Intel(R) Software Products
  • Intel(R) Update Manager
  • Intel(R) USB eXtensible Host Controller Drivers
  • Intel(R) Wireless Connectivity Solutions
  • Intel(R) Wireless Display
  • Intel® Identity Protection Technology Software
  • Intel® Rapid Storage Technology

Lenovo:

  • LENOVO
  • Lenovo (Beijing) Limited
  • Lenovo (Beijing) Ltd.
  • Lenovo (Japan) Ltd
  • Lenovo (Japan) Ltd.
  • Lenovo Group Limited
  • Lenovo Information Products (Shenzhen) Co.
  • Lenovo Japan
  • Lenovo(Japan)Ltd.
  • Lenovo.Ltd
  • LenovoEMC Products USA

Microsoft:

  • Microsoft Corporation
  • Microsoft Corporation (Europe)
  • Microsoft Dynamic Code Publisher
  • Microsoft Mobile Device Privileged Component Update Publisher
  • Microsoft Windows
  • Microsoft Windows 2000 Publisher
  • Microsoft Windows 2000 Publisher (Europe)
  • Microsoft Windows Component Publisher
  • Microsoft Windows Hardware Compatibility Publisher
  • Microsoft Windows Publisher
  • Microsoft Windows XP Publisher

Apple:

  • Apple Computer
  • Apple Inc.

Google:

  • Google
  • Google Inc

Dell:

  • Dell Computer Corporation
  • Dell Inc
  • Dell Inc.
  • Dell Incorporated

Alcor Micro:

  • Alcor Micro
  • AlcorMicro

Baidu:

  • Baidu (China) Co.
  • Baidu Online Network Technology (Beijing) Co.
  • Beijing baidu Netcom science and technology co.ltd
  • BeiJing Baidu Netcom Science Technology Co.

ASIX Electronics:

  • ASIX Electronics Corp.
  • ASIX Electronics Corp.<blank character>

IBM:

  • IBM
  • IBM (China) Investment Company Limited
  • IBM Corporation
  • IBM Japan
  • IBM UK Ltd
  • IBM United Kingdom Limited
  • IBMUK Ltd

Wacom:

  • Wacom Co.
  • Wacom Technology Corp.
  • Wacom Technology Corporation

As we can see: lots of typos, single-character differences (a full stop, a hyphen, a blank character), and plenty of other cosmetic issues.

Whack-a-mole is the name of the game.
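As an added example (my code, not the author’s), here is a normalizer that folds the purely cosmetic differences in the lists above before a CompanyName value is compared against a whitelist: case, trailing blanks, dash variants, “(R)”/“®” marks, punctuation and common legal suffixes. The sample names are a constructed subset of the variants listed in the post; the suffix list and the two keys (`normalize` and the whitespace-free `compact`) are my own heuristics. The example also shows what normalization does not fix: division suffixes such as “– Mobile Wireless Group” still land in their own bucket, so the whack-a-mole is reduced, not eliminated.

```python
import re
import unicodedata
from collections import defaultdict

# Constructed sample: a subset of the CompanyName variants listed above.
SAMPLE_COMPANY_NAMES = [
    "Hewlett Packard", "Hewlett-Packard", "Hewlett-Packard Company",
    "Intel Corporation", "Intel Corporation – Mobile Wireless Group",
    "Intel Corporation-Mobile Wireless Group", "Intel(R) Software",
    "Intel® Rapid Storage Technology",
    "Dell Inc", "Dell Inc.", "Dell Incorporated",
    "ASIX Electronics Corp.", "ASIX Electronics Corp. ",
    "Lenovo (Japan) Ltd", "Lenovo (Japan) Ltd.", "Lenovo(Japan)Ltd.",
    "Alcor Micro", "AlcorMicro",
]

# Legal-form tokens that carry no identity (my list, extend as needed).
LEGAL_SUFFIXES = {"inc", "incorporated", "corp", "corporation", "company",
                  "co", "ltd", "limited", "llc", "gmbh"}
TRADEMARK_RE = re.compile(r"\(r\)|\(tm\)|®|™")
# Hyphen, en dash, em dash, minus sign and friends all become a space.
DASH_RE = re.compile(r"[\u2010-\u2015\u2212-]")


def normalize(name: str) -> str:
    """Canonical token string: casefolded, marks/dashes/punctuation removed,
    legal suffixes dropped, whitespace collapsed."""
    s = name.casefold()
    s = TRADEMARK_RE.sub("", s)          # before NFKC, which turns ™ into "tm"
    s = unicodedata.normalize("NFKC", s)  # fold full-width/compatibility forms
    s = DASH_RE.sub(" ", s)
    s = re.sub(r"[^\w\s]", " ", s)        # full stops, brackets, commas, "?"
    tokens = [t for t in s.split() if t not in LEGAL_SUFFIXES]
    return " ".join(tokens)


def compact(name: str) -> str:
    """Looser key that also ignores spacing ('AlcorMicro' == 'Alcor Micro')."""
    return normalize(name).replace(" ", "")


def group_variants(names, key=normalize) -> dict[str, list[str]]:
    """Bucket raw CompanyName values by their normalized key."""
    groups = defaultdict(list)
    for n in names:
        groups[key(n)].append(n)
    return dict(groups)


def build_allowlist(canonical_names) -> set[str]:
    """Whitelist stored as compact keys, so cosmetic variants match."""
    return {compact(n) for n in canonical_names}


def is_allowed(name: str, allowlist: set[str]) -> bool:
    return compact(name) in allowlist


if __name__ == "__main__":
    for key, members in group_variants(SAMPLE_COMPANY_NAMES).items():
        print(f"{key!r}: {members}")
    allowed = build_allowlist(["Dell Inc", "Alcor Micro", "Intel Corporation"])
    for probe in ("Dell Incorporated", "AlcorMicro", "Intel Corporation – Mobile Wireless Group"):
        print(probe, "->", is_allowed(probe, allowed))
```

Grouping the raw values this way is mostly useful for triage: the buckets show which spellings are the same vendor with cosmetic noise, while the leftover buckets (division names, regional subsidiaries) are the ones that still need a deliberate decision.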