How long is the command line buffer?
It depends on the program…
How much of the command line do Sysmon and 4688 events log?
A finite amount.
‘Depends’ minus ‘finite’ == opportunity.
Revisiting my old Sysmon demo, where I showed how to hide long command lines, I thought it would be interesting to check a different idea:
- Write a program A that launches program B
- Program A passes a very long command line to program B
- Program B retrieves the command line and prints out last 5 characters only
The idea was to check if we can use the end of that long buffer as a covert channel for two processes to exchange some data (lame IPC)…
After testing it with 4688 and Sysmon enabled I spotted two things:
- 4688 completely missed the creation of process B
- The Sysmon log truncated the last bits of the command line (those 5 characters!!!) with an ellipsis.
The pic below shows what the 4688 log looks like:
- We can see the invocation of program A (the first 4688 event), followed by conhost.exe; program B is not logged at all.
- Then we see the program terminations – program A, program B, and conhost.exe.
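The two gaps above (a Sysmon command line whose tail is replaced by an ellipsis, and a process whose exit is audited although 4688 never recorded its creation) are both things a log reviewer can check for mechanically. The script below is an added example, not the author's code: it triages a handful of constructed records shaped like the experiment (program A and conhost.exe with 4688 creations, program B seen only by Sysmon with a clipped command line, then exit events for all three). It assumes a simplified record tuple rather than real Event Log XML, uses 4689 (process exit) for the termination side, and clips the Sysmon copy at an assumed 8000 characters, which is not Sysmon's actual limit.

```python
"""Triage of process-creation and process-exit records for two logging gaps:
a Sysmon CommandLine whose tail was replaced by an ellipsis, and a process
whose exit was audited although its creation never produced a 4688.
Added example, not the author's code. All records are constructed; the 8000
character clip on the Sysmon copy is an assumption, not Sysmon's real limit."""

from typing import List, Tuple

Event = Tuple[str, int, int, str, str]  # (channel, event_id, pid, image, command_line)

# Documented upper bound for lpCommandLine passed to CreateProcessW (null included).
CMDLINE_MAX_CHARS = 32767
# Command lines this close to the bound deserve a second look: the audited
# copy may be shorter than what the process actually received.
NEAR_LIMIT_CHARS = 30000
TRUNCATION_MARKERS = ("...", "\u2026")

# Constructed command line shaped like the post's buffer: "programB ", filler
# words, and a five-character tail. 9 + 32698 + 5 = 32712 characters.
LONG_CMDLINE = "programB " + "\ufabe" * 32698 + "hello"

# Constructed records in the order the post describes: 4688 for program A and
# conhost.exe, no 4688 for program B, a clipped Sysmon copy for program B,
# then 4689 exits for all three.
SAMPLE_EVENTS: List[Event] = [
    ("Security", 4688, 1001, r"C:\lab\programA.exe", "programA.exe"),
    ("Security", 4688, 1002, r"C:\Windows\System32\conhost.exe", r"\??\C:\Windows\system32\conhost.exe 0x4"),
    ("Sysmon", 1, 1003, r"C:\lab\programB.exe", LONG_CMDLINE[:8000] + "..."),  # 8000 = assumed clip
    ("Security", 4689, 1001, r"C:\lab\programA.exe", ""),
    ("Security", 4689, 1003, r"C:\lab\programB.exe", ""),
    ("Security", 4689, 1002, r"C:\Windows\System32\conhost.exe", ""),
]


def is_truncated(cmdline: str) -> bool:
    """True when the logged copy ends with an ellipsis, i.e. the tail is gone."""
    return cmdline.rstrip().endswith(TRUNCATION_MARKERS)


def is_near_limit(cmdline: str, threshold: int = NEAR_LIMIT_CHARS) -> bool:
    """True when a command line is long enough that a logger may clip it."""
    return len(cmdline) >= threshold


def exits_without_creation(events: List[Event]) -> List[int]:
    """PIDs with a 4689 exit but no 4688 creation in the same record set."""
    created = {pid for ch, eid, pid, _, _ in events if ch == "Security" and eid == 4688}
    exited = [pid for ch, eid, pid, _, _ in events if ch == "Security" and eid == 4689]
    return sorted(pid for pid in exited if pid not in created)


def triage(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (pid, finding) pairs. Each finding marks a record whose command
    line cannot be trusted as complete and should be chased in other telemetry."""
    findings = []
    for ch, eid, pid, _, cmd in events:
        if (ch, eid) not in (("Security", 4688), ("Sysmon", 1)):
            continue
        if is_truncated(cmd):
            findings.append((pid, "cmdline_truncated"))
        if is_near_limit(cmd):
            findings.append((pid, "cmdline_near_limit"))
    for pid in exits_without_creation(events):
        findings.append((pid, "exit_without_4688"))
    return findings


if __name__ == "__main__":
    for pid, finding in triage(SAMPLE_EVENTS):
        print(pid, finding)
```

On the constructed records the triage reports PID 1003 twice: once because its Sysmon command line ends in an ellipsis, and once because it exited without a matching 4688. The near-limit check only fires on the full 32712-character buffer, which is the point: once a logger has clipped the value, length alone no longer tells you how long the real command line was, so the ellipsis and the creation/exit mismatch are the signals left to work with.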
Sysmon logged a long command line, but the last bits are truncated and replaced by the ellipsis:
This is the invocation of ProgramB that I used (via CreateProcess):
; Wide-character (dw) command line handed to CreateProcessW for program B.
; 9 + 32698 + 5 + 1 = 32713 WCHARs, just under the 32767-character limit.
buffer dw 'p','r','o','g','r','a','m','B',' '   ; "programB " - program name plus separator
       dw 32698 dup(0FABEh)                     ; filler words that pad the buffer
       dw 'h','e','l','l','o'                   ; the 5-character tail at the very end
       dw 0                                     ; null terminator
and this is what ProgramB shows: