
Event ID 7039 – out…pid a pid

February 26, 2021 in Compromise Detection, Sysmon, threat hunting

This event is not very well explained on the internet, so I took the liberty of describing it below:

The event message is as follows:

A service process other than the one launched by the Service Control Manager connected when starting the [SERVICE_NAME] service. The Service Control Manager launched process [PID1] and process [PID2] connected instead.

Note that if this service is configured to start under a debugger, this behavior is expected.

The message kinda tells us what happened – two different processes talk to SCM instead of one. It doesn’t really tell us WHY this happens.

Example from a case I looked at in response to a query on Twitter:

In this particular case the c:\windows\sysmon.exe was registered as the program that the service process starts from. I believe this file was later manually replaced with a newer version of sysmon.exe. A little-known fact about the distributable version of Sysmon (sysmon.exe from the Sysinternals page) is that it is built as a 32-bit executable with an embedded 64-bit executable inside its resources. When launched on a 64-bit system, the 32-bit version extracts and spawns that 64-bit executable (note the PIDs and compare them against the Event Log):

Looking at it in general terms: when you register a service, its configuration in the Registry points to an executable file. This executable is then used to launch the service. Some services are not designed very well. Once such programs are launched as a service, they spawn other processes, sometimes even batch files that may in turn launch other programs. If one of these spawned programs talks to the SCM, the latter immediately recognizes that it’s not the same executable as the service process the service configuration points to. Such a design is in general poor and could be subject to privilege escalation (in a lolbinish way). And since this is a security concern, event 7039 is logged.

And this leads me to the key reason I wanted to write this article. Event 7039 tells you two things:

  • Whoever designed the service didn’t do the best job, OR, more importantly,
  • A bad guy may be using a badly designed service to escalate privileges.

Hence, you should be looking at these.

And last, but not least – does it mean Sysmon is designed badly? Nope. It’s designed in a clever way to use a single portable executable for 32-bit and 64-bit systems. The problem arises from a corner case in the way it was manually upgraded, instead of using the “-u” switch.
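A triage sketch for the hunting advice above, added here as an example (it is not code from the original post): it parses the 7039 message text quoted earlier and checks, against process-creation records, whether the connecting PID descends from the PID the SCM launched. The function names, the record layout and all sample PIDs, service names and paths are constructed assumptions.

```python
import re

# Event 7039 message template, as quoted in the post.
MSG_7039 = re.compile(
    r"connected when starting the (?P<service>.+?) service\. "
    r"The Service Control Manager launched process (?P<launched>\d+) "
    r"and process (?P<connected>\d+) connected instead\.")

def parse_7039(message):
    """Return (service, launched_pid, connected_pid), or None if no match."""
    m = MSG_7039.search(message)
    return (m["service"], int(m["launched"]), int(m["connected"])) if m else None

def lineage(procs, launched, connected, max_depth=16):
    """Image chain from the launched PID down to the connecting PID, or None."""
    chain, pid = [], connected
    while pid in procs and len(chain) < max_depth:  # depth cap guards PID-reuse loops
        chain.append(procs[pid]["image"])
        if pid == launched:
            return chain[::-1]
        pid = procs[pid]["ppid"]
    return None

def triage(message, procs):
    """procs: pid -> {"ppid", "image"} from process-creation logs (assumed layout)."""
    parsed = parse_7039(message)
    if parsed is None:
        return None
    service, launched, connected = parsed
    chain = lineage(procs, launched, connected)
    if launched not in procs or connected not in procs:
        relation = "no-process-data"   # cannot judge without process records
    else:
        relation = "descendant" if chain else "unrelated"
    return {"service": service, "launched": launched, "connected": connected,
            "relation": relation, "chain": chain}

# Constructed sample data: PIDs, service name and paths are illustrative only.
TEMPLATE = ("A service process other than the one launched by the Service Control "
            "Manager connected when starting the {} service. The Service Control "
            "Manager launched process {} and process {} connected instead.")
PROCS = {
    5000: {"ppid": 700, "image": r"C:\Example\launcher.exe"},
    5010: {"ppid": 5000, "image": r"C:\Windows\System32\cmd.exe"},
    5020: {"ppid": 5010, "image": r"C:\Example\helper.exe"},
    6100: {"ppid": 900, "image": r"C:\Users\Public\other.exe"},
}

if __name__ == "__main__":
    print(triage(TEMPLATE.format("ExampleSvc", 5000, 5020), PROCS))
```

A "descendant" result with a chain through cmd.exe matches the spawn-happy service design described above and still deserves a look at every image in the chain; an "unrelated" result means the connecting process has no recorded lineage to the service binary at all.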

DownLOLoloaders

February 19, 2021 in Anti-Forensics, Compromise Detection, Living off the land, Reusigned Binaries

The previous posts about hosts files build a foundation for the trick I wanted to cover in this post.

Most of the native LOLBINish downloaders are already known (certutil, BITS, etc.).

I thought it could be an interesting idea to explore the large world of signed binaries that are not native to the OS with the intention of using them to communicate with the external world.

Being signed makes them attractive. Being marked as ‘green’ by VirusTotal makes them super-attractive because they are legitimate. For the purpose of the trick working they only need to fulfill one (or two?) requirement(s) – they need to download stuff w/o interaction and immediately execute it. With that in mind I started combing my ‘good files’ repo and quickly found a few candidates.

Immediately after start they kick off a GET request:

… and once the bin file is downloaded, it’s executed.

There are lots of signed samples like this available.

The last bit to make it work is ‘instrumentation’ of the DNS lookups. This is where the hosts files’ modification can come in handy. And of course, a more complex and clandestine approach would be to reverse engineer RPC calls to directly modify entries inside the DNS Cache (those retrieved by ipconfig.exe via the DnsGetCacheDataTableEx API).

Once the DNS lookups are in place, the downloader will reach out to an attacker-controlled IP where it can download stuff from (this may require some additional setup to handle paths passed to the server, maybe HTTPS, if necessary).