aMus(ing)Notification

January 3, 2021 in Archaeology, LOLBins, Undocumented Windows Internals

Update

Added Dialog_RebootDTU, Dialog_RebootForcedDTU, RebootWithUXForceOthers, and a few more items that I apparently missed. Thanks to @0gtweet who spotted some of the missing items, and rebooted his box on the way 🙂

Old Post

Have you ever been annoyed by this popup?

I got curious where these popups come from, and after running Sysmon I quickly discovered that they come from invocations of MusNotification.exe and MusNotificationUx.exe.

This one in particular is a launch of:

MusNotificationUx.exe Dialog_EngagedFourthReminder 0

The Dialog_xxx prefix is a very distinctive keyword, so after a quick search I discovered the whole gamut of similar messages hidden inside the UserProcess::GetNotificationCommandLineArguments routine of MusNotification.exe:

  • Dialog_AllowSchedulingFirstReminder
  • Dialog_AllowSchedulingForcedReminder
  • Dialog_AllowSchedulingPerAUPolicy
  • Dialog_AllowSchedulingRebootFailed
  • Dialog_AllowSchedulingSecondReminder
  • Dialog_AllowSchedulingThirdReminder
  • Dialog_AllowSchedulingWarning
  • Dialog_CantDownloadUpdate
  • Dialog_CantInstallUpdate
  • Dialog_DataMigrationFailed
  • Dialog_DownloadAvailable
  • Dialog_DownloadNeedUserAgreementPerCTA
  • Dialog_EngagedFourthReminder
  • Dialog_EnhancedEngagedAcceptAuto
  • Dialog_EnhancedEngagedForcedPrecursor
  • Dialog_EnhancedEngagedForcedWarning
  • Dialog_EnhancedEngagedRebootFailed
  • Dialog_EnhancedEngagedRebootImminent
  • Dialog_EnhancedEngagedRebootReminder
  • Dialog_EnhancedEngagedSecondRebootReminder
  • Dialog_ExpeditedReboot
  • Dialog_InstallNeedEula
  • Dialog_InstallNeedUserAgreement
  • Dialog_LowUptime
  • Dialog_PolicyDeadlineApproaching
  • Dialog_PolicyDeadlineEngagement
  • Dialog_PolicyDeadlineRebootFailed
  • Dialog_PolicyDeadlineRebootImminent
  • Dialog_PolicyDeadlineUserScheduled
  • Dialog_RebootActiveHoursForcedReminder
  • Dialog_RebootActiveHoursForcedWarning
  • Dialog_RebootActiveHoursImminent
  • Dialog_RebootActiveHoursUserSelected
  • Dialog_RebootDTU
  • Dialog_RebootForcedDTU
  • Dialog_RebootImminent
  • Dialog_RebootPolicyEnabledForcedWarning
  • Dialog_RebootPostponeMgmt
  • Dialog_RebootWarning
  • Dialog_ScheduleUpdate
  • Dialog_ScheduleUpdateFailed
  • Dialog_SuggestedActiveHours

You can pick any of them and run it via a similar invocation of MusNotificationUx.exe, e.g.

MusNotificationUx.exe Dialog_CantDownloadUpdate 0

and others:

Apart from being a gimmick, these invocations could serve as a social-engineering add-on to a malware repertoire, and would certainly have added a lot of credibility to the rogue antispyware software of the day.

There also seems to be a possibility of a LOLBin here, as the invocations of MusNotificationUx.exe by MusNotification.exe refer to the %SYSTEMROOT% environment variable rather than to a path retrieved using GetSystemDirectory; this remains a questionable programmer's choice that is prevalent in many native OS binaries.
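For anyone who would rather catch these launches than admire them, here is a detection sketch added to this post (it is not code from the post or from Windows). It runs over constructed Sysmon-style process-creation records and flags the two things the text above hints at: a MusNotificationUx.exe image that does not live in System32, which is what a redirected %SYSTEMROOT% would produce, and a Dialog_* box requested by a parent other than MusNotification.exe. Both expectations, the System32 location and the MusNotification.exe parent, are assumptions drawn from the post rather than documented behaviour.

```python
"""Detection sketch for MusNotificationUx.exe launches that do not match the
Windows Update notifier's own behaviour.  Added example, not code from the
post; the events are constructed, and both expectations below (the OS copy
lives in System32, MusNotification.exe is the usual parent) are assumptions."""
import ntpath
import shlex

EXPECTED_DIR = r"C:\Windows\System32"     # assumption: genuine binary location
EXPECTED_PARENT = "musnotification.exe"   # assumption: usual launcher per the post


def _base(path):
    """Lower-cased file name of a (possibly quoted) Windows path."""
    return ntpath.basename(path.strip('"')).lower()


def analyse(event):
    """Return a list of finding strings for one process-creation event.

    `event` mimics Sysmon Event ID 1 fields: Image, ParentImage, CommandLine.
    """
    findings = []
    if _base(event["Image"]) != "musnotificationux.exe":
        return findings            # not the binary we care about

    # Rule 1: a copy running outside System32 is what a %SYSTEMROOT%
    # resolved to some other directory would produce (the LOLBin angle).
    image_dir = ntpath.normpath(ntpath.dirname(event["Image"].strip('"')))
    if image_dir.lower() != EXPECTED_DIR.lower():
        findings.append(f"image outside System32: {image_dir}")

    # Rule 2: a Dialog_* box requested by anything other than the notifier
    # itself is most likely someone re-using the UI (the social-engineering angle).
    tokens = shlex.split(event["CommandLine"], posix=False)  # keep backslashes
    dialog = next((t for t in tokens[1:] if t.startswith("Dialog_")), None)
    if dialog and _base(event["ParentImage"]) != EXPECTED_PARENT:
        findings.append(f"{dialog} launched by unexpected parent "
                        f"{_base(event['ParentImage'])}")
    return findings


def scan(events):
    """Map each event's 'id' to its findings; events without findings are omitted."""
    result = {}
    for event in events:
        findings = analyse(event)
        if findings:
            result[event["id"]] = findings
    return result


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\MusNotificationUx.exe",
     "ParentImage": r"C:\Windows\System32\MusNotification.exe",
     "CommandLine": r'"C:\Windows\System32\MusNotificationUx.exe" Dialog_EngagedFourthReminder 0'},
    {"id": 2, "Image": r"C:\Windows\System32\MusNotificationUx.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"MusNotificationUx.exe Dialog_CantDownloadUpdate 0"},
    {"id": 3, "Image": r"D:\staging\Windows\System32\MusNotificationUx.exe",
     "ParentImage": r"C:\Windows\System32\MusNotification.exe",
     "CommandLine": r'"D:\staging\Windows\System32\MusNotificationUx.exe" Dialog_RebootWarning 0'},
    {"id": 4, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for event_id, findings in scan(SAMPLE_EVENTS).items():
        print(event_id, findings)
```

Rule 2 will also fire on a benign interactive test like the ones in this post (a console as parent), which is exactly the kind of launch worth a second look; rule 1 is the one that separates the genuine notifier from a copy living wherever %SYSTEMROOT% happened to point.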

Finally, there is also a whole list of Toast_* invocations, which I have not yet figured out how to execute properly:

  • Toast_CompatIssue
  • Toast_DesktopKeepOnReminder
  • Toast_DownloadNeedMoreSpace
  • Toast_DownloadNeedUserAgreement
  • Toast_DownloadNeedUserAgreementPerCTA
  • Toast_DownloadNeedWifi
  • Toast_DownloadViaCellularNeedUserAgreement
  • Toast_EngagedFirstReminder
  • Toast_EngagedRebootFailed
  • Toast_EngagedRebootWarning
  • Toast_EngagedSecondReminder
  • Toast_EngagedThirdReminder
  • Toast_EnhancedEngagedRebootReminder
  • Toast_FailedDiskSpaceCheck
  • Toast_FairWarningDesktop
  • Toast_FairWarningLaptop
  • Toast_FairWarningPolicyNotifyDeadline
  • Toast_InstallBlocked
  • Toast_InstallNeedEula
  • Toast_InstallNeedMoreSpace
  • Toast_InstallNeedUserAgreementPerAUPolicy
  • Toast_KeepAliveOnBatteryWarning
  • Toast_LaptopPlugInReminder
  • Toast_LowUptime
  • Toast_MeteredConnection
  • Toast_NotifyToDownload
  • Toast_NotifyToInstall
  • Toast_OOBEDownloadInProgress
  • Toast_PersistentReadyToReboot
  • Toast_PolicyDeadlineEngagement
  • Toast_RebootActiveHoursForcedReminder
  • Toast_RebootActiveHoursImminent
  • Toast_RebootNeedUserAgreementPerAUPolicy
  • Toast_RebootOtherUsers
  • Toast_RebootReminder
  • Toast_SuggestedActiveHours
  • Toast_UpdateFailed

Last, but not least, there are some additional options the tool accepts, in particular:

  • RebootWithUXForceOthers
  • RebootWithUX
  • ClearActiveNotifications
  • QueryNotificationState
  • -Embedding
  • /CV – correlation vector
  • /MusUxStateString
  • /ToastAction, where the action can be one of these:
    • AlwaysAllowAutoUpdates
    • DeferRestartInHour
    • DeferRestartNow
    • ForcedRemRestartNow
    • ImmAnotherTime
    • ImmRestartNow
    • NotifyRestartNow
    • OthersPickTime
    • OthersRestartAnyway
    • RemPickTime
    • RemRestartNow
    • RemSnooze
    • RestartFailedRetry
    • RestartTonight
    • RestartWarningOption
    • Settings
    • Setup
    • SnoozeUx
    • SuggestedAHConfirm
    • SuggestedAHDontChange
    • WarnPickTime
    • WarnRestartNow
    • dismiss
  • eDTERestartTonight
  • /ToastLaunchTimestamp

certutil – one more GUI lolbin

August 23, 2020 in LOLBins

Certutil is a very complex tool, and only a careful review of all its options allows us to comprehend its rich functionality. Many of its command-line arguments are described online all over the place, so what I present below is not new. However, AFAICT it has not been covered in the context of lolbining, and as such it perhaps deserves some attention.

Project LOLBAS describes at least two ways of downloading files via certutil. Here is the third one:

certutil -URL https://www.google.com

This will launch a GUI window for a program called URL Retrieval Tool:

Once you hit the Retrieve button you will get the ‘Failed’ status, but… the file the URL points to will by then have been downloaded into the %APPDATA%\..\LocalLow\Microsoft\CryptnetUrlCache\Content\<hash> file (thanks to @OsandaMalith for pointing out a mistake in the path).
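As an added example for this post (not certutil's code and not the author's), the snippet below does the two things a responder would want after reading it: spot a certutil -URL invocation in a command line, accepting both the '-' and '/' switch forms and quoted paths, and recognise a file path that resolves into the CryptnetUrlCache\Content directory named above. The command lines, the paths and the 0123ABCD file name are constructed placeholders standing in for the <hash> in the post.

```python
"""Triage helpers for the certutil -URL download trick described above.
Added example for this post, not certutil's own code; the command lines and
paths below are constructed."""
import ntpath
import re
import shlex

# certutil accepts switches with either '-' or '/' and ignores case.
URL_SWITCH = re.compile(r"^[-/]url$", re.IGNORECASE)
# Directory the post names as the landing spot for the retrieved file.
CACHE_DIR_MARKER = "\\microsoft\\cryptneturlcache\\content\\"


def certutil_url_fetch(cmdline):
    """Return the URL handed to 'certutil -URL', or None for any other command."""
    # posix=False keeps Windows backslashes intact; quotes are stripped by hand.
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    if not tokens:
        return None
    exe = ntpath.basename(tokens[0]).lower()
    if exe not in ("certutil", "certutil.exe"):
        return None
    # Walk (switch, value) pairs; the URL is the token after the -URL switch.
    for switch, value in zip(tokens[1:], tokens[2:]):
        if URL_SWITCH.match(switch):
            return value
    return None


def in_cryptnet_cache(path):
    """True if `path` resolves into ...\\Microsoft\\CryptnetUrlCache\\Content\\."""
    # normpath collapses the '..' in %APPDATA%\..\LocalLow style paths.
    norm = ntpath.normpath(path).lower()
    return CACHE_DIR_MARKER in norm and not norm.endswith("\\")


def triage(events):
    """Collect certutil -URL targets and cache files from mixed event records.

    `events` is a list of dicts with a 'type' of 'process' (CommandLine) or
    'file' (Path), loosely modelled on Sysmon Event IDs 1 and 11.
    """
    urls, files = [], []
    for event in events:
        if event["type"] == "process":
            url = certutil_url_fetch(event["CommandLine"])
            if url:
                urls.append(url)
        elif event["type"] == "file" and in_cryptnet_cache(event["Path"]):
            files.append(event["Path"])
    return {"urls": urls, "cache_files": files}


# Constructed sample records (not real telemetry); 0123ABCD stands in for <hash>.
SAMPLE_EVENTS = [
    {"type": "process", "CommandLine": "certutil -URL https://www.google.com"},
    {"type": "process",
     "CommandLine": 'certutil.exe /url "https://files.example.test/setup.bin"'},
    {"type": "process", "CommandLine": "certutil -hashfile setup.bin SHA256"},
    {"type": "file",
     "Path": r"C:\Users\alice\AppData\Roaming\..\LocalLow\Microsoft\CryptnetUrlCache\Content\0123ABCD"},
    {"type": "file", "Path": r"C:\Users\alice\Downloads\setup.bin"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

The cache-directory check is deliberately loose: the same directory is populated by legitimate certificate and CRL fetches, so a hit there is a place to look for the retrieved file, not proof of misuse on its own; pairing it with a certutil -URL command line from the same host and time window is what makes it interesting.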