Monday, May 18, 2009

re-pwning the box you already own

Friday I was called to handle a malware situation. This was essentially a mission-critical workstation and the goal was not to fully reverse engineer or preserve the machine for evidence. The McAfee antivirus product identified a malicious .js and .exe, but the logs didn't show the detection. The behavior I was called to fix was that most executables failed to run.

I started experimenting with other useful commands, and found that wmic was not affected in the same way but still provided a shell. So start->run->wmic.exe. Once I had a wmic shell open, I could execute the following:

process call create cmd.exe

Which did spawn a shell where start->run failed. Once I was in this shell, I ran a few commands to look around and confirm there wasn't still a separate malicious process that didn't belong. It appears the McAfee client did successfully kill the separate executables.

From the cmd.exe shell I then ran a reg.exe command to enumerate drivers:

reg.exe query "hklm\software\microsoft\windows nt\CurrentVersion\Drivers32"

Here, most things seemed normal except for one value named "aux6" that was something like "../isgerh.exe" (parent directory, then a random executable name). On different systems this will be a different aux device, so the important thing to remember is that if the infection just happened, it will be the highest-numbered device.

To delete this device from the registry, I simply typed:

reg.exe delete "hklm\software\microsoft\windows nt\CurrentVersion\Drivers32" /v aux6

After a reboot, things behaved normally.

If you boot into safe mode you can make the registry edit with regedit.exe or reg.exe without running wmic. A full scan of the drive in safe mode likely would have removed the malicious driver, but the registry would still attempt to load it and would result in an EventLog entry about a driver failing to load. It is also possible that a stager executable could re-download the malicious driver as well. So far, it seems that the combination of the commercial scanner and the registry edit completely removed the malware that prevented most executables from running.
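The check described above (look through Drivers32 for an entry that points outside System32 or at a random executable, note the highest-numbered slot per device family, then delete only that one value) can be scripted for a defender who has to do this on more than one box. The following PowerShell is an added example written for this post, not something the author ran; it assumes an elevated PowerShell 3.0 or later session, and the heuristics it uses (path traversal, an absolute path outside %SystemRoot%\System32, or a .exe where a driver DLL belongs) are my own choices, not a published indicator list. Nothing is deleted unless -Remove is passed, and then only after a confirmation prompt.

```powershell
# Added example (not from the original post): audit the Drivers32 key for
# suspicious entries such as the "aux6" -> "../isgerh.exe" value described
# in the post. Run from an elevated PowerShell 3.0+ session.
param(
    [switch]$Remove   # only delete flagged values when explicitly requested
)

$key      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32'
$system32 = Join-Path $env:SystemRoot 'System32'

# Get-ItemProperty exposes each registry value as a property; the PS* ones
# are provider metadata, not registry data, so they are filtered out.
$item   = Get-ItemProperty -Path $key
$values = $item.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }

# Heuristics (assumptions for this example): legitimate Drivers32 entries are
# bare DLL/driver names resolved from System32, so flag anything else.
$suspect = foreach ($v in $values) {
    $data   = [string]$v.Value
    $reason = $null
    if ($data -match '\.\.[\\/]') {
        $reason = 'path traversal component'
    }
    elseif ($data -match '^[A-Za-z]:\\' -and $data -notlike "$system32*") {
        $reason = 'absolute path outside System32'
    }
    elseif ($data -match '\.exe$') {
        $reason = 'executable where a driver DLL is expected'
    }
    if ($reason) {
        [pscustomobject]@{ Name = $v.Name; Data = $data; Reason = $reason }
    }
}

# The post notes that a fresh infection usually lands in the highest-numbered
# slot, so also show the top entry for each device family (aux, wave, midi...).
Write-Output 'Highest-numbered entry per device family:'
$values | ForEach-Object {
    if ($_.Name -match '^([A-Za-z]+?)(\d+)$') {
        [pscustomobject]@{
            Family = $Matches[1]
            Index  = [int]$Matches[2]
            Name   = $_.Name
            Data   = [string]$_.Value
        }
    }
} | Group-Object Family | ForEach-Object {
    $_.Group | Sort-Object Index -Descending | Select-Object -First 1
} | Format-Table -AutoSize

if (-not $suspect) {
    Write-Output 'No suspicious Drivers32 values found.'
    return
}

Write-Output 'Suspicious Drivers32 values:'
$suspect | Format-Table -AutoSize

if ($Remove) {
    foreach ($s in $suspect) {
        # Remove-ItemProperty deletes only the named value and leaves the rest
        # of the key intact (the equivalent of reg.exe delete ... /v <name>,
        # not /va, which would wipe every value under Drivers32).
        Remove-ItemProperty -Path $key -Name $s.Name -Confirm
        Write-Output "Removed $($s.Name) -> $($s.Data)"
    }
}
```

Run it once without -Remove to see what it would flag, compare the flagged entry against the highest-numbered slot table, and only then re-run with -Remove. Because the script deletes by value name rather than clearing the key, the legitimate audio and codec mappings in Drivers32 survive; after the edit, a reboot and a check of the System event log for driver-load failures will tell you whether anything else still references the removed file.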

Often I'm asked why/how I ended up focusing on Incident Response/Handling plus Penetration Testing. Well, sometimes you have to re-pwn the machine you own. The command line building blocks are great for both. A good reason to follow the Command Line Kung Fu blog.

I have two major projects I'm trying to wrap up today, and I promise I'll post info on them as soon as I can. Meanwhile, have you registered for the SANS Penetration Testing Summit?
