
Sysinternals Suite – The Administrator's Little Helper

Intro

Sysinternals Suite is a bundle of 70+ tools authored by Mark Russinovich back in 1996. 

Russinovich created them under his company name (Winternals) along with the help of his colleague and co-founder Bryce Cogswell.

Winternals was then acquired in 2006 by Microsoft, and Mark Russinovich ended up working for them. He is currently the CTO of Microsoft Azure!

Behind this amazing story stands an even more amazing bundle of tools. 

Those little administrative tools can (and will) make your life much easier as a Sysadmin, IT Support Engineer, etc. However, they are also widely used by threat actors/adversaries, as well as by Security personnel (from SOC Analysts to Threat Hunters).

As the name implies, Sysinternals can help you dig deeper into your Windows hosts.

Today, you can download it from the Microsoft Store by typing in Sysinternals Suite. Alternatively, you can use winget (Windows Package Manager) and PowerShell to fetch it from the MS Store for you.

You can simply do

winget install sysinternals

It’s all explained here.

Sysinternals suite utilities

Sysinternals offers the following utilities:

+Misc tools (everything else in the Sysinternals Suite)

For this article, I’ve picked the most interesting ones (although that may depend on the person) while trying to cover as many categories as possible.

Process Utilities


Autoruns

As per the definition found here:

This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you what programs are configured to run during system bootup or login, and when you start various built-in Windows applications like Internet Explorer, Explorer and media players. These programs and drivers include ones in your startup folder, Run, RunOnce, and other Registry keys. Autoruns reports Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more. Autoruns goes way beyond other autostart utilities.

As you can see from the image below, there are many tabs, some of which can be of great value to you.

For example, the entries detail which processes are doing what to the registry (and when), with the option of checking their hashes on VirusTotal, too (see below).

For example, this blog post describes (among other things) how an Image Hijack can be “…quite sneaky in that the Windows registry has a key to launch a certain process but instead is redirected to launch a different malicious process.”

Adversaries are well aware of what they can exploit, and the registry, being the configuration database of the Windows OS, is a prime target.

Autoruns can help you catch that. It can also help you check these entries for tampering, which is one of the ways adversaries go about establishing persistence.
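To show what Autoruns does for the most common autostart locations, here is an added PowerShell example (not part of the original post, and not Autoruns' own code) that walks the Run/RunOnce keys, resolves each command line to an image file, and reports its SHA-256 and Authenticode status. The key list and the Resolve-ImagePath helper are this example's own; Autoruns covers far more locations than these.

```powershell
# Added example: enumerate Run/RunOnce autostart entries, resolve the image each one
# launches, and report hash and signature status so tampered or unsigned entries stand out.
# Run from an elevated PowerShell prompt to read the HKLM keys reliably.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Resolve-ImagePath {
    # Hypothetical helper: turn an autostart command line into the path of the image it runs.
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end  = $cmd.IndexOf('"', 1)
        $path = if ($end -gt 1) { $cmd.Substring(1, $end - 1) } else { $cmd.Trim('"') }
    } else {
        $path = ($cmd -split '\s+')[0]
    }
    # A bare name such as rundll32.exe resolves through PATH, like the shell would do.
    if (-not (Test-Path -LiteralPath $path) -and $path -notmatch '[\\/]') {
        $resolved = Get-Command $path -ErrorAction SilentlyContinue
        if ($resolved) { $path = $resolved.Source }
    }
    return $path
}

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $cmdLine = [string]$item.GetValue($name)
        $path    = Resolve-ImagePath $cmdLine
        $exists  = Test-Path -LiteralPath $path -PathType Leaf
        $hash    = $null
        $status  = 'FileMissing'
        if ($exists) {
            $hash   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $status = (Get-AuthenticodeSignature -LiteralPath $path).Status
        }
        [PSCustomObject]@{
            Key       = $key
            Name      = $name
            Image     = $path
            SHA256    = $hash
            Signature = $status
        }
    }
}

# Entries pointing at a missing file, or at an unsigned/invalid binary, deserve a closer look.
$report | Where-Object { $_.Signature -ne 'Valid' } | Format-Table -AutoSize
```

The SHA256 column is what you would paste into VirusTotal by hand; the Signature column mirrors Autoruns' "Verify Code Signatures" option. Note that "NotSigned" is common for legitimate third-party software, so treat the output as a starting point for triage, not a verdict.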

Process Explorer

From the docs:

“The Process Explorer display consists of two sub-windows. The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle mode you’ll see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you’ll see the DLLs and memory-mapped files that the process has loaded.”

From the image below, you can see that I’ve chosen one of the many Firefox.exe subprocesses, and under the TCP/IP tab I’ve inspected one of the IPs I’m connected to through Firefox. When I check the IP’s reputation, I get the following (image 2):

1.)

2.)

And this makes sense, as I have a connection to MS Azure portal.

On right-click, you can submit the specific process’ hash to VirusTotal (the same goes for Autoruns: you can check entries against VirusTotal from within the application). You can also create a full or a partial dump, which can come in handy. Always keep in mind, though, that uploading to VirusTotal, while helpful, means that you’re sharing your samples with the world. There are merits to both sharing and not sharing, so figure out your whole (threat) model before just clicking on that option.

Process Explorer is, as you may have noticed, color-coded. This is explained in these two blog posts.

Under the Options tab, there’s also an option called Replace Task Manager, which, you guessed it, replaces Task Manager with Process Explorer. You can revert to Task Manager in the same way.

Also, note that malware (commonly) hides within svchost.exe – which is very nicely explained on the Malwarebytes blog I linked above. The reason is primarily that svchost.exe usually has a lot of child processes running at the same time, so it is kind of like security through obscurity. Or, in this case, maliciousness through obscurity.
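The point about svchost.exe is easier to act on with a rule of thumb: the genuine service host lives at C:\Windows\System32\svchost.exe, is started by services.exe, and always carries a -k service-group argument. The following added PowerShell example (not from the original post) applies exactly those checks to the running process list, the way you would eyeball the tree in Process Explorer. The name regex and the reason labels are this example's own.

```powershell
# Added example: flag svchost.exe processes (and lookalike names) that do not match the
# profile of the genuine Windows service host. Run elevated so ExecutablePath and
# CommandLine are readable for system processes.
$system32Host = Join-Path $env:SystemRoot 'System32\svchost.exe'
$all   = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

$suspects = foreach ($p in $all) {
    # Match svchost.exe itself plus common lookalikes such as svch0st.exe or scvhost.exe.
    if ($p.Name -notmatch '^s[vc]{1,2}h[o0]st\.exe$') { continue }

    $parent  = $byPid[[int]$p.ParentProcessId]
    $reasons = @()
    if ($p.Name -ne 'svchost.exe') { $reasons += 'lookalike name' }
    if ($p.ExecutablePath -and $p.ExecutablePath -ne $system32Host) {
        $reasons += "image at $($p.ExecutablePath)"
    }
    if ($parent -and $parent.Name -ne 'services.exe') {
        $reasons += "parent is $($parent.Name) (PID $($parent.ProcessId))"
    }
    if ($p.CommandLine -and $p.CommandLine -notmatch '\s-k\s') {
        $reasons += 'no -k service group on the command line'
    }

    if ($reasons.Count -gt 0) {
        [PSCustomObject]@{
            PID     = $p.ProcessId
            Name    = $p.Name
            Parent  = if ($parent) { $parent.Name } else { '<exited>' }
            Reasons = ($reasons -join '; ')
        }
    }
}

if ($suspects) { $suspects | Format-Table -AutoSize } else { 'All svchost.exe instances match the expected profile.' }
```

A parent that has already exited shows up as <exited>; that alone is not suspicious, but an svchost.exe whose parent is explorer.exe, cmd.exe or a browser is exactly the case the Malwarebytes post warns about.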


Process Monitor

Process Monitor or Procmon is a Windows monitoring tool; as per Microsoft’s documentation:

“Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit.” 

Process Monitor will capture an enormous number of events in no time! 

Just as I started the app, it already has captured 78k events! By the end of the capture (around 81%), it shows ~5 million events!

This is probably one of the best guides to configure this little beast of a tool. It is an essential piece of info since you’d want to figure out what filters to use for your specific Procmon needs.
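Before you can pick filters, you need a capture to look at, and a short unattended one is often more useful than a multi-million-event live session. The following added PowerShell example (not from the original post) drives Procmon from the command line with its documented switches, exports the trace to CSV and summarises which process/operation pairs dominate. It assumes Procmon.exe is on PATH (for example after the winget install mentioned above); the paths under $env:TEMP and the 20-second window are this example's own choices.

```powershell
# Added example: unattended Procmon capture, CSV export and a first summary of the noise.
$pml = Join-Path $env:TEMP 'trace.pml'
$csv = Join-Path $env:TEMP 'trace.csv'
Remove-Item $pml, $csv -ErrorAction SilentlyContinue

# Start capturing straight into a backing file with no EULA prompt or window.
Start-Process procmon.exe -ArgumentList '/AcceptEula', '/Quiet', '/Minimized', "/BackingFile `"$pml`""
Start-Sleep -Seconds 20

# /Terminate tells the capturing instance to stop and exit; give it a moment to flush the file.
Start-Process procmon.exe -ArgumentList '/Terminate' -Wait
Start-Sleep -Seconds 3

# Open the binary .PML and save it as CSV (Procmon picks the export format from the extension).
Start-Process procmon.exe -ArgumentList '/AcceptEula', '/Quiet', "/OpenLog `"$pml`"", "/SaveAs `"$csv`"" -Wait

$events = Import-Csv $csv
"{0} events captured in 20 seconds" -f $events.Count

# Which process performed which operation most often: these are the first candidates
# for an Exclude filter, or, during an investigation, the first things to Include.
$events |
    Group-Object 'Process Name', Operation |
    Sort-Object Count -Descending |
    Select-Object -First 15 Count, Name |
    Format-Table -AutoSize

# Registry writes are a good hunting slice (see the Autoruns section above).
$events |
    Where-Object { $_.Operation -in 'RegSetValue', 'RegCreateKey' -and $_.Result -eq 'SUCCESS' } |
    Select-Object 'Time of Day', 'Process Name', PID, Operation, Path |
    Select-Object -First 20 |
    Format-Table -AutoSize
```

Once you know which filters you want, save them from the GUI (Filter > Save Filter) and pass the exported .PMC with /LoadConfig so every unattended capture starts with the same view.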


PSExec

Now this one is already somewhat infamous. Chances are you’ve heard of PSExec if you’re in Cyber. It is associated with the following MITRE techniques:

  • T1021.002 – Remote Services: SMB/Windows Admin Shares
  • T1569.002 – System Services: Service Execution
  • T1570 – Lateral Tool Transfer

Docs:

“PsExec is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. PsExec’s most powerful uses include launching interactive command-prompts on remote systems and remote-enabling tools like IpConfig that otherwise do not have the ability to show information about remote systems.”

Also, check out this resource for in-depth information on PSExec.

It’s all about sharing, or rather remote administration, which we all know can be dangerous if not done right.
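Because PsExec works by installing a service on the target (T1569.002 above), the target's own System log records every use as event ID 7045, "A service was installed in the system", with the service name PSEXESVC. Here is an added PowerShell example (not from the original post) that pulls those events and decodes their event data so you can see who installed what; the function name and its -Days parameter are this example's own.

```powershell
# Added example: find PsExec service installations in the local System log. Run elevated
# on the machine being examined (or against a forwarded-event collector).
function Find-PsExecServiceInstall {
    param([int]$Days = 7)

    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # 7045 carries ServiceName, ImagePath, ServiceType, StartType and AccountName as EventData.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # PsExec's service can be renamed with its -r switch, so do not rely on the name alone:
        # the image path of the dropped service binary is a second, independent indicator.
        $looksLikePsExec = ($data['ServiceName'] -match 'PSEXESVC') -or ($data['ImagePath'] -match 'PSEXESVC')

        [PSCustomObject]@{
            Time            = $_.TimeCreated
            Computer        = $_.MachineName
            ServiceName     = $data['ServiceName']
            ImagePath       = $data['ImagePath']
            RunAs           = $data['AccountName']
            LooksLikePsExec = $looksLikePsExec
        }
    }
}

# Last 30 days of PsExec-looking service installs; an empty result is the normal case on a workstation.
Find-PsExecServiceInstall -Days 30 | Where-Object LooksLikePsExec | Format-Table -AutoSize
```

The same query is the basis of the usual SIEM rule for this technique; pairing it with 4624 logon events (type 3, network) from the same time window tells you which account drove the session.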

File and disk utilities


Streams

Another useful and interesting tool is called Streams. As per the MS docs:

“The NTFS file system provides applications the ability to create alternate data streams of information. By default, all data is stored in a file’s main unnamed data stream, but by using the syntax ‘file:stream’, you are able to read and write to alternates. Not all applications are written to access alternate streams, but you can demonstrate streams very simply. First, change to a directory on a NTFS drive from within a command prompt. Next, type ‘echo hello > test:stream’. You’ve just created a stream named ‘stream’ that is associated with the file ‘test’. Note that when you look at the size of test it is reported as 0, and the file looks empty when opened in any text editor. To see your stream enter ‘more < test:stream’ (the type command doesn’t accept stream syntax so you have to use more).”

Why does this matter? We know some malware devs have been using ADS to hide their data. Further, if you, say, download a file from the Internet, an alternate stream on that file records that it was indeed downloaded from the Internet.

Zone.Identifier is the keyword here. And as you can see:

ADS, or Alternate Data Streams, are specific to Windows NTFS. Every file has at least one data stream, $DATA; if you ever need another one, that is where ADS comes in.

I can simply say:

echo This is my super secret password > secret.txt

Which creates the .txt file…

No nefarious stuff to be found here… but wait till we hide our secret in the ADS stream!

echo hidden in the stream... Pa$$w0rd1! > secret.txt:supersecret.txt

We check with CMD to see if everything went okay: use dir /r (a very sneaky command, as /r will also look for other streams – exactly what we want!)

One answer on Stackoverflow explains this nicely.

The /r option of CMD’s dir command calls FindFirstStreamW and FindNextStreamW on each file or directory in a listing in order to list its $DATA streams.

You can spot our hidden supersecret.txt stream in the listing. We can read it with a simple command:

notepad secret.txt:supersecret.txt

You can have more alternate data streams!

*Note the first column (which tells us the size in bytes) – this confirms that something is written in the ADS. The listing also gives us the ADS names.

notepad secret.txt:second.txt

*Note that you can do this for .exe files too, which is when it all becomes potentially scary. I covered .txt files, but the logic remains the same. Google this stuff, it’s fascinating and useful! It doesn’t matter if you’re an analyst or a Red teamer.

This attack vector might contain a slight element of creativity to it, but do not underestimate it.
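PowerShell has native ADS support (the -Stream parameter on Get-Item, Get-Content and Set-Content), so you can reproduce the whole demo above and, more usefully, sweep a directory for files that carry extra streams. The following added example (not from the original post, and not the Streams tool itself) does both and also prints the Zone.Identifier contents that mark downloaded files; the helper name and the ads-demo folder under $env:TEMP are this example's own.

```powershell
# Added example: enumerate alternate data streams under a directory (what dir /r and
# Sysinternals Streams show) and decode Zone.Identifier for downloaded files.
function Get-AlternateStreams {
    param([string]$Path = '.')

    Get-ChildItem -Path $Path -File -Recurse -Force | ForEach-Object {
        # Every file has the unnamed :$DATA stream; anything else is an ADS.
        Get-Item -LiteralPath $_.FullName -Stream * |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                $zone = $null
                if ($_.Stream -eq 'Zone.Identifier') {
                    # ZoneId=3 means Internet; newer Windows builds also record ReferrerUrl/HostUrl.
                    $zone = (Get-Content -LiteralPath $_.FileName -Stream $_.Stream -Raw).Trim()
                }
                [PSCustomObject]@{
                    File   = $_.FileName
                    Stream = $_.Stream
                    Bytes  = $_.Length
                    Zone   = $zone
                }
            }
    }
}

# Reproduce the post's demo in a scratch folder (constructed sample data).
$demo = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -Path "$demo\secret.txt" -Value 'This is a harmless text file'
Set-Content -Path "$demo\secret.txt" -Stream 'supersecret.txt' -Value 'hidden in the stream'
Set-Content -Path "$demo\secret.txt" -Stream 'second.txt'      -Value 'a second hidden stream'

# Lists both hidden streams with their sizes, like dir /r does.
Get-AlternateStreams -Path $demo | Format-Table -AutoSize

# The same sweep over your Downloads folder shows Zone.Identifier on everything fetched from the web.
Get-AlternateStreams -Path "$env:USERPROFILE\Downloads" | Where-Object Stream -eq 'Zone.Identifier' | Select-Object -First 5
```

Remove-Item -Stream <name> deletes a single stream without touching the file, which is how you strip a stray ADS once you have looked at it; the Unblock-File cmdlet is just that operation applied to Zone.Identifier.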

SDelete

Secure Delete, as it promises, deletes files securely. Per Microsoft’s documentation, it “…implements the Department of Defense clearing and sanitizing standard DOD 5220.22-M, to give you confidence that once deleted with SDelete, your file data is gone forever.”


A reliable, simple and software-based way to securely delete data. You can always use a magnet or a hammer too.


Sigcheck

A CLI utility that gives you a file’s version number, timestamp information and digital signature details (as well as certificate chains). It also has an option to check against VirusTotal.

I can quickly check my executables for any unsigned ones (on Windows systems, all the .exes are to be found in the C:\Windows\System32 directory – except Explorer.exe! Explorer.exe is located in the C:\Windows path).

I check by issuing a command:

sigcheck -u -e C:\Windows\System32


From MS docs:

-e Scan executable images only (regardless of their extension)

-u If VirusTotal check is enabled, show files that are unknown by VirusTotal or have non-zero detection, otherwise, show only unsigned files.

If you get a match here, you should probably investigate that executable.
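Reading Sigcheck's console listing works for a handful of hits, but for a whole tree its CSV mode is the better fit, because the output becomes objects you can filter, sort and keep for later comparison. The following added PowerShell example (not from the original post) wraps the same unsigned-executable check in that form; it assumes sigcheck.exe is on PATH, and the function name and its default directory are this example's own.

```powershell
# Added example: run Sigcheck in CSV mode over a directory tree and filter the result.
function Get-SigcheckReport {
    param([string]$Directory = "$env:SystemRoot\System32")

    # -c  CSV output          -e  executable images only (any extension)
    # -s  recurse             -h  include MD5/SHA1/SHA256 hash columns
    # -accepteula / -nobanner keep the output machine-readable.
    $raw = & sigcheck.exe -accepteula -nobanner -c -e -s -h $Directory 2>$null
    # Sigcheck prints a header row first, so the text converts straight into objects.
    $raw | ConvertFrom-Csv
}

$report = Get-SigcheckReport

# Anything whose Verified column is not "Signed" (Unsigned, or a chain that does not
# validate) is what the post's sigcheck -u run would have listed.
$unsigned = $report | Where-Object { $_.Verified -ne 'Signed' }

"{0} executables scanned, {1} not verified as signed" -f $report.Count, @($unsigned).Count
$unsigned |
    Select-Object Path, Verified, Publisher, Description, SHA256 |
    Format-Table -AutoSize

# Keep a baseline; diffing two runs shows new or changed binaries in the tree.
$report | Export-Csv -Path (Join-Path $env:TEMP 'sigcheck-baseline.csv') -NoTypeInformation
```

The SHA256 column is what you would submit to VirusTotal (Sigcheck's -v switch does that for you, with the same sharing caveat raised in the Process Explorer section).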

Honorable Mentions

Don’t disregard this paragraph. These tools are not less important or potent; I just didn’t have the space, or chose otherwise, but I will briefly touch upon these few tools here. The reason is that I covered just two of the five categories the Suite offers (or six if you count Misc).

  • Sysmon (Security utilities)
  • TCPView (Networking utilities)
  • Strings

Sysmon is extremely powerful. You can think of it as an Event Viewer with much more detail and control. Sysmon can be used to hunt for malware, Metasploit, Mimikatz, persistence, etc. All the usual suspects, and more!

Strings – Working on NT and Win2K means that executables and object files will many times have embedded UNICODE strings that you cannot easily see with a standard ASCII strings or grep programs. So we decided to roll our own. Strings just scans the file you pass it for UNICODE (or ASCII) strings of a default length of 3 or more UNICODE (or ASCII) characters. Note that it works under Windows 95 as well. Source.

Strings extracted from malware samples can provide valuable insight. You can also use it to scan/analyze binaries in general. Useful.
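The quoted description makes the point that the interesting part of Strings is UNICODE (UTF-16LE) extraction, which a plain ASCII strings or grep misses. To show what that actually means at the byte level, here is an added PowerShell example (not from the original post, and not Sysinternals' code) that re-implements the core of the tool with two regular expressions, one for printable ASCII runs and one for the same characters interleaved with 0x00 bytes. The function name and the notepad.exe sample target are this example's own.

```powershell
# Added example: extract printable ASCII and UTF-16LE strings from a binary, like Strings does.
function Get-EmbeddedStrings {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$MinLength = 3          # Strings' default minimum is 3 characters too
    )

    $bytes = [IO.File]::ReadAllBytes($Path)
    # Decode as Latin-1 (code page 28591) so every byte maps to exactly one character;
    # the regexes can then see raw byte values, including the 0x00 of UTF-16LE.
    $text = [Text.Encoding]::GetEncoding(28591).GetString($bytes)

    # ASCII: runs of printable characters, space (0x20) through tilde (0x7E).
    $ascii = [regex]::Matches($text, "[\x20-\x7E]{$MinLength,}") | ForEach-Object {
        [PSCustomObject]@{ Offset = $_.Index; Encoding = 'ASCII'; Value = $_.Value }
    }

    # UTF-16LE: each printable ASCII code point is the byte followed by 0x00.
    $wide = [regex]::Matches($text, "(?:[\x20-\x7E]\x00){$MinLength,}") | ForEach-Object {
        [PSCustomObject]@{ Offset = $_.Index; Encoding = 'UTF-16LE'; Value = ($_.Value -replace "`0", '') }
    }

    @($ascii) + @($wide) | Sort-Object Offset
}

# Windows binaries keep their version resources and UI text in UTF-16LE, so these are the
# strings a plain ASCII-only tool would miss.
Get-EmbeddedStrings -Path "$env:SystemRoot\System32\notepad.exe" -MinLength 8 |
    Where-Object Encoding -eq 'UTF-16LE' |
    Select-Object -First 20 |
    Format-Table -AutoSize
```

On a malware sample the same output is where URLs, mutex names, registry paths and command-line templates tend to surface; filtering the Value column with -match for http, HKEY or .dll is usually the second step.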

TCPView – Technically, Windows already offers this functionality built-in within the Resource Monitor (you can call it from command-line with resmon) – you can find it under the Network tab.


As stated on the MS docs:

“TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections. On Windows Server 2008, Vista, and XP, TCPView also reports the name of the process that owns the endpoint. TCPView provides a more informative and conveniently presented subset of the Netstat program that ships with Windows. The TCPView download includes Tcpvcon, a command-line version with the same functionality.”


This is handy to have and can actually be used for some hunting too. Though, there might be better tools for the job.
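For hunting, the useful part of TCPView (and of the TCP/IP tab in Process Explorer) is the join between an endpoint and the process that owns it. The following added PowerShell example (not from the original post, and not Tcpvcon) builds that table from the built-in Get-NetTCPConnection and Get-NetUDPEndpoint cmdlets and then narrows it to established connections leaving the local network, the same view as the Firefox example earlier. The function name and the private-address regex are this example's own.

```powershell
# Added example: TCPView/Tcpvcon-style endpoint table with owning process name and image path.
function Get-EndpointTable {
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

    $tcp = Get-NetTCPConnection | ForEach-Object {
        $p = $procs[[int]$_.OwningProcess]
        [PSCustomObject]@{
            Proto   = 'TCP'
            Local   = "$($_.LocalAddress):$($_.LocalPort)"
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            State   = [string]$_.State
            PID     = $_.OwningProcess
            Process = $p.ProcessName
            Image   = $p.Path          # null for protected processes unless running elevated
        }
    }

    $udp = Get-NetUDPEndpoint | ForEach-Object {
        $p = $procs[[int]$_.OwningProcess]
        [PSCustomObject]@{
            Proto   = 'UDP'
            Local   = "$($_.LocalAddress):$($_.LocalPort)"
            Remote  = '*:*'
            State   = ''
            PID     = $_.OwningProcess
            Process = $p.ProcessName
            Image   = $p.Path
        }
    }

    @($tcp) + @($udp)
}

# RFC 1918, loopback and IPv6 local prefixes; everything else is "out there".
$localNets = '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|::1|fe80:|0\.0\.0\.0|::)'

Get-EndpointTable |
    Where-Object { $_.Proto -eq 'TCP' -and $_.State -eq 'Established' -and $_.Remote -notmatch $localNets } |
    Sort-Object Process, Remote |
    Format-Table Process, PID, Local, Remote, Image -AutoSize
```

An established connection owned by a process with no Image path, or by a process whose image sits under a user-writable directory such as %TEMP% or %APPDATA%, is the kind of row worth pivoting on with Process Explorer.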

Conclusion


This brings us to the end. I hope you liked the Sysinternals Suite introduction! I also hope to cover Sysmon in the future, so stay tuned.

Cover by Joshua Hanson

#sysinternals #procmon #autoruns #sdelete #procexp #psexec #streams #sigcheck #sysmon #strings #vicarius_blog

As part of our mission to secure the world’s OT, IoT and Cyber Physical infrastructures, we invest resources into offensive research of vulnerabilities and attack techniques.

Ripple20 is a set of 19 vulnerabilities revealed by the Israeli firm JSOF that affect millions of OT and IoT devices. The vulnerabilities reside in a TCP/IP stack developed by Treck, Inc. This TCP/IP stack is widely used by manufacturers in the OT and IoT industries and thus affects a tremendous number of devices.

Among the affected devices are Cisco Routers, HP Printers, Digi IoT devices, PLCs by Rockwell Automation and many more. Official advisories by companies who confirmed having affected devices can be found here, in the “More Information” section.

The most critical vulnerabilities are three that can cause a stable Remote Code Execution (CVE-2020-11896, CVE-2020-11897, CVE-2020-11901) and another that can cause the target device’s memory heap to be leaked (CVE-2020-11898).

On behalf of our customers, we set out to explore the real impact of these vulnerabilities, which we’re now sharing with the public.

The research has been conducted by researchers Maayan Fishelov and Dan Haim, and has been managed by SCADAfence’s Co-Founder and CTO, Ofer Shaked.

Exploitability Research
We set out to check the exploitability of these vulnerabilities, starting with CVE-2020-11898 (the heap memory leak vulnerability), one of the 19 published vulnerabilities.

We created a Python POC script based on JSOF’s official whitepaper for this vulnerability. According to JSOF, the implementation is very similar to CVE-2020-11896, an RCE vulnerability that is described in the whitepaper. The whitepaper also says of the RCE vulnerability: “Variants of this Issue can be triggered to cause a Denial of Service or a persistent Denial of Service, requiring a hard reset.”

Trial Results:
Test 1 target: Samsung ProXpress printer model SL-M4070FR firmware version V4.00.02.18 MAY-08-2017. This device is vulnerable according to the HP Advisory.

Test 1 result: The printer’s network stack crashed and required a hard reset to recover. We were unable to reproduce the heap memory leak as described, so on this specific printer the vulnerability would have been tagged as an unauthenticated remote DoS instead.

Test 2 target: HP printer model M130fw. This device is vulnerable according to the HP Advisory.

Test 2 result: Although reported as vulnerable by the manufacturer, we were unable to reproduce the vulnerability, and we believe that this device isn’t affected by this vulnerability. We believe that’s because the IPinIP feature isn’t enabled on this printer, which we’ve verified with a specially crafted packet.

Test 3 target: Undisclosed at this stage due to disclosure guidelines. We will reveal this finding in the near future.

Test 3 result: We found an unreported vendor and device, on which we can use CVE-2020-11898 to remotely leak 368 bytes from the device’s heap, disclosing sensitive information. No patch is available for this device. Due to our strict policy of using Google’s Responsible Disclosure, we’ve reported this to the manufacturer, to allow them to make a patch available prior to the publication date.

Key Takeaways
We’ve confirmed the exploitability of the vulnerabilities on our IoT lab devices.

On the negative side: The vulnerabilities exist on additional products that are unknown to the public. Attackers are likely to use this information gap to attack networks.
On the positive side: Some devices that are reported as affected by the manufacturers are actually not affected, or are affected by other vulnerabilities. This may force attackers to tailor their exploits to specific products, increasing the cost of exploitation, and prevents them from using the vulnerability on products that are reported as vulnerable but are not.

SCADAfence Research Recommendations

  • Check your asset inventory and vulnerability assessment solutions for unpatched products affected by Ripple20. The SCADAfence Platform creates an asset inventory with product and software versions, passively and actively, and allows you to manage your CVEs across all embedded and Windows devices.
  • Prioritize patching or other mitigation measures based on exposure to the internet, exposure to insecure networks (business LAN and others) and the criticality of the asset. This prioritization can be obtained automatically from tools such as the SCADAfence Platform.
  • Detect exploitation based on network traffic analysis. The SCADAfence Platform detects usage of these exploits in network activity by searching for patterns that indicate use of this vulnerability in TCP/IP communications.

If you have any questions or concerns about Ripple20, please contact us and we’ll be happy to assist you and share our knowledge with you or with your security experts.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About SCADAfence
SCADAfence helps companies with large-scale operational technology (OT) networks embrace the benefits of industrial IoT by reducing cyber risks and mitigating operational threats. Our non-intrusive platform provides full coverage of large-scale networks, offering best-in-class detection accuracy, asset discovery and user experience. The platform seamlessly integrates OT security within existing security operations, bridging the IT/OT convergence gap. SCADAfence secures OT networks in manufacturing, building management and critical infrastructure industries. We deliver security and visibility for some of world’s most complex OT networks, including Europe’s largest manufacturing facility. With SCADAfence, companies can operate securely, reliably and efficiently as they go through the digital transformation journey.