Comments on Windows Incident Response: Links: Plugin Updates and Other Things
(12 comments, newest first)

Thierry_Fr (2016-03-23 09:33 -05:00):

Hi,

In fact, the problem was still there.

IMHO, the links you refer to and the links I found concerning the "Sysproc" key don't state that the programs registered in this key will be automatically launched at logon...

So I've just made a test. I added "calc.exe" in the sysprocs key of a Windows Seven computer. I connected via remote desktop, but "calc" did not pop up when I logged on and wasn't present in the task manager.

Reading the Symantec report I identified what could be classical persistence mechanisms (service, winlogon-notify), but I'm really not sure for the "sysprocs" key. I must admit that I don't know why this key is added by the malware. Maybe I misunderstood some point.

Thanks in advance.

Thierry_Fr

H. Carvey (2016-03-22 16:48 -05:00):

Was it helpful?

Thierry_Fr (2016-03-22 16:44 -05:00):

Thanks for taking time to answer.

H. Carvey (2016-03-16 10:36 -05:00):

@Thierry_Fr,

Try clicking on the link in the comment.

Also, there's a link in the header to the plugin in the "References" section that might be of help.

Thanks.

Anonymous (Thierry_Fr) (2016-03-16 10:29 -05:00):

Hi,

Thanks for your answer.

In this post you made the following remark:

"Also, I ran across a report of malware using a persistence mechanism I hadn't seen before, so I updated termserv.pl to address the "new" key."

You updated the "termserv.pl" RegRipper plugin (a really great tool!):

# termserv.pl
# Plugin for Registry Ripper;
#
# Change history
# 20160224 - added SysProcs info"

So my comment concerns this persistence mechanism. Maybe you can give me some clarifications on this.

Thanks a lot.

Thierry_Fr

H. Carvey (2016-03-11 11:47 -05:00):

Thierry_Fr,

I'm sorry, but I don't follow your comment...what does the "Sysprocs" key have to do with this post? I'm not sure that I'm clear on the context.

Thanks.

Anonymous (Thierry_Fr) (2016-03-11 10:32 -05:00):

Hi,

Thanks for your post and for sharing.

I've made a few searches on the "Sysprocs" key but couldn't figure out how it is a persistence mechanism. According to my understanding, a remote desktop session won't close correctly if a program launched at logon (or one of its children) takes time to terminate, because the operating system won't terminate this program automatically. Adding a value for this program in the "sysprocs" key will allow the OS to automatically terminate this program when ending the session.

Do you mean that by adding a value in this key, the program will automatically be launched when a Remote Desktop session starts?

Thierry_Fr

H. Carvey (2016-02-25 08:16 -05:00):

So, it sounds like the process tree would look something like this:

WINWORD.EXE /n /dde...
  cmd.exe /V /C set...
    wscript.exe ....

Does this look right?

If so, it would seem that the user would see something running, due to the use of wscript.exe over cscript.exe.

I'd still like to see the actual process tree, with the complete set of arguments.

Anonymous (2016-02-25 07:24 -05:00):

No, the next thing is WScript.exe for executing the VB script. At least for monitoring purposes, wscript executing VBS from AppData could be monitored (or blocked completely). Or Word starting cmd.exe.

I found the JS here; most of it looks the same as Decalage's version:
http://pastebin.com/V5KdeTb6

H. Carvey (2016-02-25 07:08 -05:00):

@Anonymous,

Thanks, but is that it? Is that all there is?

Anonymous (2016-02-25 07:03 -05:00):

In the referenced HA report within the article from Decalage, the following process tree is shown:

WINWORD.EXE /n /dde
  cmd.exe /V /C set

Is this what you asked for?

StephenB (2016-02-24 21:58 -05:00):

Harlan:
I very much enjoy your posts. Thanks for the work you do and for sharing it here.
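The comment thread above discusses two detection ideas for the Word macro chain (Word starting cmd.exe, and wscript.exe running a .vbs from AppData) and asks to see the full process tree with arguments. The following is an added example, not code from the original post, from the commenters, or from the RegRipper project: it reconstructs a parent/child process tree from constructed Sysmon-style process-creation events (the PIDs, image paths and command lines are made up for illustration) and applies both rules, generalizing slightly by also covering Excel/PowerPoint as parents and cscript.exe as the script host.

```python
"""Process-tree reconstruction plus two detections for the
WINWORD.EXE -> cmd.exe -> wscript.exe chain discussed in the comments.
Added example; the event records below are constructed to resemble the
fields of Sysmon Event ID 1 (ProcessId, ParentProcessId, Image, CommandLine)
and are not taken from any real report."""
import ntpath
import re
from dataclasses import dataclass, field

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Directories an unprivileged user can write to. A script host launched with a
# script from one of these is the condition the commenter proposed monitoring.
USER_WRITABLE = re.compile(r"\\(appdata|temp|tmp|downloads)\\", re.IGNORECASE)
SCRIPT_ARG = re.compile(r'"?([^"\s]+\.(?:vbs|vbe|js|jse|wsf))"?', re.IGNORECASE)


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    children: list = field(default_factory=list)

    @property
    def name(self) -> str:
        return ntpath.basename(self.image).lower()


# Constructed sample events (hypothetical PIDs, paths and arguments).
SAMPLE_EVENTS = [
    dict(pid=400, ppid=1, image=r"C:\Windows\explorer.exe", cmdline="explorer.exe"),
    dict(pid=1204, ppid=400,
         image=r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
         cmdline='"WINWORD.EXE" /n /dde'),
    dict(pid=2288, ppid=1204, image=r"C:\Windows\System32\cmd.exe",
         cmdline=r'cmd.exe /V /C set d=%APPDATA%&& wscript !d!\upd.vbs'),
    dict(pid=2300, ppid=2288, image=r"C:\Windows\System32\wscript.exe",
         cmdline=r'wscript.exe "C:\Users\alice\AppData\Roaming\upd.vbs"'),
    # Benign control: a script host running a script that lives under System32.
    dict(pid=3100, ppid=400, image=r"C:\Windows\System32\cscript.exe",
         cmdline=r"cscript.exe //nologo C:\Windows\System32\slmgr.vbs /dli"),
]


def build_tree(events):
    """Link each process to its parent by PID; roots keep a parent outside the set."""
    procs = {e["pid"]: Proc(e["pid"], e["ppid"], e["image"], e["cmdline"]) for e in events}
    for p in procs.values():
        parent = procs.get(p.ppid)
        if parent is not None:
            parent.children.append(p)
    return procs


def ancestors(p, procs):
    """Yield parent, grandparent, ... until the chain leaves the event set."""
    while p.ppid in procs:
        p = procs[p.ppid]
        yield p


def detect(procs):
    """Return (rule, pid) hits for the two behaviours discussed in the thread."""
    hits = []
    for p in procs.values():
        parent = procs.get(p.ppid)
        if p.name in SHELLS and parent is not None and parent.name in OFFICE_APPS:
            hits.append(("office_spawns_shell", p.pid))
        if p.name in SCRIPT_HOSTS:
            m = SCRIPT_ARG.search(p.cmdline)
            if m and USER_WRITABLE.search(m.group(1)):
                hits.append(("script_host_from_user_dir", p.pid))
    return hits


def render_chain(pid, procs):
    """Root-first ancestry of one process, each level indented, full command lines:
    the view with complete arguments that the thread asked for."""
    chain = list(ancestors(procs[pid], procs))[::-1] + [procs[pid]]
    return "\n".join("  " * depth + p.cmdline for depth, p in enumerate(chain))


if __name__ == "__main__":
    tree = build_tree(SAMPLE_EVENTS)
    for rule, pid in detect(tree):
        print(f"[{rule}] pid {pid}")
        print(render_chain(pid, tree))
```

Both rules key on parent/child relationships and on the script path rather than on a file hash, so they survive the JS/VBS being re-obfuscated; the benign cscript.exe record shows why the path check matters, since blocking every script host outright would also break administrative scripts run from System32.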