Abusing Trusted Applications with Nested Execution


Recently, my co-founders gave a talk at DerbyCon 7.0 on evading common persistence enumeration tools. Evasion using trusted applications has been a hot topic of discussion within the infosec community and is one of the techniques they covered in their presentation. However, very little discussion exists on why these matter or the steps researchers take to find “hosting” applications. This blog gives some background on the how and why.

While reviewing a suspicious item that Huntress detected on one of our Partner’s hosts, we noticed a group of unfamiliar services (totally unrelated to the suspicious item):

Different services, same executable

Each service had a unique name, but all shared the same executable. Although it’s not uncommon for shared services to use the same binary (see svchost.exe), this particular service gets a bit more interesting under the hood:

Full command executed for each service.

In the image above, note that one executable is passed another executable as an argument. WseClientSvc.exe is a signed Microsoft binary. Can we have it start something arbitrary, like calc.exe?

Error returned when attempting to directly launch calc.exe

Obviously no luck there, but the error is interesting: “Could not load file or assembly ‘file:///c:\windows\system32\calc.exe’…”. It looks like the service actually tried to load calc.exe. A .NET decompiler shows what is going on.

Sure enough, it simply invokes whatever file is named in its argument. Now back to the error message from the calc.exe attempt: “The module was expected to contain an assembly manifest”. This indicates it expects a .NET executable. Let’s make our own.

Simple pass-through program

Now we can try again, this time calling “WseClientSvc.exe passthru.exe calc.exe”:

It worked!

The WseClientSvc.exe and the services we found are all installed as part of the Windows Server Essentials Connector for Windows Server 2012 R2. The MSI log shows a standard service install.

The services themselves use the ProviderServiceBase class, which provides a generic Windows Service host environment for ProviderHost objects. All of this ships with the Windows Server 2012 Essentials SDK. So it seems someone could use the SDK to create a pass-through service that runs under the signed WseClientSvc.exe (making it look like a legitimate Windows service) and calls any arbitrary executable?
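A defender-side check for the pattern described above, written here as an added example and not code from this post or from Huntress: it parses service ImagePath strings, groups services by the binary they share (the first screenshot), and flags entries where WseClientSvc.exe is handed an assembly outside its expected install directory or an argument chain that hands off to a further executable. The expected install directory and the service records are assumptions constructed for the example.

```python
import ntpath
import shlex

# The signed host binary discussed above: it loads the file named as its
# first argument, so every service built on it deserves a look.
NESTING_HOSTS = {"wseclientsvc.exe"}

# Assumed location of the legitimate provider assemblies (an assumption for
# this example; adjust to what the connector installs on your hosts).
EXPECTED_DIRS = (r"c:\program files\windows server\bin",)

EXEC_SUFFIXES = (".exe", ".dll")

# Constructed sample of (service name, ImagePath) records, not real telemetry.
SAMPLE_SERVICES = [
    ("WseProviderA", r'"C:\Program Files\Windows Server\Bin\WseClientSvc.exe" "C:\Program Files\Windows Server\Bin\ProviderA.dll"'),
    ("WseProviderB", r'"C:\Program Files\Windows Server\Bin\WseClientSvc.exe" "C:\Program Files\Windows Server\Bin\ProviderB.dll"'),
    ("UpdaterSvc", r'"C:\Program Files\Windows Server\Bin\WseClientSvc.exe" C:\Users\Public\passthru.exe C:\Windows\System32\calc.exe'),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe"),
]


def split_command(image_path):
    """Tokenise an ImagePath, keeping backslashes and dropping outer quotes."""
    return [t.strip('"') for t in shlex.split(image_path, posix=False)]


def services_sharing_binary(services):
    """Group service names by the executable they run (many services, one binary)."""
    groups = {}
    for name, image_path in services:
        tokens = split_command(image_path)
        if tokens:
            groups.setdefault(ntpath.basename(tokens[0]).lower(), []).append(name)
    return groups


def assess_service(name, image_path):
    """Return a finding for services run by a nesting host, else None."""
    tokens = split_command(image_path)
    if not tokens or ntpath.basename(tokens[0]).lower() not in NESTING_HOSTS:
        return None
    payloads = [t for t in tokens[1:] if t.lower().endswith(EXEC_SUFFIXES)]
    reasons = []
    if not payloads:
        reasons.append("host invoked without an assembly argument")
    else:
        if not ntpath.dirname(payloads[0]).lower().startswith(EXPECTED_DIRS):
            reasons.append("hosted file outside expected directory")
        if len(payloads) > 1:
            reasons.append("argument chain hands off to another executable")
    return {"service": name, "host": tokens[0], "payloads": payloads, "reasons": reasons}


def suspicious_services(services):
    """Only the findings that carry at least one reason."""
    return [f for f in (assess_service(n, p) for n, p in services) if f and f["reasons"]]


if __name__ == "__main__":
    for hit in suspicious_services(SAMPLE_SERVICES):
        print(hit["service"], hit["payloads"], hit["reasons"])
```

On a live host the records would come from the service control manager (for example the ImagePath values under HKLM\SYSTEM\CurrentControlSet\Services) rather than the constructed list.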
