Commonly Abused Administrative Utilities: A Hidden Risk to Enterprise Security

Organizations tend to focus a significant amount of their efforts on external threats, such as phishing and ransomware, but they often overlook one of the most dangerous attack vectors on their internal networks.

The post Commonly Abused Administrative Utilities: A Hidden Risk to Enterprise Security appeared first on Black Hills Information Security, Inc..


Webcast: Group Policies That Kill Kill Chains

On this webcast, we’ll guide you through an iterative process of building and deploying effective and practical Group Policy Objects (GPOs) that increase security posture. Slides for this webcast can […]

The post Webcast: Group Policies That Kill Kill Chains appeared first on Black Hills Information Security, Inc..


Run applications and scripts using Acer's RunCmd

This weekend I was cleaning up an old Acer laptop of mine and discovered a hidden folder on the root drive, C:\OEM.

Inside is a bunch of interesting files; one of these is a tool called RunCmd_X64.exe.

The file is a legitimate and signed binary by Acer:

Figure 1 - Signed RunCmd_X64

The tool contains a useful help file as follows:

A tool to execute a command file.
RunCmd.exe filepath [/T | /F]
filepath full path name or file name
/T launch command file and open the console window
/F launch command file and hide the console window
If there is not any flag, /T or /F, the default situation is hiding window
Examples:
RunCmd.exe "D:\EnBT.cmd" /T
RunCmd.exe "EnBT.cmd" /F

Simply put, you can use Acer's tool as an alternative to the built-in command prompt, and to launch other applications! Additionally, using the /F parameter will hide the console window, which is also the default behaviour when no flag is given at all!

Some simple examples:

Run an application directly

Figure 2 - Running calc.exe

Run virtually anything using a script

Figure 3 - Running calc using a batch file

Note that since no parameter is used, the RunCmd tool runs silently, and tools such as Process Explorer show the launched process with a parent that no longer exists.

In theory, you can run any script or scriptlet using Acer's tool to execute "command files" :)

For attackers

This "LOLBin" (or, at the least, a legitimate and signed binary that can be reused for malicious purposes) has the following MD5 hash:

RunCmd_X64 - d71fb1b03bf84fae29af9b2dc525ba33

There is also a 32-bit version; however, this binary is not signed.

RunCmd - 4d50588568cae95331f00cbdb52be37a


For defenders

See "For attackers". Additionally, the RunCmd tool will attempt to create a folder named "RunCmdLog" to store logfiles. An example logfile is as follows:

2019-03-17 21:00:37 [  193C] TRACE main - ENTER: main
2019-03-17 21:00:37 [  193C] TRACE main - EXIT: main
2019-03-17 21:00:37 [  193C] INFO main - Para 1: calc.bat
2019-03-17 21:00:37 [  193C] INFO main - Para 2:
2019-03-17 21:00:37 [  193C] INFO main - command: C:\Tools\Acer\calc.bat
2019-03-17 21:00:37 [  193C] INFO main - command success

Log file names have the following format:
%s%02d-%02d-%02d %02d-%02d-%02d.log

Where %s is RunCmd and each %02d is a zero-padded component of the execution date and time (year, month, day, then hour, minute, second). For the example above, the log file is named:
RunCmd2019-03-17 21-00-37.log
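As an added example for defenders (not code from the original post), the following Python parses a RunCmdLog filename for its execution time and pulls the executed command and its status out of the log entries shown above. The sample log is constructed from the post's example; the filename and line formats are assumed to be exactly as the post documents them.

```python
import re
from datetime import datetime

# Filename format from the post: RunCmd<YYYY-MM-DD HH-MM-SS>.log
LOG_NAME_RE = re.compile(
    r"^RunCmd(\d{4})-(\d{2})-(\d{2}) (\d{2})-(\d{2})-(\d{2})\.log$"
)
# One entry: timestamp, bracketed (space-padded) thread id, level, logger, message
LOG_LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[\s*([0-9A-Fa-f]+)\] "
    r"(\w+) (\w+) - (.*)$"
)

# Constructed sample: the entries from the post, not collected from a live host
SAMPLE_LOG = """\
2019-03-17 21:00:37 [  193C] TRACE main - ENTER: main
2019-03-17 21:00:37 [  193C] TRACE main - EXIT: main
2019-03-17 21:00:37 [  193C] INFO main - Para 1: calc.bat
2019-03-17 21:00:37 [  193C] INFO main - Para 2:
2019-03-17 21:00:37 [  193C] INFO main - command: C:\\Tools\\Acer\\calc.bat
2019-03-17 21:00:37 [  193C] INFO main - command success
"""

def parse_log_filename(name):
    """Return the execution time encoded in a RunCmdLog filename, or None."""
    m = LOG_NAME_RE.match(name)
    if not m:
        return None
    return datetime(*map(int, m.groups()))

def parse_log_lines(text):
    """Yield (timestamp, thread_id, level, message); skip malformed lines."""
    for line in text.splitlines():
        m = LOG_LINE_RE.match(line)
        if m:
            ts, tid, level, _logger, msg = m.groups()
            yield ts, tid, level, msg

def executed_commands(text):
    """Return each command path RunCmd recorded, with the status line that followed it."""
    results, current = [], None
    for _ts, _tid, _level, msg in parse_log_lines(text):
        if msg.startswith("command: "):
            current = {"command": msg[len("command: "):], "status": None}
            results.append(current)
        elif current is not None and msg.startswith("command "):
            # e.g. "command success" -> "success" (other statuses are assumed)
            current["status"] = msg[len("command "):]
    return results
```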

Why try using LOLBins when you can use tools installed by the manufacturer?


Resources

Github - Living Off The Land Binaries and Scripts (and also Libraries)
Hexacorn - Reusigned Binaries – Living off the signed land
