
Thursday, May 8, 2025

Windows: Process Monitor

This post covers some basics of Process Monitor, a tool in the Sysinternals Suite, the set of Windows utilities created by Mark Russinovich.

The tool can be downloaded on its own, or as part of the entire Sysinternals Suite (about 170 MB).

While drafting this post I wanted to pin down the difference between Process Monitor and Process Explorer, which can be summarized as follows:

Process Monitor (Procmon64)

Captures live information about how processes interact with the file system, registry and network, plus process and thread activity (process creation, thread creation, image loads). Much like Wireshark you can save capture logs, reopen them later and filter them.

Process Explorer 

Displays other aspects of the processes, such as handles, loaded DLLs, memory usage and resource consumption. It shows how processes are related to each other as parent and child in a tree view. Process Explorer can also serve as a "task manager on steroids" and can be set to replace Task Manager as the default app (Options > Replace Task Manager).

Using Procmon64

This section explains how to create a basic capture and how to save it with a filter applied. Process Monitor starts gathering events as soon as it launches; Ctrl+E toggles capturing, so press it once to stop if you are not ready yet. Ctrl+X clears the event view.

When you are ready to launch the program you are troubleshooting or analyzing, start capturing events with Ctrl+E.

When you have reached the point you are interested in, stop the capture with Ctrl+E again.

Next you will probably want to apply filters; Ctrl+L opens the filter dialog.

As an example I took powershell.exe.

Select the column "Process Name" and the relation "contains", and type the name of the program in the textbox (for my example I just wrote powershell). Click Add, then Apply, and the main window now shows only the matching events.

If you only want registry queries, for example, add a second filter: "Operation", "contains", "RegQuery". Filters on different columns are combined with AND, so an event has to match both conditions to be shown.

To save your log use Ctrl+S. The native format is .pml, but .xml and .csv can be chosen as well, and you can save either all events or only the ones that pass the current filter.
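The same capture, filter and save workflow can be driven from PowerShell with Procmon's documented command-line switches, which is handy when you want a repeatable capture on a machine you are not sitting at. This is an added example, not code from the post or from Sysinternals; the location of Procmon64.exe in $procmon and the PowerShell child process used as the workload are assumptions. Run it from an elevated prompt, because Procmon needs to load its driver.

```powershell
# Added example (not from the original post or from Sysinternals).
# Assumption: Procmon64.exe has been unpacked to $env:ProcmonDir; adjust as needed.
$procmon = Join-Path $env:ProcmonDir 'Procmon64.exe'
$log = Join-Path $env:TEMP 'capture.pml'
$csv = Join-Path $env:TEMP 'capture.csv'

# Start capturing straight into a backing file. /Quiet suppresses the filter dialog,
# /Minimized keeps the window out of the way.
Start-Process -FilePath $procmon -ArgumentList '/AcceptEula', '/Quiet', '/Minimized', "/BackingFile `"$log`""
Start-Sleep -Seconds 3   # give the driver a moment to come up before the workload runs

# The thing being troubleshot; here an assumed workload that touches the registry.
Start-Process -FilePath powershell.exe -Wait -WindowStyle Hidden -ArgumentList `
    '-NoProfile', '-Command', 'Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion | Out-Null'

# /Terminate tells the running Procmon instance to stop capturing and exit.
Start-Process -FilePath $procmon -ArgumentList '/Terminate' -Wait

# Convert the PML to CSV; the output format is chosen by the file extension.
Start-Process -FilePath $procmon -Wait -ArgumentList '/AcceptEula', '/Quiet', "/OpenLog `"$log`"", "/SaveAs `"$csv`""

# Equivalent of the two GUI filters: Process Name contains "powershell" AND Operation contains "RegQuery".
# Column names are the ones Procmon writes into its CSV export.
$events = Import-Csv -Path $csv
$hits = $events | Where-Object { $_.'Process Name' -like '*powershell*' -and $_.Operation -like '*RegQuery*' }

"{0} events captured, {1} match the filter" -f $events.Count, $hits.Count
$hits | Select-Object 'Time of Day', 'Process Name', PID, Operation, Path, Result | Format-Table -AutoSize
```

Keep the .pml as the evidence file and treat the CSV as a working copy: the CSV loses the per-event stack traces and the process tree that the native format preserves.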

Cybersecurity: Living off the land

Living off the land means using resources that are already on the machine, as opposed to bringing external or home-made tools to the target device. The LOTL technique relies on native tools, which makes intrusion detection harder: they leave a minimal footprint and are generally treated as trusted because they ship with the operating system.

These native binaries can, for example, be abused to break out of restricted shells, to download files or to execute arbitrary code, and curated catalogues of such tricks exist for both Unix (GTFOBins) and Windows (LOLBAS).

Recently I watched a video from John Hammond that covered this technique. The YouTube video was in turn largely based on research by Grzegorz Tworek.

I had previously seen how replacing utilman.exe with cmd.exe (swapping the file from outside the running Windows installation) gives a SYSTEM-level command prompt at the logon screen, and the video showed a replacement of the same kind. In Grzegorz's example, which John walks through in the video, the native program tpmtool spawns cmd.exe, which in turn invokes logman.exe in an unsafe way. The mechanism is similar to "binary planting" and "DLL hijacking": the computer is simply tricked into executing something other than what was intended.

This is how he demonstrated the technique:

With Procmon64 capturing, the command "tpmtool drivertracing stop" was run in cmd, which resulted in an error. He then filtered on tpmtool, the process under investigation, and ran the command again. This showed that tpmtool launches another cmd.exe, visible as a "Process Create" operation.

A second filter for cmd.exe was then applied, which showed both a Process Create and a Process Start event. According to the event properties the new cmd starts yet another program, logman, and it is this program that could in theory be replaced with something else.

The reason the exploit works is that logman.exe is referenced without a directory. For a bare name, cmd.exe looks in its current directory first and only then walks the PATH directories, so you are essentially telling the computer to run whatever file with that name it finds first. If another executable is placed in the working directory of the initial cmd (here C:\Users\username) and renamed logman.exe, the next time "tpmtool drivertracing stop" runs from that cmd it is the planted logman.exe that gets executed.
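The lookup order described above is easy to reproduce without touching tpmtool at all. The following is an added example, not code from the post or from Tworek's research: it plants a harmless "logman.exe" (a copy of whoami.exe) in a throwaway folder, shows that cmd runs the planted copy for a bare name, and then shows two mitigations, a full path on the calling side and the documented NoDefaultCurrentDirectoryInExePath environment variable that makes cmd skip the current directory. The folder name and the use of whoami.exe as the stand-in are assumptions.

```powershell
# Added example, not from the post or from Tworek's research. Harmless by construction:
# the planted logman.exe is a copy of whoami.exe and everything lives in a temp folder.
$workdir = Join-Path $env:TEMP ('planting-demo-' + [guid]::NewGuid())   # assumption: TEMP is writable
New-Item -ItemType Directory -Path $workdir | Out-Null
Push-Location $workdir
try {
    # 1) Nothing planted yet: cmd's lookup (current dir, then PATH) only finds the real tool.
    "Before planting: " + (cmd.exe /c 'where logman' | Select-Object -First 1)

    # 2) Plant a file with the expected name in the directory cmd is running from.
    Copy-Item "$env:SystemRoot\System32\whoami.exe" -Destination (Join-Path $workdir 'logman.exe')
    "After planting (search order):"
    cmd.exe /c 'where logman'        # planted copy is listed first, System32 second

    # 3) A bare name run through cmd now executes the planted copy: it prints a user name,
    #    which the real logman.exe never does.
    $ran = cmd.exe /c 'logman'
    "cmd /c logman produced: $ran"

    # 4a) Mitigation on the calling side: a full path skips the lookup entirely.
    $direct = & "$env:SystemRoot\System32\logman.exe" 2>&1
    "Full path ran the planted copy? " + [bool]($direct -match [regex]::Escape($env:USERNAME))

    # 4b) NoDefaultCurrentDirectoryInExePath (documented with NeedCurrentDirectoryForExePath)
    #     makes cmd leave the current directory out of the search, so the bare name is safe again.
    $env:NoDefaultCurrentDirectoryInExePath = '1'
    $mitigated = cmd.exe /c 'logman' 2>&1
    "With NoDefaultCurrentDirectoryInExePath set, planted copy ran? " + [bool]($mitigated -match [regex]::Escape($env:USERNAME))
}
finally {
    Remove-Item Env:\NoDefaultCurrentDirectoryInExePath -ErrorAction SilentlyContinue
    Pop-Location
    Remove-Item $workdir -Recurse -Force
}
```

If you run this with Procmon capturing, the filter "Operation is Process Create" together with "Detail contains logman" shows the planted path in the Command line of the event, which is exactly the kind of evidence you would look for when hunting for this class of abuse.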

For more on how to use Process Monitor, see my other post covering the basics.

Thursday, May 1, 2025

PowerShell: New .ps1 in context menu

The context menu is the menu that shows up when you right-click in an Explorer window. Its New submenu is where you create new files, folders and shortcuts.

As I am a bit of a PowerShell nerd I thought it would be handy to have .ps1 in that New submenu as well. I found a reliable source at Winaero and a reg file created by Sergey Tkachenko, distributed as a zip folder.

Compiling the research, these are essentially the steps you need to take:

1. Open regedit as administrator, go to HKEY_CLASSES_ROOT and find the key for the .ps1 extension. Export it first (right-click > Export) so you can restore the original association if something goes wrong.

2. Change the value of "(Default)" to ps1legacy. Mine was set to ps1_file_auto.

3. Create a new key (folder) under the .ps1 key in the left pane, name it ShellNew, and within it create a new string value called NullFile with empty data.

4. At the top level of HKEY_CLASSES_ROOT, create a new key named ps1legacy and set its "(Default)" data to Windows PowerShell Script. In the same key create a string value named FriendlyTypeName with the same data.

Here is the result! 😊



Lastly, let's look at how a few lines of PowerShell can produce the same result. The snippet is deliberately boiled down to the essentials so it is easy to step through, review and modify. Note that writes to HKEY_CLASSES_ROOT land in HKLM\SOFTWARE\Classes (unless the key already exists under HKCU\Software\Classes), so the change applies to every user on the machine, which is why it has to run elevated.

#Requires -RunAsAdministrator

# Point the .ps1 extension at the ProgID we are about to create
Set-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\.ps1" -Name "(Default)" -Value "ps1legacy"

# ShellNew with an empty NullFile value tells Explorer to offer an empty file in the New menu
New-Item -Path "Registry::HKEY_CLASSES_ROOT\.ps1\ShellNew" -Force | Out-Null
Set-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\.ps1\ShellNew" -Name "NullFile" -Value ""

# The ProgID itself, with the name shown in the New menu and in file properties
New-Item -Path "Registry::HKEY_CLASSES_ROOT\ps1legacy" -Force | Out-Null
Set-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\ps1legacy" -Name "(Default)" -Value "Windows PowerShell Script"
Set-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\ps1legacy" -Name "FriendlyTypeName" -Value "Windows PowerShell Script"
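Because this rewrites a file-type association machine-wide, it is worth wrapping the change with a backup, a verification and a way back. The block below is an added example, not code from the post or from Winaero: it exports the two keys with reg.exe before anything is changed, checks that every piece of the association described above is in place, and can revert to the exported state. The backup folder under TEMP is an assumption.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post or from Winaero.
# Assumption: a backup folder under TEMP; change $backupDir to taste.
$backupDir = Join-Path $env:TEMP 'ps1-shellnew-backup'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

function Backup-Ps1Keys {
    # reg.exe export produces .reg files that can simply be re-imported to revert
    reg.exe export 'HKCR\.ps1' (Join-Path $backupDir 'dot-ps1.reg') /y | Out-Null
    if (Test-Path 'Registry::HKEY_CLASSES_ROOT\ps1legacy') {
        reg.exe export 'HKCR\ps1legacy' (Join-Path $backupDir 'ps1legacy.reg') /y | Out-Null
    }
    Get-ChildItem -Path $backupDir -Filter *.reg
}

function Test-Ps1ShellNew {
    # Reports each piece of the association and an overall Ok flag
    $ext = Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.ps1' -ErrorAction Stop
    $progId = $ext.'(default)'
    $shellNew = Get-Item -Path 'Registry::HKEY_CLASSES_ROOT\.ps1\ShellNew' -ErrorAction SilentlyContinue
    $hasNullFile = ($null -ne $shellNew) -and ($shellNew.GetValueNames() -contains 'NullFile')
    $type = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$progId" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ProgId       = $progId
        HasShellNew  = $hasNullFile
        FriendlyName = $type.FriendlyTypeName
        Ok           = ($progId -eq 'ps1legacy') -and $hasNullFile -and ($type.FriendlyTypeName -eq 'Windows PowerShell Script')
    }
}

function Restore-Ps1Keys {
    # Remove what the post's snippet added, then put the exported state back
    Remove-Item -Path 'Registry::HKEY_CLASSES_ROOT\.ps1\ShellNew' -Recurse -Force -ErrorAction SilentlyContinue
    Remove-Item -Path 'Registry::HKEY_CLASSES_ROOT\ps1legacy' -Recurse -Force -ErrorAction SilentlyContinue
    Get-ChildItem -Path $backupDir -Filter *.reg | ForEach-Object { reg.exe import $_.FullName | Out-Null }
    Test-Ps1ShellNew
}

Backup-Ps1Keys
# ... run the post's Set-ItemProperty / New-Item lines here ...
Test-Ps1ShellNew
# Restore-Ps1Keys   # uncomment to revert
```

Explorer caches the New menu, so after either applying or reverting you may need to restart explorer.exe (or sign out and back in) before the change is visible.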