Month: October 2024

Windows files system you should never whitelist in your environment

If you are working in SOC as SOC Analyst or Incident Response, Threat Hunters, Threat Intelligence Analyst, you might be facing with whitelisting and blacklisting already.

Whitelisting consists of allowing access within your environment. In SOC term, when you whitelist a file or command, it won’t show up in the alert, which could be very dangerous as you might not see the malicious activities triggering.

Blacklisting consists of blocking access within your environment.

Whitelisting and Blacklisting are usually done by tools such as EDR, SIEM, Antivirus and other.

You should be very careful while doing any of those, as it might cause several damages to your organization.

Below, we will describe some of the Windows files system that you should never whitelist within your environment.

First of all, let’s start by the folder C:\WINDOWS\system32\ . The folder is used by Windows OS to hold systems files and folders. Most of the files we will be discussing today, are in this folder.

Mshta.exe: Is an utility that executes Microsoft HTML Applications (HTA) files. HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser. Attacker can use the command as System Binary Proxy Execution to execute malicious code directly from a remote server to bypass application control and browser security.

Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility (https://attack.mitre.org/techniques/T1218/005 ).

Cmd.exe:  command-line interpreter for Windows, many threat actor run the malicious command from command-line interpreter to compromise the system, to exfiltrate data and others

utilman.exe:   The file is associated with the Utility Manager application of Windows. Can be used to monitor an application and give access to useful UI settings within Windows.

Svhost.exe: Used to host Windows services, malware can use the file to hide itself from the Antivirus or the detection engine.

Microsoft Shortcut File (LNK):  The file is used to link various types of information such as files, network shares, can be used by a malware to execute a malicious file located in a remote environment.

powershell.exe: It is a command line tool used to manage and automate tasks in the Windows operating system. The tools can be used to exploit the system by creating a script.

msiexec.exe:  It is used to install, modify, and perform operations on Windows Installer (MSI (Windows Installer Package)) from the command line.

services.exe: Is the Windows service control manager, it controls all the services. It can be used by a malware to start and stop a malicious service.

fodhelper.exe: Used for managing language changes in the operating system. It can be used by adversaries to bypass User Account Control and execute additional commands with escalated privileges.

dllhost.exe: It is used to host and execute DLLs. The process is used to host COM (Component Object Model) object. It can be used by malware to execute a fake DLL code.

rundll32.exe: It is used to give the access to the developers to create functions stored separately as a DLL file. It can be used my malware to run a DLL file to perform a malicious activity.

BCDEdit.exe:  It can be used to verify the new stores, modifying existing stores, and adding boot menu options. It can be used by malware to modify the boot loader configurations.

regsvr32.exe: It is used to register and unregister OLE controls, such as DLLs and ActiveX controls in the Windows Registry. It can be used by malware to store malicious file or key in the registry.

WMIC: It is a deprecated command-line interface working with Windows Management Instrumentation to manage data and operations on a Windows. The tool is deprecated and not available in PowerShell 6+. The tool can be used to provide users information from the remote computer.

PowerShell: It is an automation configuration tool. It can be used to deploy, test, build solution. The tool is quite often used by malware to deploy on the system and compromised.

userinit.exe: It is a is a program that restores the profile, fonts, colors for a user. It can be used by malware to add a program.

Schtaske.exe: It is used for performing a task scheduling task, maybe used by threat actors for the execution of malicious code. 

taskhostw.exe: The file is used by Windows 10 as a host for processes that execute as part of a DLL file. It can be used to monitor applications, keyboard, mouse activities. A threat actor can used that to perform malicious activities.

wsmprovhost.exe to identify remote connection related to WINRM or PowerShell

Vssadmin: Used to display the volume shadow copy backups and installed shadow copy writers and providers.  The threat actor can leverage to perform it to delete or copy the data backup, resize it (anti forensic technic) to destroy the evidence.

Mstsc.exe Creates and edit connections to Remote Desktop Session Host servers or other remote computers.

In conclusion, it is required to always check the file perform suspicious activity. You might know that some activities might be legitimate, for example activities performed by the admin. You need to know how to differentiate those normal activities from the malicious one. Checking the file location, the file hash, and signature will be a good starting point to detect a malicious file.