This weekend I was cleaning up an old Acer laptop of mine and discovered a hidden folder on the root drive, C:\OEM.
Inside's a bunch of interesting files, one of these is a tool called RunCmd_X64.exe.
The file is a legitimate and signed binary by Acer:
 |
| Figure 1 - Signed RunCmd_X64 |
The tool contains a useful help file as follows:
A tool to execute a command file.
RunCmd.exe filepath [/T | /F]
filepath full path name or file name
/T launch command file and open the console window
/F launch command file and hide the console window
If there is not any flag, /T or /F, the default situation is hiding window
Examples:
RunCmd.exe "D:\EnBT.cmd" /T
RunCmd.exe "EnBT.cmd" /F
Simply put, you can use Acer's tool as an alternative to the built-in command prompt, and to launch other applications! Additionally, using the /F parameter or flag will hide the console window, which is by default if there isn't any parameter!
Some simple examples:
Run an application directly
 |
| Figure 2 - Running calc.exe |
Run virtually anything using a script
 |
| Figure 3 - Running calc using a batch file |
Note that since no parameter is used, the RunCmd tool will run silently and tools such as Process Explorer show a non-existent parent process.
In theory, you can run any script or scriptlet using Acer's tool to execute "command files" :)
For attackers
This "LOLBin", or at the least reusing a legitimate and signed binary for malicious purposes, has the following MD5 hash:
RunCmd_X64 - d71fb1b03bf84fae29af9b2dc525ba33
There is also a 32-bit version, however, this binary is not signed.
RunCmd - 4d50588568cae95331f00cbdb52be37a
For defenders
See "For attackers". Additionally, the RunCmd tool will attempt to create a folder named "RunCmdLog" to store logfiles. An example logfile is as follows:
Log files will have the following format:
2019-03-17 21:00:37 [ 193C] TRACE main - ENTER: main
2019-03-17 21:00:37 [ 193C] TRACE main - EXIT: main
2019-03-17 21:00:37 [ 193C] INFO main - Para 1: calc.bat
2019-03-17 21:00:37 [ 193C] INFO main - Para 2:
2019-03-17 21:00:37 [ 193C] INFO main - command: C:\Tools\Acer\calc.bat
2019-03-17 21:00:37 [ 193C] INFO main - command success
%s%02d-%02d-%02d %02d-%02d-%02d.log
Where %s is RunCmd and %02d is the date and time of execution. In our example above:
RunCmd2019-03-17 21-00-37.log
Why try using LOLBins when you can use tools installed by the manufacturer?
Resources
Github - Living Off The Land Binaries and Scripts (and also Libraries)
Hexacorn - Reusigned Binaries – Living off the signed land
nice post
ReplyDelete