
C2: usage of Windows mailslots

Open · captainGeech42 opened this issue 3 years ago · 1 comment

Prerequisites

  • [ ] Put an X between the brackets on this line if you have done all of the following:
    • Checked that your rule idea isn't already filed: search

Summary

Some rules that look for certain usages of Windows mailslots could be interesting. This is a new IPC mechanism to me; no clue how common it is in malware, but at least some things use it.

Examples

n/a

Features

(tbd)

Additional context

Rule details

Namespace

(tbd)

References

https://docs.microsoft.com/en-us/windows/win32/ipc/mailslots

Other rule meta information

captainGeech42 · Sep 09 '22 19:09

Some more information on Mailslots.

Naming convention (from https://learn.microsoft.com/en-us/windows/win32/ipc/mailslot-names):

When a process creates a mailslot, the mailslot name must have the following form:

\\.\mailslot\[path\]name

A mailslot name requires the following elements: two backslashes to begin the name, a period, a backslash following the period, the word "mailslot", and a trailing backslash. Names are not case sensitive. A mailslot name can be preceded by a path consisting of the names of one or more directories, separated by backslashes.

Limitations & lifespan:

The data in a mailslot message can be in any form, but cannot be larger than 424 bytes when sent between computers. Unlike disk files, mailslots are temporary. When all handles to a mailslot are closed, the mailslot and all the data it contains are deleted.

Standard file operations (read/write) are used once a handle is obtained.

A snippet from malware sample 686dbe5eb148db706e48a74eba627270055ed1ba534a98d5d00690577eb42e49

[0x0040151d]> pd 8 @ 0x004016cb
│           0x004016cb      mov   eax, dword data.004066c0             ; [0x4066c0:4]=0
│           0x004016d0      push  eax                                  ; LPSECURITY_ATTRIBUTES lpSecurityAttributes
│           0x004016d1      push  0xffffffff                           ; -1 ; DWORD lReadTimeout
│           0x004016d6      push  0                                    ; DWORD nMaxMessageSize
│           0x004016d8      push  str.._mailslot_LogCC                 ; 0x40504f ; "\\.\mailslot\LogCC" ; LPCSTR lpName
│           0x004016dd      call  dword [sym.imp.KERNEL32.dll_CreateMailslotA] ; 0x40627c ; HANDLE CreateMailslotA(LPCSTR lpName, DWORD nMaxMessageSize, DWORD lReadTimeout, LPSECURITY_ATTRIBUTES lpSecurityAttributes)
│           0x004016e3      mov   dword [hMailslot], eax
│           0x004016e9      cmp   dword [hMailslot], 0xffffffff

In this particular instance, the mailslot (named \\.\mailslot\LogCC) is created via a call to CreateMailslotA, and the handle is stored off (to be used later by ReadFile/WriteFile operations).

Some ideas to detect usage are:

  • Calls to CreateMailslot (mandatory)
  • Optional usage of GetMailslotInfo, SetMailslotInfo
  • Optional Mailslot name \\.\mailslot\..... (could reside in an obfuscated form statically)

re-fox · Oct 04 '22 17:10
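A capa rule that encodes the three detection ideas above (mandatory CreateMailslot, optional Get/SetMailslotInfo, optional mailslot name string). This is an added example for this thread, not a rule from the capa-rules project. It assumes the current capa rule format (a `scopes` block and `api`/`string`/`optional` features); the author entry is a placeholder, and the example address is the CreateMailslotA call site from the disassembly above, which would have to be replaced by the start address of the containing function before capa's linter would accept it.

```yaml
rule:
  meta:
    name: create Windows mailslot
    namespace: communication/mailslot
    authors:
      - placeholder@example.invalid   # placeholder, not a real contributor
    scopes:
      static: function
      dynamic: call
    references:
      - https://docs.microsoft.com/en-us/windows/win32/ipc/mailslots
      - https://learn.microsoft.com/en-us/windows/win32/ipc/mailslot-names
    examples:
      # sample hash from this issue; 0x4016cb is the CreateMailslotA call site
      # shown above, replace with the containing function's start for a real rule
      - 686dbe5eb148db706e48a74eba627270055ed1ba534a98d5d00690577eb42e49:0x4016cb
  features:
    - and:
      # mandatory: capa matches the suffix-less name against CreateMailslotA/W
      - api: kernel32.CreateMailslot
      # optional: these strengthen the description but are not required to match
      - optional:
        - api: kernel32.GetMailslotInfo
        - api: kernel32.SetMailslotInfo
        # mailslot naming convention "\\.\mailslot\[path\]name"; case-insensitive
        # per the docs. Will not fire if the name is built or decoded at runtime.
        - string: /\\\\\.\\mailslot\\/i
```

Once a mailslot handle exists the program falls back to ReadFile/WriteFile, so a separate rule keyed on those imports alone would be far too noisy; the `optional` block is there to document the surrounding behaviour, not to widen the match.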