Detecting the Leverage of INF-SCT Fetch & Execute Techniques
Overview
Over the last few days, I researched and tested an interesting method to execute various COM scripts/scriptlets (e.g. VBScript, JScript).
Much of the groundwork has already been researched and documented by @subTee, @Oddvarmoe, @ItsReallyNick, @KyleHanslovan, @ChrisBisnett, and @NickTyrer.
I was curious whether any artifacts could be used to detect the use of LaunchINFSection, a method discovered by @bohops for remotely launching staged SCT files referenced from INF files.
In this post, we will describe the abuse of LaunchINFSection through an INF file using the IE4uinit binary, explain how it works, and show how to detect it using multiple artifacts. In addition, we will write rules to help with detection.
Details
INF File
An information file (.inf) provides installation instructions that the Internet Component Download service provided in Microsoft Internet Explorer 3.0 or later uses to install and register software components downloaded from the Internet, as well as any files required by the components. The INF file is a text file that specifies the files that need to be present or downloaded for your component to run.
SCT File
A script used to create a Component Object Model (COM) component; it may be written in various scripting languages such as VBScript, JavaScript, or JScript, and runs itself on Windows if the Windows Scripting Host is installed.
Malicious INF/SCT Usage with LaunchINFSection
INF-SCT Launch Methods
Methods for launching script component files (‘.sct’) via INF configuration files include InstallHinfSection (setupapi.dll), CMSTP, and LaunchINFSection (advpack.dll). FireEye has analyzed malware from an Iranian threat group that leverages this technique; for more details see https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html. Let’s dive in.
What is LaunchINFSection
The LaunchINFSection function in Advanced INF Installer can be used to launch an advanced INF section using RunDLL32.EXE. This lets a user invoke advpack.dll from the command line without writing a program.
Calling Syntax
rundll32.exe advpack.dll,LaunchINFSection inf filename[,section name][,flags][,smart reboot]
INF Filename
INF file pathname you want to launch.
Section Name
INF install section name you want to launch in the INF file.
Flags

Smart Reboot

Examples
The following examples demonstrate how to call the LaunchINFSection function using Rundll32.
rundll32.exe advpack.dll,LaunchINFSection myinf.inf,,3
This installs the DefaultInstall section of myinf.inf in quiet mode with no GrpConv, rebooting if needed.
IE4uinit
Here is the description from bohops’ blog.

Ie4uinit stands for Internet Explorer (for) Each User Initialization. Part of IE 5.0 per user install utility. Ie4uinit.exe file is a software component of Internet Explorer, software having both 32-bit and 64-bit versions. The version matching the machine resides in “C:\Windows\System32”. On 64-bit machines the 32-bit version is also run from “C:\Windows\SysWOW64”.
Most often “ie4uinit.exe” runs during Active Setup, where Windows detects at user login whether a user’s profile lacks certain registry subkeys in the Current User (HKCU) hive that exist in the Local Machine (HKLM) hive, performs specific functions, and then puts those subkeys in HKCU to prevent repetition. This is an essential tool in enterprise installations with many endpoints.
IE4uinit calls an INF file named ieuinit.inf that resides alongside it in the System32 and SysWOW64 directories, which means it can’t be edited in place.
Adversaries may supply IE4uinit.exe with INF files infected with malicious commands. Similar to Regsvr32 / ”Squiblydoo”, IE4uinit.exe may be abused to load and execute COM scriptlets (SCT) from remote servers. This execution may also bypass AppLocker and other whitelisting defenses since IE4uinit.exe is a legitimate, signed Microsoft application.
Threat Scenario
As noted earlier, IE4uinit.exe calls an INF file named ieuinit.inf, hardcoded in the binary, from its own path. We will abuse IE4uinit.exe with a modified INF file to download our SCT file (payload) from a remote server. Since the original files can’t be edited, let’s copy them into a Tasks directory and update the INF file accordingly.

We need a remote server to host our SCT payload.

With a simple command on an Ubuntu machine we can serve the SCT payload at a URL from which it is downloaded and executed immediately.

Next, we update the ieuinit.inf file by adding the scrobj.dll/SCT URL payload entry under the MSIE4RegisterOCX.Windows7 section.

Let’s invoke the ie4uinit.exe to download and execute our SCT payload.

Success: the whoami command ran and its output was redirected to the BandarIsHere file.
Impact
The INF/SCT technique bypasses security restrictions such as AppLocker and allows arbitrary command execution.
Solution
Prevention and Mitigation
This type of malicious technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features. The following suggestions specify good security practices:
- Monitor the ie4uinit.exe executable loading an INF file from outside the %windir% directory
- Monitor the creation of the ie4uinit.exe executable and the INF file outside their original paths (C:\Windows\System32\ and C:\Windows\SysWOW64\), and monitor by file hash rather than file name only, since renaming the file easily bypasses name-based monitoring
- Monitor the creation of SCT or WSC files in this path

In fact, monitoring for the creation of any new SCT or WSC file could be a good rule to detect abuse of SCT files.
- Monitor for any INF file located in the user profile (AppData)
- Monitor for an ieuinit.inf file located outside its original path
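As an added example (not the post’s own code), the following Python turns the suggestions above into checks over constructed process-creation and file-creation records of the kind Sysmon or EDR telemetry provides; the event tuple layout and the sample paths are assumptions.

```python
import ntpath, re

# Legitimate homes of ie4uinit.exe and ieuinit.inf, as described in the post.
ORIGINAL_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
WINDIR = "c:\\windows\\"
# INF argument of "rundll32.exe advpack.dll,LaunchINFSection <inf>[,section][,flags]".
LAUNCH_RE = re.compile(r'advpack\.dll,LaunchINFSection\s+"?([^,"]+)', re.I)

def _norm(path):  # lower-cased, normalised Windows path (ntpath works on any OS)
    return ntpath.normpath(path).lower()

def check_process(image, cmdline):
    """Alerts for one process-creation record (image path + command line)."""
    alerts, img = [], _norm(image)
    if ntpath.basename(img) == "ie4uinit.exe" and ntpath.dirname(img) not in ORIGINAL_DIRS:
        alerts.append(f"ie4uinit.exe launched from non-standard path: {image}")
    m = LAUNCH_RE.search(cmdline)
    if m:
        inf = _norm(m.group(1).strip())
        if not inf.startswith(WINDIR):
            alerts.append(f"LaunchINFSection with INF outside %windir%: {m.group(1).strip()}")
        if ntpath.basename(inf) == "ieuinit.inf" and ntpath.dirname(inf) not in ORIGINAL_DIRS:
            alerts.append(f"ieuinit.inf referenced outside its original path: {m.group(1).strip()}")
    return alerts

def check_file(path):  # alerts for one file-creation record
    alerts, ext = [], ntpath.splitext(_norm(path))[1]
    if ext in (".sct", ".wsc"):  # any newly created scriptlet is worth a look
        alerts.append(f"scriptlet file created: {path}")
    if ext == ".inf" and "\\appdata\\" in _norm(path):
        alerts.append(f"INF file created in user profile: {path}")
    return alerts

def evaluate(events):
    """events: ("process", image, cmdline) or ("file", path) tuples."""
    alerts = []
    for ev in events:
        alerts += check_process(ev[1], ev[2]) if ev[0] == "process" else check_file(ev[1])
    return alerts

# Constructed sample telemetry (not from the post), mixing benign and suspicious records.
SAMPLE_EVENTS = [
    ("process", r"C:\Windows\System32\ie4uinit.exe", "ie4uinit.exe -ClearIconCache"),
    ("process", r"C:\Windows\Tasks\ie4uinit.exe", "ie4uinit.exe -ClearIconCache"),
    ("process", r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe advpack.dll,LaunchINFSection C:\Windows\Tasks\ieuinit.inf,MSIE4RegisterOCX.Windows7,3"),
    ("process", r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe advpack.dll,LaunchINFSection C:\Users\alice\AppData\Roaming\update.inf,,3"),
    ("file", r"C:\Users\alice\AppData\Local\Temp\payload.sct"),
    ("file", r"C:\Users\alice\AppData\Roaming\ieuinit.inf"),
    ("file", r"C:\Users\alice\Documents\notes.txt"),
]
```

Running evaluate(SAMPLE_EVENTS) yields five alerts; note that the copy in C:\Windows\Tasks is caught by the ieuinit.inf-path rule, not by the %windir% rule, which is why the post lists both.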
Detection
Abuse of INF/SCT leaves behind artifacts that can be used for detection; we will look at multiple artifacts and analyze them.
Detecting with Windows Registry
Windows creates several relevant registry keys that can be golden artifacts for detecting the adversary.
The following evidence was found in the registry:
1. SCT payload URL.
2. Malicious INF file path.
3. ProgID.
4. Version.
5. Description.
6. CLSID.
7. “scrobj.dll” utilization.
8. Last date and time of abuse.
Just as a reminder of what was in the payload.

Creation of a new CLSID key and evidence of “C:\Windows\system32\scrobj.dll” use.

ProgID with version as in the payload.

In addition, the description that was in the payload.


The most important evidence is the SCT payload URL and path of malicious INF file.


Finally, the last date and time ie4uinit.exe was executed (in our case, abused), which we can correlate with the other evidence to establish the date.

We need to convert it to a human-readable date, using the epochconverter website.

Note that most of the registry-related artifacts appear only after the machine is restarted.
Detecting with Windows File system
MFT File
Here at the file system level we found several artifacts. First, the creation of MFT records for the ie4uinit.exe and ieuinit.inf files in a path outside the original one, which was the first step of the abuse. Note that the INF file ieuinit.inf can’t be renamed but ie4uinit.exe can be, which leads us to the second and fifth points in the Prevention and Mitigation section.

As a result of the abuse, an MFT record was created for the SCT payload file.

A temp file was created and deleted immediately with this content:
“\IWshShell3.Run(“calc.exe”);”
which was my first payload, executing “calc.exe”; when I ran the new SCT payload, the content was:
“IWshShell3.Run(“cmd.exe /c whoami > BandarIsHere.txt”);”.
Timeline
File creation and execution: when we executed “calc.exe” as the payload, we can see the order of execution. First ie4uinit.exe runs, which launches another ie4uinit.exe with the “-ClearIconCache” switch, which executes rundll32.exe, which then downloads the SCT payload and immediately executes calc.exe.

When we executed the second payload, which launches the “whoami” command:

Prefetch Files
The prefetch artifact is another way to detect the use of ie4uinit.exe. As shown in the picture above, prefetch files are found in the static directory C:\Windows\Prefetch. Prefetch files have a .pf extension and follow a standard naming convention:
<APPLICATION NAME IN ALL CAPS>-<EIGHT CHARACTER HASH OF APPLICATION LOCATION>.pf
Prefetch files contain the following metadata:
· The name of the corresponding executable
· The number of times the executable has been run
· The size of the prefetch file
· The files and directories that were referenced during the application startup (this is what Windows wants to trace)
· Information related to the volume that the executable is on, including the volume path and serial number
We can see that the hash in “IE4UINIT.EXE-A2B7246E.pf” differs from the expected hash. In addition, analyzing the prefetch file reveals the real path.

There is further evidence of the SCT file download in the prefetch artifact.

Detecting with Network
The last way to detect INF/SCT abuse is an abnormal spike in traffic from ie4uinit.exe and chrom.exe to the remote server during the payload download step.

Network analysis is still important; here we can see the user agent used by scrobj.dll to fetch the SCT payload.

Fun Facts
Here are some fun facts observed during my test.
Process
The process appears without a parent process.

Log File
Running ie4uinit.exe creates a file for each unique command switch in the path “AppData\Local\Microsoft\Internet Explorer”.

The creation of these files occurs regardless of the path of ie4uinit.exe; System32 or the desktop doesn’t matter.
Many thanks to Norah Al Sabti for helping me discover these logs.
Download Payload
The SCT file is downloaded with different file types.

Using an SCT URL from GitHub downloads the file with an SCT file type, while changing the SCT URL to my Ubuntu server downloads the file with a WSC file type; I have no idea what the reason behind this behavior is.
Conclusion
Thank you for taking the time to read this blog post. Feel free to reach out to me on @mran61 if you have questions, comments, or feedback.
Reference
http://www.mdgx.com/INF_web/launch.htm
https://medium.com/@bromiley/windows-wednesday-prefetch-files-683f6ab5b9db