Tricky way to use the SEC to execute/schedule a program on a remote endpoint

RE: Tricky way to use the SEC to execute/schedule a program on a remote endpoint

jak — Sat, 22 Aug 2020 17:51:20 GMT

AutoUpdate will not pull down any old file added to the CID but the deployment workflow from SEC schedules a Windows task to run setup.exe from the CID. That's just a Windows Scheduled Task once created and will run the setup.exe it points at.

Of course this deployment workflow doesn't use RMS, just DCOM to create the remote scheduled task and the computer needs to be on at the time of creation, so if you can do it in SEC, you don't really need SEC but maybe it's a convenient way of performing the task on a number of machines in a particular group for example or in a specific state in SEC.

RE: Tricky way to use the SEC to execute/schedule a program on a remote endpoint

FormerMember — Fri, 21 Aug 2020 17:57:11 GMT

the scripting calls in SEC are not meant to alter the OS - they are for our own components.

In theory, you could deploy a PS script (not sure how you would get it onto the box if there is no trust) but based on what you are describing I have little hope of success. A domain trust break can be indicative of some serious problems on the box (HDD sectors failing, corrupted memory, amongst other things). However, you could try unjoining it -> have the script output a log -> check the log for success -> then try a join. There will be a reboot (maybe two) in there so that's a risk.

It would be very risky. If I was you, I would get my hands on the device before attempting anything.

SEC will not be able to help you here. If you just throw a file in the CID that won't do anything - the endpoints only download files that are signed and part of their manifest - you can't use SEC to infiltrate a system.

RE: Tricky way to use the SEC to execute/schedule a program on a remote endpoint

jak — Fri, 21 Aug 2020 17:08:40 GMT

SEC scheduled a task to run straight away which runs setup.exe from the CID. Did they replace setup.exe in the CID with a customer setup.exe that did what you needed?

RE: Tricky way to use the SEC to execute/schedule a program on a remote endpoint

RobertoF — Fri, 21 Aug 2020 13:20:39 GMT

Hi Christian,

I confirm it's possible - we had Sophos Professional Services onsite for two weeks during our initial Sophos rollout, and he proudly showed us an undocumented trick that allowed us to do just that. I think it involved using one of the functions of the SEC to deploy a script that was then executed on the endpoint... if I could just remember!

Too bad it's actually not an XP machine, otherwise we could have used one of the un-patcheable exploits to get in! It's a Windows 7 patched to the latest publicly available updates, and all my Metasploit attempts to break in have been unsuccessful so far.

Roberto

RE: Tricky way to use the SEC to execute/schedule a program on a remote endpoint

QC — Fri, 21 Aug 2020 13:10:53 GMT

Hello RobertoF,

I'm not aware that RMS (and SEC) ever allowed custom messages that moreover resulted in the execution of arbitrary commands.

in an nreachable physical location - but doing some useful and perhaps important work? And running Windows [:P]? Guess you wouldn't try to re-install Windows remotely. Whatever action you'd take you have likely just one try.

Christian