The purpose of this document is to explain the O24AUTH service.
O24AUTH is a short-lived service initiated by the scanner on the target machine while performing an authenticated SMB scan against a Windows host.
It is created to make sure that the target does not kill the process.
This service listens on a named pipe/socket to execute commands on the target sent by the scanner and reports the results. It is removed automatically after the scan is done.
Do not remove O24AUTH while a scan is running.
Some examples of the commands it executes are:
|Gets the hotfixes that are installed on local or remote computers.|
|The New-Object cmdlet creates an instance of a .NET Framework or COM object.|
|Fetches currently running Docker processes.|
|Fetches the Windows features. This command is run with /online /get-features /format:Table options.|
|Exports security settings stored in a database.|
The command list is subject to change with scanner updates.
No temp files are intentionally created during the installation.
The installation procedure is as described below:
- The Outpost24 scanner connects to the target machine through the SMB port.
- It authenticates with user credentials.
- The O24AUTH service is created via the service manager on the svcctl named pipe. The command line of the service is an encoded PowerShell script.
The script is encoded for better data transmission.
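For monitoring teams, the following added example (not Outpost24 code) triages service-install records for O24AUTH: an install inside a known scan window is marked expected, any other is marked for review, and the service command line is decoded for inspection. It assumes the script is passed with PowerShell's -EncodedCommand switch, which this document does not state; the record fields, host names, times and scan window are constructed.

```python
import base64
import re
from datetime import datetime

SERVICE_NAME = "O24AUTH"  # service name given in this document

# Assumption: the script is passed via PowerShell's -EncodedCommand switch
# (base64 of UTF-16LE text); the document only says the script is "encoded".
ENC_RE = re.compile(r"-(?:e|ec|enc\w*)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_command(command_line):
    """Return the decoded script text, or None if nothing decodable is found."""
    m = ENC_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # covers invalid base64 and invalid UTF-16
        return None

def triage(events, scan_windows):
    """Mark each O24AUTH install as expected (inside a scan window) or review."""
    findings = []
    for ev in events:
        if ev["service"].upper() != SERVICE_NAME:
            continue
        ts = datetime.fromisoformat(ev["time"])
        inside = any(start <= ts <= end for start, end in scan_windows)
        findings.append({"host": ev["host"], "time": ev["time"],
                         "verdict": "expected" if inside else "review",
                         "script": decode_command(ev["command_line"])})
    return findings

# Constructed sample data: simplified service-install records and one scan window.
_B64 = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"host": "srv01", "time": "2021-05-03T02:15:00", "service": "O24AUTH",
     "command_line": "powershell.exe -EncodedCommand " + _B64},
    {"host": "srv02", "time": "2021-05-04T14:40:00", "service": "O24AUTH",
     "command_line": "powershell.exe -EncodedCommand " + _B64},
    {"host": "srv01", "time": "2021-05-03T02:16:00", "service": "Spooler",
     "command_line": r"C:\Windows\System32\spoolsv.exe"},
]
SCAN_WINDOWS = [(datetime(2021, 5, 3, 2, 0), datetime(2021, 5, 3, 4, 0))]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, SCAN_WINDOWS):
        print(finding)
```

In practice the records would come from the target's service-installation events and the windows from the scanner's schedule.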
© 2021 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.
Outpost24® and OUTSCAN™ are trademarks of Outpost24® in Sweden and other countries.