Purpose

The purpose of this document is to explain the O24AUTH service.

Introduction 

O24AUTH is a short-lived service initiated by the scanner on the target machine while performing an authenticated SMB scan against a windows host.

It is created to make sure that the target does not kill the process.

Behavior

This service listens on a named pipe/socket to execute commands on the target sent by the scanner and reports the results. It is removed automatically after the scan is done.

Caution

Do not remove O24AUTH while a scan is running.

Commands

Some of the examples are:

CommandsDescription

Get-Hotfix

Gets the hotfixes that are installed on local or remote computers.

New-Object -ComObject "Microsoft.Update.Session"

The New-Object cmdlet creates an instance of a .NET Framework or COM object.

docker --ps

Fetches currently running docker processes.

dism.exe

Fetches the windows features. This command is run with /online /get-features /format:Table options.

secedit /export /cfg

Exports security settings stored in a database.

Warning

The command list is subject to change with scanner updates.

Installation 

Note

Temp files are not created intentionally during the installation.

The installation procedure is as described below:

  1. The Outpost24 scanner connects to the target machine through the SMB port.
  2. Authenticates with user credentials. 
  3. The O24AUTH is created via the service manager on the svcctl named pipe. The command line of the service is an encoded PowerShell script.

    Note

    Encoded script is used for better data transmission.



Copyright

© 2021 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.

Trademark

Outpost24® and OUTSCAN™ are trademarks of Outpost24® in Sweden and other countries.