O24AUTH
Purpose
The purpose of this document is to explain the O24AUTH service.
Introduction
O24AUTH is a short-lived service initiated by the scanner on the target machine while performing an authenticated SMB scan against a Windows host.
It is created to make sure that the target does not kill the process.
Behavior
This service listens on a named pipe/socket to execute commands on the target sent by the scanner and reports the results. It is removed automatically after the scan is done.
Caution
Do not remove O24AUTH while a scan is running.
Commands
Some examples are:
| Commands | Description |
|---|---|
| | Gets the hotfixes that are installed on local or remote computers. |
| | The New-Object cmdlet creates an instance of a .NET Framework or COM object. |
| | Fetches currently running Docker processes. |
| | Fetches the Windows features. This command is run with the /online /get-features /format:Table options. |
| | Exports security settings stored in a database. |
Warning
The command list is subject to change with scanner updates.
Installation
Note
Temporary files are intentionally not created during the installation.
The installation procedure is as described below:
- The Outpost24 scanner connects to the target machine through the SMB port.
- It authenticates with user credentials.
- The O24AUTH service is created via the service manager on the svcctl named pipe. The command line of the service is an encoded PowerShell script.
Note
An encoded script is used for better data transmission.
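For teams that monitor service installations on scanned hosts, the following added example (not Outpost24 code) triages Service Control Manager event 7045 records and decodes the service command line for review, so that a service merely named O24AUTH is not trusted on its name alone. It assumes the encoded script is passed in PowerShell's standard -EncodedCommand form (Base64 over UTF-16LE), which this page does not state; the host names, service command lines and dictionary layout are constructed sample data.

```python
import base64

def _enc(script):
    # Builds constructed sample input: Base64 over UTF-16LE, as -EncodedCommand expects.
    return base64.b64encode(script.encode("utf-16-le")).decode()

# Constructed events; keys mirror event 7045 fields. Not real O24AUTH command lines.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "ws01.example.test", "ServiceName": "O24AUTH",
     "ImagePath": "powershell.exe -NoProfile -ExecutionPolicy RemoteSigned "
                  "-EncodedCommand " + _enc("Write-Output 'constructed placeholder'")},
    {"EventID": 7045, "Computer": "ws02.example.test", "ServiceName": "O24AUTH",
     "ImagePath": r"C:\Windows\Temp\svc.exe"},
    {"EventID": 7045, "Computer": "ws03.example.test", "ServiceName": "UpdaterSvc",
     "ImagePath": "powershell.exe -enc " + _enc("Get-Date")},
    {"EventID": 7036, "Computer": "ws01.example.test", "ServiceName": "O24AUTH",
     "ImagePath": ""},
]

def encoded_script(image_path):
    """Return the decoded script if the command line uses -EncodedCommand, else None."""
    tokens = image_path.split()
    for flag, value in zip(tokens, tokens[1:]):
        name = flag.lstrip("-/").lower()
        # PowerShell accepts -ec and any prefix of -EncodedCommand (-e, -enc, ...).
        if flag[0] in "-/" and name and (name == "ec" or "encodedcommand".startswith(name)):
            try:
                return base64.b64decode(value, validate=True).decode("utf-16-le")
            except ValueError:  # malformed Base64 or invalid UTF-16LE
                return None
    return None

def triage(events, service_name="O24AUTH"):
    """Classify service-install events (7045) against the pattern this page documents."""
    findings = []
    for ev in events:
        if ev["EventID"] != 7045:
            continue
        script = encoded_script(ev["ImagePath"])
        named = ev["ServiceName"].upper() == service_name.upper()
        if named and script is not None:
            verdict = "matches-documented-pattern"  # still review the decoded script
        elif named:
            verdict = "name-only-match"  # name reused without an encoded script
        elif script is not None:
            verdict = "encoded-powershell-other-service"
        else:
            continue
        findings.append((ev["Computer"], ev["ServiceName"], verdict, script))
    return findings
```

Correlating a "matches-documented-pattern" finding with the scanner's address and scan schedule is left to the environment, since event 7045 does not record the remote caller.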
Copyright
© 2024 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.
Trademark
Outpost24® and OUTSCAN™ are trademarks of Outpost24® and its affiliated companies. All other brand names, product names or trademarks belong to their respective owners.