Knowledge base
Knowledge base
Breadcrumbs

O24AUTH



Purpose

The purpose of this document is to explain the O24AUTH service.

Introduction 

O24AUTH is a short-lived service initiated by the scanner on the target machine while performing an authenticated SMB scan against a windows host.

It is created to make sure that the target does not kill the process.

Behavior

This service listens on a named pipe/socket to execute commands on the target sent by the scanner and reports the results. It is removed automatically after the scan is done.

Do not remove O24AUTH while a scan is running.

Commands

Some of the examples are:

Commands

Description

Get-Hotfix

Gets the hotfixes that are installed on local or remote computers.

New-Object -ComObject "Microsoft.Update.Session"

The New-Object cmdlet creates an instance of a .NET Framework or COM object.

docker --ps

Fetches currently running docker processes.

dism.exe

Fetches the windows features. This command is run with /online /get-features /format:Table options.

secedit /export /cfg

Exports security settings stored in a database.


The command list is subject to change with scanner updates.

Installation 

Temp files are not created intentionally during the installation.

The installation procedure is as described below:

  1. The Outpost24 scanner connects to the target machine through the SMB port.

  2. Authenticates with user credentials. 

  3. The O24AUTH is created via the service manager on the svcctl named pipe. The command line of the service is an encoded PowerShell script.

Encoded script is used for better data transmission