
Exploit.T1055DefenseEvasion possible rootkit



Had what I suspect to be a rootkit installed on my PC about a month ago, and it spread malware on my network; however, I may be wrong.

No files were downloaded on my device, but I believe the IPv6/TCP Windows exploit was utilized to gain root access via remote WMI commands/scripting (CVE-2024-38063), as the time frame of this starting was August 26th. I had IPv6 enabled, no VPN, AV disabled, and was playing Escape From Tarkov damn near constantly for those 13 days since that CVE publication.

I had a friend in the cyber security field make me a Windows 10 boot USB. I now run Windows 10 Pro (Privacy?) after installing this copy. Seems to be a version of Windows 10 Pro with anonymity maximized. The install process of this version was odd; it only had the option to select the drive I wanted to target for installation. I have a paid license I haven't linked to this installation yet.

I used ASUS Secure Erase 3 times on each drive before installing. I reset CMOS; however, I did not use BIOS FlashBack. Using the same hardware, but have not used suspected infectious USB drives or peripherals yet.

I am seeing two different local user accounts at login but cannot find a trace of it. Both are named "private", which was the original local account name generated. Before updating Windows, I did not need a password to log in. After updating Windows, I was told my password had expired and was then seeing the two accounts, both named "private".

I have already run recent scans with an updated FRST64, FSS, and Security Check by Galx24, one full custom scan (all drives, all options) with MWB, and 3 quick scans with MWB in the past 6 hours.

Before using the VPN I received a notification from MWB. I've used AdwCleaner on the desktop as well. No network card, no onboard Wi-Fi/Bluetooth, only Ethernet. Yet immediately when connecting to the internet something installs MiniPort WAN drivers.

Have a bit of different software installed, now. Attached are the scan results for FRST, FSS, Security Check, and the event log for the Exploit detection.


AdwCleaner[S00].txt AdwCleaner_Debug.log FRST.txt FSS.txt Malwarebytes Exploit Blocked Report 2024-09-22 002516.txt SecurityCheck.txt Shortcut.txt Addition.txt AdwCleaner[C00].txt


@ohnoaiv Do you have the following enabled in advanced exploit settings?

That setting is specific to penetration testing (i.e. not actual threats) so enabling won't really do anything unless the system is tested using third-party testing tools/test exploits. It is purely for testing purposes to verify that protection is working properly, however, it is not needed for protecting your system from actual malware which is why it is turned off by default.

I hope that helps to clarify things and if there is anything else we might help with please let us know.


Edited by Porthos

I do have that enabled.

I have it disabled, now, however i only received the one threat notification and have not seen anything since in that regard.

I have been monitoring network connections and have seen that two processes have active TCP connections to a handful of IPv4 addresses. One of those is a System process and the other is svchost.exe (netsvcs -p).

There are also a few svchost.exe (RPCSS -p) services with unspecified IPv4/6 addresses.

Is there a way to verify that there are no active remote WMI sessions that are hidden? Using commands such as Get-LocalUser in PowerShell just returns syntax errors.

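The poster's three questions above (two accounts with the same name, which services sit behind the svchost.exe connections, and whether remote WMI/WinRM is exposed) can be answered from one elevated Windows PowerShell 5.1 prompt. The script below is an added example, not code from the thread or from Malwarebytes; it assumes Windows 10 with the built-in LocalAccounts, NetTCPIP, NetSecurity and WSMan providers, and it must be run in PowerShell rather than cmd.exe, where Get-LocalUser is not a recognised command.

```powershell
# Added example, not code from the thread. Assumes an elevated Windows PowerShell
# 5.1 prompt on Windows 10 (Get-LocalUser, Get-NetTCPConnection and the WSMan:
# drive are all built in there; in cmd.exe these names are not recognised).

function Get-LocalAccountDuplicates {
    # Same name listed twice with two different SIDs means two real accounts;
    # the same SID twice would be a display artefact rather than a second account.
    Get-LocalUser |
        Group-Object -Property Name |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            $sids = @($_.Group | ForEach-Object { $_.SID.Value })
            [pscustomobject]@{
                Name         = $_.Name
                Entries      = $_.Count
                DistinctSids = @($sids | Select-Object -Unique).Count
                Sids         = ($sids -join ', ')
            }
        }
}

function Get-EstablishedConnectionOwners {
    # Map every established TCP connection to its owning process and, for
    # svchost.exe hosts, to the services running inside that PID, so a line
    # like "svchost.exe (netsvcs -p)" can be tied to concrete service names.
    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.ProcessId -ne 0 } |
        Group-Object -Property ProcessId -AsHashTable -AsString

    Get-NetTCPConnection -State Established |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $svc  = $services["$($_.OwningProcess)"]
            [pscustomobject]@{
                Local    = "$($_.LocalAddress):$($_.LocalPort)"
                Remote   = "$($_.RemoteAddress):$($_.RemotePort)"
                Pid      = $_.OwningProcess
                Process  = if ($proc) { $proc.ProcessName } else { '(exited)' }
                Services = if ($svc) { ($svc.Name -join ',') } else { '' }
            }
        } | Sort-Object Process, Remote
}

function Get-RemoteManagementExposure {
    # The surfaces a remote-WMI/WinRM worry actually hinges on: is the WinRM
    # service running, does it have listeners, are the inbound WMI firewall
    # rules enabled, and are there active WS-Man remote shells right now.
    [pscustomobject]@{
        WinRMStatus        = (Get-Service -Name WinRM).Status
        WinRMListeners     = @(Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction SilentlyContinue).Count
        WmiInboundEnabled  = @(Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue).Count
        ActiveRemoteShells = @(Get-WSManInstance -ResourceURI shell -Enumerate -ErrorAction SilentlyContinue).Count
    }
}

Get-LocalAccountDuplicates      | Format-Table -AutoSize
Get-EstablishedConnectionOwners | Format-Table -AutoSize
Get-RemoteManagementExposure    | Format-List
```

A System-process connection with no service name is normal for SMB and similar kernel-mode listeners; the useful signal in the second table is the Services column, which turns "svchost.exe (netsvcs -p)" into the actual service names sharing that PID so each remote address can be judged against what that service is expected to talk to.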

Understandable.

The reason for my paranoia was a previous infection that was able to disable my Windows antivirus. I had noticed startup programs with hash-like strings of text as the name and no icon, and also had several fraudulent charges attempted on numerous virtual CCs I had stored on here.

It may be paranoia, but I'm hoping there's a way to verify system .dll files haven't been tampered with, as well as that the persistence the previous malware had gained is no longer around. I've been trying to find guides and syntax for PowerShell to disable remote WMI and any other RDC.


There are still weird things that happen, such as my internet connection still working with Lockdown mode enabled on Mullvad VPN even after disconnecting from the VPN.

If you think the logs look good, I'll absolutely take your word for it, though.


Just now, ohnoaiv said:

If you think the logs look good, I'll absolutely take your word for it, though.

Please wait for one of the experts to reply. My only purpose in responding was to advise you to disable that setting in exploit protection.

Please save any further responses for when an expert replies. 👍


  • Root Admin

Please run the following @ohnoaiv

Click on Start and type in CMD.EXE and when it shows on the menu, right-click and select "Run as administrator" then copy and paste the following and press the Enter key

SC QC VSS


Then do the same thing but this time use the following and press the Enter key after entering it in the console window


SC Queryex VSS


Then post back the results from both.

Thank you


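The two commands the Root Admin asks for, SC QC VSS and SC Queryex VSS, report the Volume Shadow Copy service's configuration (binary path, start type, service account) and its live state (running or stopped, PID). The script below is an added example, not the forum's or Malwarebytes' own tooling: it runs those same sc.exe queries from an elevated PowerShell prompt, parses the output into an object, and compares it against an assumed stock Windows 10 baseline for VSS (vssvc.exe under System32, demand start, LocalSystem). The baseline values and the function names are assumptions for illustration; the raw sc.exe output is still what should be pasted back into the thread.

```powershell
# Added example (not from the thread): collect the same VSS service facts the
# admin asked for with "SC QC VSS" / "SC Queryex VSS", parse them into an object,
# and flag the things a responder looks at first: an unexpected binary path,
# start type or service account. Run from an elevated PowerShell prompt.

function Get-ScServiceInfo {
    param([Parameter(Mandatory)][string]$Name)

    # sc.exe prints "KEY : VALUE" lines; turn them into a hashtable.
    $parse = {
        param($lines)
        $h = @{}
        foreach ($line in $lines) {
            if ($line -match '^\s*([A-Z0-9_]+)\s*:\s*(.*)$') {
                $h[$matches[1]] = $matches[2].Trim()
            }
        }
        $h
    }

    # sc.exe is named explicitly because "sc" is a PowerShell alias for Set-Content.
    $qc      = & $parse (& sc.exe qc $Name)
    $queryex = & $parse (& sc.exe queryex $Name)

    [pscustomobject]@{
        Name       = $Name
        StartType  = $qc['START_TYPE']          # e.g. "3   DEMAND_START"
        BinaryPath = $qc['BINARY_PATH_NAME']
        RunsAs     = $qc['SERVICE_START_NAME']
        State      = $queryex['STATE']          # e.g. "1  STOPPED" / "4  RUNNING"
        ProcessId  = $queryex['PID']
    }
}

function Test-ScServiceBaseline {
    param(
        [Parameter(Mandatory)]$Info,
        # Assumed baseline for VSS on a stock Windows 10 install: vssvc.exe under
        # System32, started on demand, running as LocalSystem. Adjust per service.
        [string]$ExpectedBinary = 'vssvc.exe',
        [string]$ExpectedStart  = 'DEMAND_START',
        [string]$ExpectedAccount = 'LocalSystem'
    )
    $findings = @()
    $sys32   = [regex]::Escape((Join-Path $env:SystemRoot 'System32'))
    $pattern = '(?i)^' + $sys32 + '\\' + [regex]::Escape($ExpectedBinary) + '$'

    if ($Info.BinaryPath -notmatch $pattern) {
        $findings += "binary path is not System32\$ExpectedBinary : $($Info.BinaryPath)"
    }
    if ($Info.StartType -notmatch $ExpectedStart) {
        $findings += "start type is '$($Info.StartType)', expected $ExpectedStart"
    }
    if ($Info.RunsAs -ne $ExpectedAccount) {
        $findings += "service account is '$($Info.RunsAs)', expected $ExpectedAccount"
    }
    $findings
}

$vss = Get-ScServiceInfo -Name 'VSS'
$vss | Format-List
$findings = Test-ScServiceBaseline -Info $vss
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'VSS configuration matches the assumed stock baseline.' }
```

The parser only keys on the KEY : VALUE lines, so the "[SC] QueryServiceConfig SUCCESS" banner and any error text from sc.exe are ignored; if VSS has been deleted or renamed, the object comes back with empty fields and every baseline check fires, which is itself the finding to report.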

  • 2 weeks later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

