DFIR-ORC / dfir-orc

Forensics artefact collection tool for systems running Microsoft Windows
https://dfir-orc.github.io
GNU Lesser General Public License v2.1

BITS transfer error (error code : 0x800704dd) #34

Closed neticien closed 3 years ago

neticien commented 3 years ago

Hello,

I got an issue when using the following DFIR-ORC local configuration file :

<dfir-orc>
    <upload job="orc" method="bits"
    server="http://[SERVER_FQDN]"
    path="upload"
    mode="async"
    operation="move" />
</dfir-orc>

Mothership v10.0.14 DFIR-Orc v10.0.14

When attempting a BITS transfer with ORC, the following error code appears: 0x800704dd.

ERROR (L’opération demandée n’a pas été effectuée car l’utilisateur n’est pas connecté au réseau. Le service spéci, hr=0x800704dd): Failed to add file [ORC_RESULT_FILEPATH] to BITS job orc

ERROR (L’opération demandée n’a pas été effectuée car l’utilisateur n’est pas connecté au réseau. Le service spéci, hr=0x800704dd): UPLOAD: Operation for [ORC_RESULT_FILEPATH] failed "Failed to upload file to destination server"

I’ve searched in the list of BITS error codes and I found this error with the name ERROR_NOT_LOGGED_ON.

The cause: The SENS service is not receiving user logon notifications. BITS (version 2.0 and up) depends on logon notifications from Service Control Manager, which in turn depends on the SENS service. Ensure that the SENS service is started and running correctly.

The SENS service seems to be started :

Command : sc query SENS

SERVICE_NAME: SENS
        TYPE               : 30  WIN32
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

But the privileged account session that I use to launch ORC does not seem to appear in a standard session query.

Command : query session

 SESSION           UTILISATEUR              ID  ÉTAT    TYPE        PÉRIPHÉRIQUE
 services                                    0  Déco
>console           STANDARD_USER             1  Actif

It only appears if I use logonsessions.exe from SysInternals.

It seems to be a bad implementation of the BITS component in Windows.

The only workaround I found is to execute ORC through a scheduled task with NT AUTHORITY\SYSTEM privileges :

schtasks /Create /SC ONCE /TN [TASK_NAME] /ST HH:mm /RU system /TR [DFIR-ORC_PATH]

sc-anssi commented 3 years ago

Hi, I can reproduce the issue with Start-BitsTransfer and bitsadmin only (even without DFIR-Orc), so I think your error may not be related to DFIR-Orc but rather BITS itself as you suggested. The setup I used to reproduce is logging in with an unprivileged user and starting an elevated command prompt from there. I believe this was the situation you were in as well.

I don't know exactly why BITS seems to need an interactive session to start the transfer. However, you could still use BITS (and therefore DFIR-Orc) from an interactive privileged session without any problem for testing purposes. When deploying in production, the "workaround" you found to use a scheduled task run by SYSTEM (deployed by GPO for instance) is actually one of the recommended ways to deploy DFIR-Orc ;)

Thanks for the feedback and feel free to re-open if you encounter the same error in an interactive privileged session.
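
A pre-flight check for the situation discussed in this thread, added here as an example and not part of the original issue or of the DFIR-ORC project: it launches DFIR-ORC directly only when running as SYSTEM or as the console user, and otherwise registers the one-shot SYSTEM scheduled task described above. `$OrcPath`, `$TaskName` and the one-minute delay are assumptions; DFIR-ORC is started without arguments, as in the `schtasks` command in the thread.

```powershell
#Requires -RunAsAdministrator
# Added example (not DFIR-ORC project code). Registering a SYSTEM task needs an elevated prompt.
param(
    [Parameter(Mandatory)] [string] $OrcPath,          # placeholder: path to the DFIR-ORC binary
    [string] $TaskName = 'DFIR-ORC-Collect'            # hypothetical task name
)

# Identity of the token this script (and any BITS job it creates) runs under.
$me = [Security.Principal.WindowsIdentity]::GetCurrent()

# Account that owns the physical console session, as DOMAIN\user.
# Empty when nobody is logged on at the console; RDP users are not reported here,
# so this check errs on the side of using the scheduled task.
$consoleUser = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName

$isConsoleUser = $consoleUser -and ($me.Name -ieq $consoleUser)

if ($me.IsSystem -or $isConsoleUser) {
    # SYSTEM, or the same account as the interactive session: run in place.
    Write-Host "Running as $($me.Name); starting DFIR-ORC directly."
    & $OrcPath
    exit $LASTEXITCODE
}

# Elevated prompt opened with a different account than the console user:
# the case reproduced in this thread, where adding a file to the BITS job
# fails with hr=0x800704dd (ERROR_NOT_LOGGED_ON).
Write-Warning ("Running as $($me.Name) but console session belongs to " +
               "'$consoleUser'; BITS upload is expected to fail with 0x800704dd.")
Write-Warning "Registering a one-shot scheduled task as NT AUTHORITY\SYSTEM instead."

$action    = New-ScheduledTaskAction -Execute $OrcPath
$trigger   = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1)   # assumed delay
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
                                        -LogonType ServiceAccount -RunLevel Highest

Register-ScheduledTask -TaskName $TaskName -Action $action `
                       -Trigger $trigger -Principal $principal | Out-Null

Write-Host "Task '$TaskName' registered; it will start at $($trigger.StartBoundary)."
```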