kevoreilly / capemon

capemon: CAPE's monitor
GNU General Public License v3.0

CoCreateInstance hook Win64 exclusion #60

Closed heck-gd closed 1 year ago

heck-gd commented 1 year ago

I'm currently fixing up some code in the CoCreateInstance(Ex) hooks where a GUID for Task Scheduler 1.0 objects was missing.

In https://github.com/kevoreilly/capemon/commit/01cc21dcb153643f47674dbb8d218771fa59d603 x64 was excluded from sending pipe commands, apparently due to some issue with maldocs, but I couldn't find any more information about what exactly the problem was.

As it stands, for 64-bit malware that persists itself using a scheduled task and only then becomes active, CAPE doesn't currently track execution of the scheduled task malware process. Do you think anything speaks against at least enabling the TASKSCHED command for all platforms and excluding only WMI, BITS and INTEROP?

If there are no concerns, I'll create a PR with the changes.

cccs-mog commented 1 year ago

I would be interested in having the tracking enabled for at least TASKSCHED and BITS also. Wondering what the issue was in the first place. Currently working on that, but a sample/hint as to where the problem was originating would help. Could do the PR and/or work with someone to find/fix the root cause.

Thanks.

kevoreilly commented 1 year ago

Hi - apologies for the late reply. The hook exclusion needs revisiting, I will see if I can find the maldoc tests that failed and look into them further with a view to re-enabling at least some of these messages for x64. Thanks for pointing this out, I will try and look at this tomorrow.

kevoreilly commented 1 year ago

This is now fixed.