sethc.exe Possible Backdoor

Nessus Output

Description
The copy of ‘sethc.exe’ in the Windows ‘System32’ directory on the remote host appears to have been modified, perhaps for use as a backdoor. Either or both of the ‘InternalName’ or ‘OriginalFilename’ file attributes no longer match the original file.

This file is part of the Windows ‘Sticky Keys’ functionality and is launched with SYSTEM privileges from a login screen when a Shift key is pressed several times. After replacing the original file with, for example, cmd.exe, an attacker with access to the host can bypass authentication and gain a command shell and, in turn, complete control of the host.

Solution
Verify the contents of the ‘sethc.exe’ file and, if appropriate, whether the system has been compromised.

Output

File : C:\WINDOWS\System32\sethc.exe
Internal Name : cmd
Original Filename : cmd.exe

Manual Verification

 C:\WINDOWS\system32> Get-ItemProperty .\sethc.exe | select versioninfo | format-list
 
 
VersionInfo : File: C:\WINDOWS\system32\sethc.exe
 InternalName: cmd
 OriginalFilename: Cmd.Exe.MUI
 FileVersion: 10.0.14393.0 (rs1_release.160715-1616)
 FileDescription: Windows Command Processor
 Product: Microsoft® Windows® Operating System
 ProductVersion: 10.0.14393.0
 Debug: False
 Patched: False
 PreRelease: False
 PrivateBuild: False
 SpecialBuild: False
 Language: English (United States)

Fixes

sfc /SCANFILE=C:\Windows\System32\sethc.exe
Windows Resource Protection found corrupt files but was unable to fix some
of them. Details are included in the CBS.Log windir\Logs\CBS\CBS.log. For
example C:\Windows\Logs\CBS\CBS.log. Note that logging is currently not
supported in offline servicing scenarios.

Sometimes this doesn’t work out as expected and we need to dig a little bit further.

 C:\WINDOWS\system32> findstr /c:"sethc.exe" C:\Windows\Logs\CBS\CBS.log
 
2016-08-29 07:45:16, Info CSI 00000008 Hashes for file member \SystemRoot\WinSxS\amd64_microsoft-windows-sethc_31bf3856ad364e35_10.0.14393.0_none_9034aa748bcdf2b8\sethc.exe do not match actual file [l:9]'sethc.exe' :
2016-08-29 07:45:16, Info CSI 00000009 [SR] Cannot repair member file [l:9]'sethc.exe' of Microsoft-Windows-sethc, version 10.0.14393.0, arch amd64, nonSxS, pkt {l:8 b:31bf3856ad364e35} in the store, hash mismatch
2016-08-29 07:45:16, Info CSI 0000000b Hashes for file member \SystemRoot\WinSxS\amd64_microsoft-windows-sethc_31bf3856ad364e35_10.0.14393.0_none_9034aa748bcdf2b8\sethc.exe do not match actual file [l:9]'sethc.exe' :
2016-08-29 07:45:16, Info CSI 0000000c [SR] Cannot repair member file [l:9]'sethc.exe' of Microsoft-Windows-sethc, version 10.0.14393.0, arch amd64, nonSxS, pkt {l:8 b:31bf3856ad364e35} in the store, hash mismatch
2016-08-29 07:45:16, Info CSI 0000000e Hashes for file member \??\C:\WINDOWS\System32\sethc.exe do not match actual file [l:9]'sethc.exe' :
2016-08-29 07:45:16, Info CSI 0000000f Hashes for file member \SystemRoot\WinSxS\amd64_microsoft-windows-sethc_31bf3856ad364e35_10.0.14393.0_none_9034aa748bcdf2b8\sethc.exe do not match actual file [l:9]'sethc.exe' :
2016-08-29 07:45:16, Info CSI 00000010 [SR] Could not reproject corrupted file \??\C:\WINDOWS\System32\sethc.exe; source file in store is also corrupted
2016-08-29 07:45:16, Info CSI 00000015 Hashes for file member \SystemRoot\WinSxS\amd64_microsoft-windows-sethc_31bf3856ad364e35_10.0.14393.0_none_9034aa748bcdf2b8\sethc.exe do not match actual file [l:9]'sethc.exe' :
2016-08-29 07:45:16, Info CSI 00000016 [SR] Cannot repair member file [l:9]'sethc.exe' of Microsoft-Windows-sethc, version 10.0.14393.0, arch amd64, nonSxS, pkt {l:8 b:31bf3856ad364e35} in the store, hash mismatch
2016-08-29 07:45:16, Info CSI 00000018 Hashes for file member \SystemRoot\WinSxS\amd64_microsoft-windows-sethc_31bf3856ad364e35_10.0.14393.0_none_9034aa748bcdf2b8\sethc.exe do not match actual file [l:9]'sethc.exe' :
2016-08-29 07:45:16, Info CSI 00000019 [SR] Cannot repair member file [l:9]'sethc.exe' of Microsoft-Windows-sethc, version 10.0.14393.0, arch amd64, nonSxS, pkt {l:8 b:31bf3856ad364e35} in the store, hash mismatch
2016-08-29 07:45:16, Info CSI 0000001b Hashes for file member \??\C:\WINDOWS\System32\sethc.exe do not match actual file [l:9]'sethc.exe' :
2016-08-29 07:45:16, Info CSI 0000001c Hashes for file member \SystemRoot\WinSxS\amd64_microsoft-windows-sethc_31bf3856ad364e35_10.0.14393.0_none_9034aa748bcdf2b8\sethc.exe do not match actual file [l:9]'sethc.exe' :
2016-08-29 07:45:16, Info CSI 0000001d [SR] Could not reproject corrupted file \??\C:\WINDOWS\System32\sethc.exe; source file in store is also corrupted

If the file could not be restored, have a look at https://support.microsoft.com/en-us/kb/929833

Plugin details

Looking at the source of the Nessus plugin (smb_sethc_backdoor.nasl) we can see that only the InternalName and OriginalFilename attributes are checked:

# Check for matching names
if (
  (
    !isnull(internal_name) &&
    internal_name != "sethc.exe" &&
    internal_name != "sethc"
  )
  ||
  (
    !isnull(original_filename) &&
    original_filename != "sethc.exe" &&
    original_filename != "sethc"
  )
)

This can easily be bypassed by using tools like ResourceHacker.

We can copy the VERSIONINFO from the original sethc.exe to cmd.exe.


I think it should be better to rely on File Integrity Checks to detect this backdoor.
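As an added example (not code from the original post or from the Nessus plugin), the following PowerShell script runs the plugin's version-info test alongside a signature check and a hash comparison against the WinSxS store copy, which a VERSIONINFO copied with ResourceHacker does not satisfy. The $KnownGoodSha256 parameter is a placeholder for a baseline you take from a clean host of the same build, and the ".mui" tolerance in the regex is my own assumption based on the "Cmd.Exe.MUI" value shown above.

```powershell
# Added example, not from the original post or the Nessus plugin. Runs the
# plugin's version-info test next to checks that copying VERSIONINFO does not
# defeat. Run elevated on the host being examined.
param(
    [string]$Target = "$env:SystemRoot\System32\sethc.exe",
    # Placeholder: SHA256 of sethc.exe taken from a clean host of the same build.
    [string]$KnownGoodSha256 = ''
)

$findings = @()

# 1. What smb_sethc_backdoor.nasl checks: InternalName and OriginalFilename.
#    Assumption: a ".mui" suffix (as in "Cmd.Exe.MUI" above) is tolerated.
$vi = (Get-Item $Target).VersionInfo
if ($vi.InternalName -notmatch '^sethc(\.exe)?(\.mui)?$' -or
    $vi.OriginalFilename -notmatch '^sethc(\.exe)?(\.mui)?$') {
    $findings += "version info: InternalName='$($vi.InternalName)' OriginalFilename='$($vi.OriginalFilename)'"
}

# 2. Catalog/Authenticode signature. A resource-edited binary no longer hashes
#    to a catalog entry, so this catches the ResourceHacker bypass; a byte-identical
#    copy of the signed cmd.exe can still validate, hence the hash checks below.
$sig = Get-AuthenticodeSignature -FilePath $Target
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    $findings += "signature: $($sig.Status)"
}

# 3. Hash of the System32 copy against the component-store copy in WinSxS, the
#    same comparison sfc logs in CBS.log. The store copy can be corrupted too.
$live = (Get-FileHash -Path $Target -Algorithm SHA256).Hash
$store = Get-ChildItem -Path "$env:SystemRoot\WinSxS\*microsoft-windows-sethc_*" `
    -Filter sethc.exe -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash }
if ($store -and $live -notin $store) {
    $findings += "hash: $live does not match any WinSxS store copy"
}

# 4. Optional baseline from a known-clean host of the same build.
if ($KnownGoodSha256 -and $live -ne $KnownGoodSha256.ToUpper()) {
    $findings += "hash: $live does not match baseline $KnownGoodSha256"
}

if ($findings) {
    Write-Warning "$Target appears modified:"
    $findings | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Output "$Target passed version-info, signature and hash checks"
}
```

Step 3 reproduces the condition sfc reported above (store copy also corrupted), so the baseline in step 4 is what actually settles the question in that case.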
