MichaelAdams-5874 asked MotoX80 commented

Can't Delete Folder Called COM1 on Windows Server 2019

Hackers attacked a Windows Server 2019, and in the process put a folder called COM1 on Drive C. I have made a number of attempts to delete this folder. Unfortunately, COM1 is a reserved name. Here is what I have tried; all of it has failed.

I took ownership of the folder back to the Administrators group, which I was able to do. However, it did not allow the folder removal process through File Explorer.

Then I tried removing the directory from a DOS prompt.

rmdir \\?\<x>:\<path_to_folder>\<COM1>

Result: "Access denied".

Then I tried renaming the folder.

ren "\\.\C:\<path to folder>\COM1" TEMP

Result: "Access denied".

File Explorer shows the folder is shared, but if I go to Advanced Options, it does not show up as a Share. It also does not show up
as a shared folder in Computer Management.

I tried running the attrib command from a DOS prompt. It will display the attributes of the folder, (only Archive shows). Trying to set attributes results in,

Path not found - \\.\com1\

I am running out of ideas. Any help would be appreciated.

Tags: windows-server, windows-server-security

MotoX80 answered MotoX80 commented

So it came back with a file or directory called FRArX with access denied.

Try this sequence.

 icacls \\.\c:\Progra~3\COM1  /inheritance:r  /grant:R  everyone:f /t 
 attrib -R -S -H  \\.\c:\Progra~3\com1   
 attrib -R -S -H  \\.\c:\Progra~3\com1\*  /S /D 
 rd  \\.\c:\Progra~3\COM1 /s /q 

If that doesn't work, try the rename. If that works, then there should not be any restrictions on the name.

 ren \\.\c:\Progra~3\COM1 XXX




Progress is being made!!!

I wasn't able to remove the directory, but I was able to rename it. I think the mystery folder FRArx is what's holding us up now.

[attachment: capture9.png]
MotoX80 commented

Good. So now you should be able to reference that folder as C:\ProgramData\xxx\FRArX and use the explorer to change ownership and permissions and do a delete.


Success!!! You did it MotoX80!!! It's gone.

It turned out there was an .aspx file also inside the FRArX folder that also had to be deleted. It had System, Hidden, Read-only attributes.

I turned off the Read Only attributes for the FRArX folder and the .aspx file. The ownership for both said "Unable to display current owner". I changed both to Administrator.

I then could see the directory and file rights (they were blocked from view before the Owner was changed). SYSTEM was present but did not have Full Rights. I changed it to Full Rights. I also added user Administrator, and gave it Full Rights.

I was then able to delete the .aspx file, then the FRArX folder, and finally the XXX folder.

MotoX80, huge THANK YOU for hanging in there and providing all your help. I could not have done this without your help.

I also want to thank Gary Nebbett, Andreas Baumgarten and Crypt32 who assisted with this project, too, and kept the ideas flowing.

It feels great to have this folder gone. :-)

Best wishes,

Michael



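Added example, not code from the thread: the sequence that finally worked above (ownership back to Administrators, Read-only/System/Hidden cleared, the deny ACE removed by resetting the ACL, then delete), driven from PowerShell over a \\?\ path so the reserved-name folder and its hidden children with unreadable owners are handled in one pass, with a listing of the parent afterwards as the real check. It assumes icacls, attrib and cmd's rd accept the \\?\ prefix (the thread shows they do with \\.\); takeown accepting it is an assumption; the target C:\ProgramData\COM1 is the path from this thread, and the function names are mine.

```powershell
# Added example, not code from the thread. Assumes icacls/attrib/rd accept \\?\
# (the thread shows this with \\.\), that takeown does too (assumption), and
# that the target path at the bottom is the one to clean. Run elevated.

function ConvertTo-Win32LiteralPath {
    param([Parameter(Mandatory)][string]$Path)
    # The \\?\ prefix turns off Win32 path parsing, including the rule that
    # maps COM1 (and CON, PRN, AUX, NUL, LPTn) to a device.
    if ($Path.StartsWith('\\?\')) { return $Path }
    if ($Path -notmatch '^[A-Za-z]:\\') { throw "Absolute drive path required: $Path" }
    return '\\?\' + $Path
}

function Invoke-Native {
    param([string]$Exe, [string[]]$ArgList)
    # Echo the command, show its output, and report success by exit code so a
    # quiet "Access is denied" in the middle of the sequence is not missed.
    Write-Host ">> $Exe $($ArgList -join ' ')"
    & $Exe @ArgList 2>&1 | ForEach-Object { Write-Host "   $_" }
    return ($LASTEXITCODE -eq 0)
}

function Get-DenyAces {
    param([string]$LiteralPath)
    # icacls prints one ACE per line; (DENY) marks explicit deny entries such as
    # the NT AUTHORITY\SYSTEM:(DENY)(W,D) entry that /grant left in place.
    & icacls.exe $LiteralPath /t /c 2>&1 | Where-Object { "$_" -match '\(DENY\)' }
}

function Remove-HostileDirectory {
    param([Parameter(Mandatory)][string]$Path, [switch]$ReportOnly)
    $p = ConvertTo-Win32LiteralPath $Path
    Write-Host "Deny ACEs under ${Path}:"
    Get-DenyAces $p | ForEach-Object { Write-Host "   $_" }
    if ($ReportOnly) { return $null }

    $steps = @(
        # 1. Ownership to Administrators, recursively, for the children whose
        #    owner shows as "Unable to display current owner".
        @{ Exe = 'takeown.exe'; Args = @('/F', $p, '/A', '/R', '/D', 'Y') }
        # 2. Clear Read-only/System/Hidden on the folder and everything below it.
        @{ Exe = 'attrib.exe';  Args = @('-R', '-S', '-H', $p) }
        @{ Exe = 'attrib.exe';  Args = @('-R', '-S', '-H', "$p\*", '/S', '/D') }
        # 3. Replace the ACLs: /reset removes explicit ACEs (the deny entry),
        #    then one explicit full-control grant with inheritance cut. The
        #    grant is transient; the tree is deleted in the next step.
        @{ Exe = 'icacls.exe';  Args = @($p, '/reset', '/t', '/c') }
        @{ Exe = 'icacls.exe';  Args = @($p, '/inheritance:r', '/grant:r', 'Everyone:F', '/t', '/c') }
        # 4. Delete. cmd's exit code for rd is not a reliable signal, so the
        #    listing of the parent afterwards is the real check.
        @{ Exe = 'cmd.exe';     Args = @('/c', 'rd', '/s', '/q', $p) }
    )
    foreach ($s in $steps) {
        if (-not (Invoke-Native $s.Exe $s.Args)) {
            Write-Warning "non-zero exit: $($s.Exe) $($s.Args -join ' ') (continuing)"
        }
    }

    # Verify by listing the parent: Test-Path on the entry itself would resolve
    # the reserved name back to a device.
    $parent = Split-Path -Parent $Path
    $leaf   = Split-Path -Leaf $Path
    $still  = cmd.exe /c dir /b /a $parent 2>$null | Where-Object { $_ -ieq $leaf }
    if ($still) {
        Write-Warning "$Path is still present. Next: handle.exe -a $leaf (open handles), fltmc instances (filter drivers), fsutil file layout /v $p."
        return $false
    }
    Write-Host "$Path removed."
    return $true
}

# Target from this thread. Run with -ReportOnly first to see the deny entries.
$Target = 'C:\ProgramData\COM1'
Remove-HostileDirectory -Path $Target -ReportOnly
# Remove-HostileDirectory -Path $Target
```

The steps are deliberately not stopped on the first failure: attrib and icacls commonly fail on one child yet fix the rest, and the listing of the parent at the end decides whether the job is done. If the entry is still there, the remaining suspects are the ones raised later in the thread: an open handle, a filter driver, or on-disk metadata worth inspecting with fsutil.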
MotoX80 answered

This worked for me on Win10.

 rd \\.\c:\temp\ComTest\COM1
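Added example, not code from the thread: MotoX80's test above creates and removes COM1 with the \\?\ form of the path. The script below reproduces that on a scratch directory and goes one step further with a scanner that walks a tree for any reserved-name entry (CON, PRN, AUX, NUL, COM1-9, LPT1-9, with or without an extension) and prints the \\?\ path you would use on each. It assumes cmd.exe's mkdir, rd and dir accept the \\?\ prefix (the thread shows rd does with \\.\), and C:\temp\ComTest is a hypothetical scratch path.

```powershell
# Added example, not code from the thread. Run from an elevated PowerShell
# prompt on a test box. Assumes cmd.exe's mkdir/rd/dir accept the \\?\ prefix
# (the thread shows rd working with \\.\); $ScratchRoot is a hypothetical path.

$ReservedName = '^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(\..*)?$'

function Test-ReservedName {
    param([Parameter(Mandatory)][string]$Name)
    # Win32 maps these names (with or without an extension) to devices, so
    # ordinary tools given C:\...\COM1 talk to the serial port, not the folder.
    return ($Name -imatch $ReservedName)
}

function ConvertTo-Win32LiteralPath {
    param([Parameter(Mandatory)][string]$Path)
    # \\?\ switches off Win32 path parsing, including device-name mapping, so
    # the name becomes an ordinary directory entry. Requires an absolute path.
    if ($Path.StartsWith('\\?\')) { return $Path }
    if ($Path -notmatch '^[A-Za-z]:\\') { throw "Absolute drive path required: $Path" }
    return '\\?\' + $Path
}

function Find-ReservedNameItems {
    param([Parameter(Mandatory)][string]$Root)
    # cmd's dir /s /b /a lists every entry, hidden and system included, by full
    # path; it does not try to open the entries, so COM1 shows up in the list.
    cmd.exe /c dir /s /b /a $Root 2>$null |
        Where-Object { Test-ReservedName (Split-Path -Leaf $_) } |
        ForEach-Object {
            [pscustomobject]@{
                Path        = $_
                LiteralPath = ConvertTo-Win32LiteralPath $_
            }
        }
}

function Test-EntryExists {
    param([string]$Parent, [string]$Name)
    # Enumerate the parent instead of Test-Path on the entry itself, which
    # would again resolve the reserved name to a device.
    $hit = cmd.exe /c dir /b /a $Parent 2>$null | Where-Object { $_ -ieq $Name }
    return [bool]$hit
}

# --- demo on a scratch directory (hypothetical path) ---
$ScratchRoot = 'C:\temp\ComTest'
New-Item -ItemType Directory -Path $ScratchRoot -Force | Out-Null
$Bad = ConvertTo-Win32LiteralPath "$ScratchRoot\COM1"

cmd.exe /c mkdir $Bad                      # only the \\?\ form can create it
Find-ReservedNameItems -Root 'C:\temp' | Format-Table -AutoSize

cmd.exe /c rd "$ScratchRoot\COM1"          # plain path: the name is a device
"present after plain rd: $(Test-EntryExists $ScratchRoot 'COM1')"

cmd.exe /c rd $Bad                         # \\?\ form: the entry is removed
"present after \\?\ rd: $(Test-EntryExists $ScratchRoot 'COM1')"
```

Pointing Find-ReservedNameItems at C:\ProgramData or a web root is the quick way to check whether the attacker left more than one of these; the attribute and ACL tricks seen later in this thread are what make the folder hard to delete, the reserved name only keeps Explorer and plain paths from reaching it.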

MichaelAdams-5874 answered MichaelAdams-5874 commented

I appreciate the suggestion very much. Unfortunately, I got the same "Access denied" message.


Can you see the permissions or the ownership on the folder? Or grant everyone access? Open the command prompt with "Run as administrator".

 icacls \\.\c:\temp\ComTest\COM1
 dir /q \\.\c:\temp\ComTest\com1
 icacls \\.\c:\temp\ComTest\com1 /grant everyone:f








Here are the results:

icacls \\.\c:\Progra~3\COM1
\\.\c:\Progra~3\COM1 NT AUTHORITY\SYSTEM:(DENY)(W,D)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA)

dir /q \\.\c:\Progra~3\COM1

Directory of \\.\c:\Progra~3\COM1

File Not Found

icacls \\.\c:\Progra~3\COM1 /grant everyone:f

processed file: \\.\c:\Progra~3\COM1
Successfully processed 1 files; Failed processing 0 files

rd \\.\c:\Progra~3\COM1

Access is denied

Crypt32 answered MichaelAdams-5874 commented

You have a different and more serious problem than this magic folder. The real problem is that the server is compromised and you have to perform a format and reinstall of the entire server and restore from the last known good backup. You may need to examine other machines on your network because they can be compromised as well.

Regarding the magic folder — you have to use a non-Win32 tool to delete the folder. But this doesn't solve your root problem.



I am not disagreeing with you, but since this is a production Exchange Server, I have to leave that as a last resort. I have done extensive remediation, and this folder is a remnant.

Do you have any POSIX tools you could recommend I try?

MotoX80 answered MotoX80 commented

I took ownership of the folder back to the Administrators group, which I was able to do.

If you opened the command prompt with "run as administrator", then I would have expected the RD command to work.

If a reinstall as Crypt32 suggested is not an option, try using psexec.

https://docs.microsoft.com/en-us/sysinternals/downloads/psexec

 psexec \\localhost -s cmd.exe

That will get you a command prompt running as the system account. Then run the RD command that I posted earlier. "Exit" will close the session.

Are you sure that you got all of the malware? If you've got a rogue process still running with an open handle to that folder, you won't be able to delete it. What steps did you take to clean the server?




Command prompt won't help.


But running as SYSTEM might.


It is not a real permission issue, because it is a special file/folder name, so SYSTEM permissions won't help.


Unfortunately, I still got "Access is denied" when running psexec. I confirmed it was running as the System user with the "whoami" command.

I used a Powershell command earlier to confirm the folder was not locked by a process. It was clear of any processes.

AndreasBaumgarten answered MichaelAdams-5874 commented

Is this server a VM or a physical server?
If it is a VM and the challenge is to delete just the folder, why not shut down the VM, mount the virtual disk to a "clean VM" as an additional drive and try to delete the folder (after taking ownership and modifying the ACL if required)?
If successful, mount the drive back to the Exchange VM again.

Just an idea.



Regards
Andreas Baumgarten


This server does not have a VM. Just Windows Server 2019.

MotoX80 answered MotoX80 commented

icacls \\.\c:\Progra~3\COM1
\\.\c:\Progra~3\COM1 NT AUTHORITY\SYSTEM:(DENY)(W,D)

You've got a deny acl for system on the folder. Try this sequence from an admin command prompt. If that doesn't work try it from psexec.

 icacls \\.\c:\Progra~3\com1 /inheritance:d
 icacls \\.\c:\Progra~3\com1 /grant:r  everyone:f
 icacls \\.\c:\Progra~3\com1
 rd  \\.\c:\Progra~3\com1 





I appreciate all of the suggestions.

I first ran the commands from the Administrator command prompt. Here are the results.

icacls \\.\c:\Progra~3\com1 /inheritance:d

processed file: \\.\c:\Progra~3\com1
Successfully processed 1 files; Failed processing 0 files


icacls \\.\c:\Progra~3\com1 /grant:r everyone:f

processed file: \\.\c:\Progra~3\com1
Successfully processed 1 files; Failed processing 0 files


icacls \\.\c:\Progra~3\com1

\\.\c:\Progra~3\com1 NT AUTHORITY\SYSTEM:(DENY)(W,D)
Everyone:(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
BUILTIN\Administrators:(OI)(CI)(F)
CREATOR OWNER:(OI)(CI)(IO)(F)
BUILTIN\Users:(OI)(CI)(RX)
BUILTIN\Users:(CI)(WD,AD,WEA,WA)


rd \\.\c:\Progra~3\com1

Access is denied.

I then ran from psexec, and, unfortunately, got the same results.

MotoX80 commented

Icacls isn't replacing the permissions. Try cacls. This command will prompt you to enter a Y.

 cacls \\.\c:\Progra~3\com1 /grant  everyone:f


Then check the perm with icacls. You should only have one entry for everyone full.

 icacls \\.\c:\Progra~3\com1 

Then try the RD command.

MotoX80 answered

Ok, this appears to be working.

 icacls \\.\c:\Progra~3\COM1 
 icacls \\.\c:\Progra~3\COM1 /reset
 icacls \\.\c:\Progra~3\COM1  /inheritance:r  /grant:R  everyone:f
 icacls \\.\c:\Progra~3\COM1
 rd  \\.\c:\Progra~3\COM1
 dir  \\.\c:\Progra~3


Point 1 is inherited and explicit credentials on a folder named COM1.
Point 2 is where COM1 only has everyone full control.
Point 3 is COM1 deleted.

[attachment: capture.jpg]

If you still get access denied, then I can only conclude that your server is still infected, and the malware is still running.




AndreasBaumgarten answered MichaelAdams-5874 commented

If this is a physical server and maybe the malware is still running ...
What about booting the computer from a different source/media to get just the disk access?



Regards
Andreas Baumgarten


Thanks for the idea. Do you have any suggestions for what to use as boot media?

You could give it a try with the Windows Server Recovery Console:

  1. Insert the Windows Server 2019 installation media into your computer and boot from this media

  2. At the Windows Setup Dialog configure your settings and click Next

  3. Click Repair your Computer -> Troubleshoot -> Command Prompt



Regards
Andreas Baumgarten




Thanks, Andreas!

I'm not actually onsite, so I can't perform this right away. I'll keep this in mind if none of the remote techniques fail.

MichaelAdams-5874 answered MichaelAdams-5874 commented

Here are the results of the commands.

[attachment: capture1.png]

I also found some other issues with this folder, which I believe may be causing it not to be deleted. I believe the hackers corrupted some of the directory information associated with this folder. For instance, there are no creation or modified dates.

[attachment: capture2.png]

I ran the Farbar tool, and it shows this for the directory.

0-00-00 00:00 - 2446-65429-65535 17756:00 - 000000000 _ C:\ProgramData\COM1

It should look something like this Windows INF folder.

2021-12-18 15:54 - 2018-09-14 23:17 - 000000000 ____D C:\Windows\INF

I believe the first date is supposed to be the Modified date. COM1 has all zeros.

I believe the second date is supposed to be the creation date. COM1 has some crazy number in there.

I ran these Powershell commands to see if any processes were running on the folder.

$Regex = "C:\ProgramData\COM1"

# -like needs wildcards; without them only a command line that is exactly the path would match
Get-WmiObject Win32_Process | Where {$_.CommandLine -like "*$Regex*"} | Select -Property Name,ProcessId,CommandLine | Format-Table

It came back with no entries, so I don't believe any malware has locked the folder.




It came back with no entries, so I don't believe any malware has locked the folder.

You are only looking at the command lines. You have to search for open file handles.

https://docs.microsoft.com/en-us/sysinternals/downloads/handle

From an admin command prompt run:

 handle -a com1









Thank you for the suggestions. I ran the handle program. Here are the results.

handle -a com1

Nthandle v4.22 - Handle viewer
Copyright (C) 1997-2019 Mark Russinovich
Sysinternals - www.sysinternals.com

No matching handles found.

MotoX80 commented

So much for that idea.

Try the fsutil command that @GaryNebbett suggested.

And just for fun open a Powershell admin prompt and try this.

 # -LiteralPath: with -Path the "?" would be read as a wildcard; -Force is needed for a Hidden/System item
 (get-item -LiteralPath "\\?\c:\Progra~3\COM1" -Force) | format-list -Property *
 (get-item -LiteralPath "\\?\c:\Progra~3\COM1" -Force).LastWriteTime = (get-date)
 (get-item -LiteralPath "\\?\c:\Progra~3\COM1" -Force) | format-list -Property *


What does that show?

I get hooked on problems like this, and we can't let the computer demons win!!.


Maybe try running a chkdsk too.


Good idea! I ran Disk Scan, but not actually chkdsk. I'll run this tonight since it has to be done on a restart.

I'll run

chkdsk /f


Ran chkdsk /f and then,

C:\>rd \\.\c:\PROGRA~3\COM1
Access is denied.

Argh!


Hello All,

The results of the tests that have been posted so far are difficult to understand (they don't correspond with my expectations).

My suggestion would be to try the following two things:

  1. Issue the command fsutil file layout /v \\.\C:\Progra~3\COM1 and report the results.

  2. Try any of the previous suggestions whilst tracing with ETW (Event Tracing for Windows), Procmon or any other similar tool and check the failure status of the low level (native) API that tries to delete the directory.

Gary




The results of the tests that have been posted so far are difficult to understand (they don't correspond with my expectations).

What specifically don't you understand?


Hello Dave,

Sorry, that was a poor way of expressing myself.

What I can't understand is how the "rmdir" command could fail with error message "Access denied", given all of the steps and checks that have been performed on its security descriptor. That is why it might be helpful to see the NTSTATUS returned at the lowest level possible (in case that "Access denied" is a poor translation of an NTSTATUS to a Win32 status).

One could also try issuing the command fltmc instances to see if there are any "unusual" file system filter drivers in operation.

Gary


Hi Gary,

I got called away to another job yesterday, but I am back on it again today.

Thank you for the suggestions.

Here the results of the fsutil command.


[attachment: capture4.png]

Hello Michael,

There are two (slightly) odd items in that listing.

The minor point is the File attributes (Hidden and System as well as Directory). I would have guessed that you would have removed the System and Hidden attributes at some stage in your attempt to remove the directory.

The major point (for me, since it is unexpected and will need some more research) is the "HLINK Name" information. As far as I knew, the only two name types were NTFS and DOS (as documented here: https://docs.microsoft.com/en-us/windows/win32/devnotes/file-name). Let's see what we can find out about "HLINK".

BTW, have you any update on the "fltmc instances" command? The filters that I have are: FileInfo, WdFilter, Wof, bindflt, luafv and wcifs. If you have anything else then let us know.

Gary
