Team: Huntress EDR
Product: Remote access tools using 32-bit applications
Summary: Remote access tools that run as 32-bit processes can appear to "hide" files or registry values because of WOW64 redirection, so review the reported foothold for its exact location and remediate from a 64-bit view of the system.
I Don't See The Foothold That Was Reported?
We occasionally get questions about a reported foothold not being found on the host. In our experience, this is most often caused by the remote access tool "hiding" the file or registry value: the tool runs as a 32-bit process, while the item is located in the 64-bit view of the file system or registry (for example the real C:\Windows\System32 directory, or HKLM\SOFTWARE rather than HKLM\SOFTWARE\WOW6432Node). The tool is not lying to you; Windows is silently redirecting its requests. In these cases you'll want to use the 64-bit tools included with Windows (cmd.exe, PowerShell, or regedit launched from C:\Windows\System32) to perform the remediation (and demand better support from your tool provider ;).
On 64-bit Windows, the WOW64 subsystem isolates 32-bit applications from 64-bit applications to prevent file and registry collisions. To illustrate this, in the image below we created a folder "c:\windows\system32\0000__system32_folder" and opened the 32-bit command prompt (c:\windows\syswow64\cmd.exe).
Note that the directory listing from the 32-bit command prompt does not show "0000__system32_folder", but rather the folder we created in c:\windows\syswow64. That is because Windows redirects c:\windows\system32 to c:\windows\syswow64 for 32-bit applications. To access the "actual" system32 directory from a 32-bit application you need to use a special path, c:\windows\sysnative. Keep in mind that sysnative is an alias that only exists for 32-bit processes: from a 64-bit command prompt or PowerShell it does not resolve, and you simply use c:\windows\system32 directly. The same idea applies to the registry, where 32-bit processes see most of HKLM\SOFTWARE redirected to HKLM\SOFTWARE\WOW6432Node.
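The following PowerShell script is an added example, not code from the Huntress page or product. Given a reported foothold path or registry key, it reports whether the current process is subject to WOW64 redirection and checks every view the item could live in (the path as reported, the SysWOW64 location a 32-bit tool actually opened, the Sysnative alias when running as 32-bit, and the WOW6432Node twin of a HKLM\SOFTWARE key). It assumes 64-bit Windows; the function names and the sample inputs at the bottom are constructed for illustration.

```powershell
# Added example (not from the Huntress page): show which WOW64 view a reported
# foothold really lives in. Assumes 64-bit Windows; sample inputs are constructed.

function Get-Wow64State {
    # Redirected is $true when this process is 32-bit on a 64-bit OS, i.e. its
    # System32 and HKLM\SOFTWARE requests are being redirected by WOW64.
    [PSCustomObject]@{
        Is64BitOS      = [Environment]::Is64BitOperatingSystem
        Is64BitProcess = [Environment]::Is64BitProcess
        Redirected     = ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess)
    }
}

function Resolve-FootholdPath {
    param([Parameter(Mandatory)][string]$Path)
    $state    = Get-Wow64State
    $system32 = Join-Path $env:SystemRoot 'System32'
    $views    = [ordered]@{ 'as reported' = $Path }

    # Match "<SystemRoot>\System32" optionally followed by a sub-path
    # (-match is case-insensitive by default, so no (?i) is needed).
    if ($Path -match ('^' + [regex]::Escape($system32) + '(\\.*)?$')) {
        $rest = $Matches[1]
        # What a 32-bit tool actually opened when it asked for System32.
        $views['SysWOW64 (32-bit view)'] = (Join-Path $env:SystemRoot 'SysWOW64') + $rest
        if ($state.Redirected) {
            # Sysnative only exists for 32-bit processes; a 64-bit shell sees the
            # real System32 directly and Test-Path on Sysnative would return $false.
            $views['Sysnative (real System32)'] = (Join-Path $env:SystemRoot 'Sysnative') + $rest
        }
    }
    foreach ($name in $views.Keys) {
        [PSCustomObject]@{
            View   = $name
            Path   = $views[$name]
            Exists = (Test-Path -LiteralPath $views[$name])
        }
    }
}

function Resolve-FootholdRegistryKey {
    # Expects the PowerShell provider form, e.g. HKLM:\SOFTWARE\Vendor\Product
    param([Parameter(Mandatory)][string]$Key)
    $views = [ordered]@{ 'as reported' = $Key }

    # Most of HKLM\SOFTWARE is redirected to HKLM\SOFTWARE\WOW6432Node for 32-bit
    # processes (a few subkeys are shared between views), so check both.
    if ($Key -match '^HKLM:\\SOFTWARE\\(?!WOW6432Node\\)(.+)$') {
        $views['WOW6432Node (32-bit view)'] = "HKLM:\SOFTWARE\WOW6432Node\$($Matches[1])"
    }
    foreach ($name in $views.Keys) {
        [PSCustomObject]@{
            View   = $name
            Key    = $views[$name]
            Exists = (Test-Path -LiteralPath $views[$name])
        }
    }
}

# --- constructed sample inputs, shaped like a reported foothold ---
Get-Wow64State
Resolve-FootholdPath -Path 'C:\Windows\System32\0000__system32_folder' | Format-Table -AutoSize
Resolve-FootholdRegistryKey -Key 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' | Format-Table -AutoSize
```

Run it once from a 32-bit PowerShell (C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, which is what a 32-bit remote access tool effectively gives you) and once from the 64-bit PowerShell in C:\Windows\System32\WindowsPowerShell\v1.0, and compare the Exists column: the "as reported" row flips depending on the bitness of the shell. If you are stuck inside a 32-bit tool and need a 64-bit shell for remediation, launching C:\Windows\Sysnative\cmd.exe or C:\Windows\Sysnative\WindowsPowerShell\v1.0\powershell.exe from it starts the real 64-bit binary.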