Ivanti Endpoint Manager

2023-09-13 by Micah Babinski (mbabinski)

Ivanti does some weird stuff

The command-line arguments for the exes listed below occasionally contain fragmented, seemingly-random strings containing special unicode characters, what looks like bits of HTML or XML tags, and/or URL-enocoded strings. For example:

• LDdrives.exe -p 51205 -c -s -b5D€Cv
• LDdrives.exe -p 51205 -c -s -b8µq
• LDdrives.exe -p 51205 -c -s "-b8¶(+N& "
• LDmemory.exe -p 51207 -c -s "-b32164/><key nam=ÂgËo�"
• LDnetwork.exe -p 51214 -c -s -b10žÊ/€/�

These processes all spawn instances of Console Host (conhost.exe) with the 0x4 flag, like C:\Windows\system32\conhost.exe 0x4.

Documentation