Beyond good ol’ Run key, Part 72

February 9, 2018 in Anti-*, Anti-Forensics, Autostart (Persistence), Compromise Detection, Forensic Analysis, Incident Response, Malware Analysis

In my old post I described a simple trick that shows how to set up a hot key that can be assigned to execute shortcuts (.LNK files) placed on a Desktop or in a Start Menu. This action survives reboots and logon/logoffs so it’s a nice, and somehow accidental persistence mechanism.

Turns out there is one more variant of this trick that relies on using the .URL files.

Placing a .URL files containing the following data:

[InternetShortcut]
URL=file:///c:/windows/system32/calc.exe
HotKey=768

on a Desktop will assign CTRL+SHIFT sequence to an action that will trigger the execution of the calculator.

The Hotkey can be assigned either manually (via properties):

– in such case you won’t be able to assign the more trickier combinations like CTRL+SHIFT. Or we can do it manually, and in such case all the hotkey tricks are available. All you have to do is to assign a proper value to the HotKey parameter inside the .url file.

You can find out what values represent what codes or by experimenting… or… you can cheat and read this old guide: An Unofficial Guide to the URL File Format.

 

 

Endpoint Detection and Response (EDR) solutions sheet – update

February 4, 2018 in EDR

I recently mentioned how cool it is to collaborate with people online. You publish some stuff and others provide corrections and improvements. Others publish some stuff and sometimes you can give them some hints, or ideas.

Today’s update is about collaboration too – Amos Yau kindly offered to update the IR_EndPointSolutions.xlsx file with some new information about:

  • Countertack
  • CrowdStrike
  • Mandiant/FireEye
  • ReaQta

Thank you Amos!

The latest EDR sheet can be found here.

As usual, if you find anything wrong/needing some amendment, please do let me know. I’ll fix it.