Beyond good ol’ Run key, Part 44

August 19, 2016 in Anti-Forensics, Autostart (Persistence), Compromise Detection, Forensic Analysis, Incident Response

In my previous post I described a persistence mechanism that is triggered when someone is connecting to the infected system via RDP.

This is an interesting way to stay alive, but it would be probably much better if we could apply the same logic not to the server, but to the client.

That is – launch a DLL of our choice anytime someone tries to use mstsc.exe…


Not really.

Did I mention testing?

Yet another artifact that seems to be testing-related is this:

  • HKLM\SOFTWARE\Microsoft\Terminal Server Client
    ClxDllPath=<path to DLL>


Adding this to the Windows 10 Registry:


will give us the following result:

test_clientThe c:\test\test_client.dll is loaded anytime we start mstsc.exe.

We don’t even need to connect to the real system. Just launching mstsc.exe is enough,

Updated EDR sheet

August 12, 2016 in EDR

I have received tones of emails and am finally catching up. Thank you to everyone who provided the feedback and especially those of you who took an effort and time to make it as constructive as possible, I really really appreciate it!

I have updated and merged all the comments I came across. If you find anything missing or wrong, just please let me know and I’ll fix it. A typical turnaround is one week. If I missed your comments, I apologize in advance – hard to keep up with the mail goodness I am receiving 🙂 Thank you for your understanding!

Last, but not least – if you do happen to whine about the quality of this sheet, notice that this is a collaborative effort – let me know what’s wrong and I’ll fix it. Saying that’s it’s a piece of crap (yup, received blunt comments like this too 🙂 ) is okay as long as you explain why…

I promise I will put the next version of this sheet on Google Sheet – please bear with me.

The latest EDR sheet can be found here.