Beyond good ol’ Run key, Part 38

May 27, 2016 in Anti-Forensics, Autostart (Persistence), Compromise Detection, Forensic Analysis, Incident Response

It’s been a while since my last post about persistence tricks. Today I decided to fix this and write about yet another trick – kinda old, yet still cool – that works even today despite being as old as Windows NT.

The userinit.exe process was featured in a number of persistence posts before (here , here and here). Turns out, we have not given it all the attention it needs yet.

When you add a new user to the system, you have an option to change some properties of the user account as shown on the below screenshot. One of these properties is responsible for loading the user logon script (I named it foobar123.bat on the test system).

pic0

The alternative to GUI is using the following command:

  • net user /scriptpath:<Relative Path>

Once added to the user properties, the script will be executed anytime user logs on:

pic3

You may be wondering where on the system it has to be placed to ensure it is executed.

There are two places:

  • You can place it on Netlogon share:
    • either the real one from the domain controller (where all user scripts reside),
      or
    • you can create a fake, local one by using the trick shown below:

pic1

In such case the script will be loaded like this:

pic4

  • You can place it inside the %systemroot%\System32\Repl\Import\Scripts directory

In such case it will be executed like this:

pic2If you use net user command, the relative path is relative to %systemroot%\System32\Repl\Import\Scripts.

This trick is not my idea and is described in various places on the internet – I shamelessly ‘borrowed’ most of the bits and ideas from here.

Share this :)

Comments are closed.