Beyond good ol’ Run key, Part 66

October 5, 2017 in Anti-*, Autostart (Persistence), Compromise Detection, Forensic Analysis

I discussed Winsock-based persistence in the past.

There is one more.

It is a bit unusual, as it has to do with automatic proxy configuration, so it’s a bit tricky to reproduce. I have honestly not made an attempt to fully understand the logic Winsock uses to determine how to find the proxy, plus it’s pretty late and I only discovered it now, so maybe some other time…

For the purpose of this post, one thing that is interesting is this key:

  • HKCR\AutoProxyTypes

The two standard entries underneath are:

  • Application/x-internet-signup
  • Application/x-ns-proxy-autoconfig

It turns out you can add your own e.g.:

Winsock will enumerate the child nodes of the AutoProxyTypes key while trying to find the proxy and will load the DLLs located underneath.
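
Because only two entries are standard, this key is easy to baseline. The PowerShell below is an added example, not code from the original post: it lists every child of HKCR\AutoProxyTypes, flags any that is not one of the two standard entries named above, and dumps all of its values for review. The function name is hypothetical and no particular value names are assumed.

```powershell
# Added audit example, not code from the original post.
# Baseline = the two standard entries named in the post.
$Baseline = @(
    'Application/x-internet-signup',
    'Application/x-ns-proxy-autoconfig'
)

function Get-AutoProxyTypeEntry {   # hypothetical helper name
    # The .NET registry API is used because these subkey names contain '/',
    # which the PowerShell registry provider treats as a path separator.
    $root = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey('AutoProxyTypes')
    if ($null -eq $root) { return }          # key not present on this host
    try {
        foreach ($name in $root.GetSubKeyNames()) {
            $sub = $root.OpenSubKey($name)
            if ($null -eq $sub) { continue }
            try {
                # Collect every value as stored (no environment expansion).
                $values = @{}
                foreach ($v in $sub.GetValueNames()) {
                    $label = if ($v -eq '') { '(Default)' } else { $v }
                    $values[$label] = $sub.GetValue($v, $null,
                        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
                }
                New-Object PSObject -Property @{
                    Name     = $name
                    Standard = ($Baseline -contains $name)   # case-insensitive match
                    Values   = $values
                }
            } finally { $sub.Close() }
        }
    } finally { $root.Close() }
}

# Report anything outside the baseline, with all of its values.
$extra = @(Get-AutoProxyTypeEntry | Where-Object { -not $_.Standard })
foreach ($e in $extra) {
    Write-Output ("Non-standard AutoProxyTypes entry: {0}" -f $e.Name)
    foreach ($k in $e.Values.Keys) {
        Write-Output ("    {0} = {1}" -f $k, $e.Values[$k])
    }
}
if ($extra.Count -eq 0) {
    Write-Output 'No non-standard AutoProxyTypes entries found.'
}
```

HKCR is the merged view of HKLM\Software\Classes and HKCU\Software\Classes, so entries from either hive appear in the output.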

I had luck reproducing it on Windows 7 while tinkering with the Internet Options/LAN Settings (enabling/disabling it), but could not make it work on Windows 10. I may come back to do some more testing later on, but for now this screenshot should suffice:
