This is just a quick post to highlight a possibility of abusing yet another configuration setting for persistence purposes. There is not much trickery at work: it is a legitimate feature documented by Microsoft that changes the way executable manifests are loaded.
By setting the registry value:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide "PreferExternalManifest"=dword:00000001
the system will prefer an external .manifest file (named after the executable, e.g. app.exe.manifest, and placed in the same directory) over the manifest embedded in the executable, whenever such a file exists. Because the application manifest decides which Side-by-Side (SxS) assemblies the process binds to, modifying such an external .manifest (or dropping one where none existed) lets an attacker get a malicious component loaded into the process (DLL side-loading via Side by Side /SxS/).
While googling around about this setting I came across these posts that highlight issues you may come across when this setting is changed and the Windows SxS Activation Context Cache is not refreshed (the setting and the external manifest will be ignored until you force a cache refresh by manipulating the timestamps):
- http://csi-windows.com/blog/all/27-csi-news-general/245-find-out-why-your-external-manifest-is-being-ignored
- https://blogs.msdn.microsoft.com/junfeng/2007/10/01/windows-vista-sxs-activation-context-cache/
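As an added example (not code from the original post), the PowerShell audit below is what a defender would run to check a host for this technique: it reads the PreferExternalManifest value, enumerates external <name>.exe.manifest files under a few search roots, parses the dependent assemblies each one declares, and reports the manifest and executable write times, since the cache caveat above means the timestamps decide whether a modified manifest is actually in effect. The search roots, the constructed sample manifest and the Contoso.* names are assumptions for illustration.

```powershell
# Added audit example, not from the original post. Search roots and the
# constructed sample manifest below are assumptions for illustration.

$SideBySideKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide'

# The value should normally be absent or 0; 1 makes external manifests win.
function Get-PreferExternalManifest {
    $v = (Get-ItemProperty -Path $SideBySideKey -Name PreferExternalManifest `
            -ErrorAction SilentlyContinue).PreferExternalManifest
    [PSCustomObject]@{ Key = $SideBySideKey; Value = $v; Enabled = ($v -eq 1) }
}

# Parse one application manifest and return the dependentAssembly identities it names.
function Get-ManifestDependency {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)
    try { [xml]$doc = Get-Content -LiteralPath $Path -Raw }
    catch { Write-Warning "Unparseable manifest: $Path"; return }
    foreach ($id in @($doc.assembly.dependency.dependentAssembly.assemblyIdentity)) {
        if ($null -eq $id) { continue }
        [PSCustomObject]@{
            Manifest = $Path
            Name     = $id.name
            Version  = $id.version
            Type     = $id.type
            Arch     = $id.processorArchitecture
        }
    }
}

# Enumerate external manifests under the given roots and pair each with its executable.
function Get-ExternalManifest {
    param([string[]]$Root = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:LOCALAPPDATA))
    foreach ($r in $Root) {
        if ([string]::IsNullOrEmpty($r) -or -not (Test-Path -LiteralPath $r)) { continue }
        Get-ChildItem -LiteralPath $r -Recurse -File -Filter '*.exe.manifest' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $exe     = Join-Path $_.DirectoryName $_.BaseName   # foo.exe.manifest -> foo.exe
            $exeItem = Get-Item -LiteralPath $exe -ErrorAction SilentlyContinue
            $exeTime = if ($exeItem) { $exeItem.LastWriteTimeUtc } else { $null }
            $deps    = @(Get-ManifestDependency -Path $_.FullName)
            [PSCustomObject]@{
                Manifest          = $_.FullName
                ManifestWriteTime = $_.LastWriteTimeUtc
                Executable        = $exe
                ExeWriteTime      = $exeTime
                Dependencies      = ($deps | ForEach-Object { "$($_.Name) $($_.Version)" }) -join '; '
            }
        }
    }
}

# Constructed sample (illustrative names): an external manifest that binds the
# application to a private assembly. A private assembly manifest in the same
# folder would then name the DLL that SxS loads into the process.
$sample = @'
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity type="win32" name="Contoso.App" version="1.0.0.0" processorArchitecture="amd64"/>
  <dependency>
    <dependentAssembly>
      <assemblyIdentity type="win32" name="Contoso.Private" version="1.0.0.0" processorArchitecture="amd64"/>
    </dependentAssembly>
  </dependency>
</assembly>
'@
$tmp = Join-Path $env:TEMP 'sample.exe.manifest'
Set-Content -LiteralPath $tmp -Value $sample -Encoding UTF8
Get-ManifestDependency -Path $tmp | Format-Table -AutoSize

# Live audit of this host.
Get-PreferExternalManifest
Get-ExternalManifest | Format-Table -AutoSize
```

An external manifest whose write time is newer than its executable's, on a host where the value is set to 1, is the combination worth looking at; the cited posts explain that a stale activation context cache can hide such a manifest from the loader until the timestamps change, so the reported times are part of the evidence rather than noise.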