Yet another way to hide from Sysinternals’ tools

January 4, 2018 in Anti-*, Anti-Forensics, Autostart (Persistence), Compromise Detection, Forensic Analysis, Incident Response, Malware Analysis

The recipe is simple:

  • Pick one of the environment variables.
  • Name your executable ‘%environment variable%.exe’, with the percent signs kept literally in the file name.
  • Drop it somewhere the system will find it (a directory on the PATH).
  • Point an autostart entry, e.g. a Run key value, at it.

Example:

  • Drop c:\WINDOWS\%USERNAME%.exe

And add:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    “foobar”=”%USERNAME%”

Neither Autoruns nor Process Explorer (in the autostart location column) will locate the file, because both expand environment variables before resolving the path. Worse, they mislead the analyst by displaying a path to an executable that does not exist: if the user’s name is JOHN, the entry above shows up as ‘File not found: john.exe’, and a search for ‘john.exe’ on the system turns up nothing relevant, while the file that actually runs is c:\WINDOWS\%USERNAME%.exe.

Bonus #1:

You can concatenate several environment variables: the file still runs, but the Autoruns entry looks like a display bug. Only inspecting the raw value in the Registry reveals the trick.

Bonus #2:

Less common environment variables produce even more misleading output, e.g. ‘%PROCESSOR_LEVEL%’ resolves to ‘6.exe’. Tracking down a ‘6.exe’ on the system is not going to be easy.

Bonus #3:

Using ‘%ComSpec%’ gives the most intriguing result.

Autoruns resolves it to ‘c:\WINDOWS\System32\cmd.exe’ rather than ‘c:\WINDOWS\%ComSpec%.exe’, and since the resolved binary is a signed native OS executable, the entry is hidden from view altogether unless you untick ‘Hide Windows Entries’ in the Options menu.
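The following check is an added example written for this page, not code from the original post or from Sysinternals. It models the whole technique above (the basic %USERNAME% recipe, the concatenated variables, %PROCESSOR_LEVEL% and the %ComSpec% case) by comparing what an expanding tool such as Autoruns would display against what the unexpanded string resolves to on disk. The environment, PATH, Run key values and on-disk file list are all constructed for the example (the user name JOHN and the entry names ‘concat’, ‘level’, ‘shell’, ‘Notepad’ and ‘OneDrive’ are assumptions); the CreateProcess lookup is simplified to “append .exe when there is no extension, then try each PATH directory in order”.

```python
import re
from pathlib import PureWindowsPath

ENV_TOKEN = re.compile(r"%([^%]+)%")

# Constructed session environment (assumption: user JOHN, default install).
ENV = {
    "USERNAME": "JOHN",
    "PROCESSOR_LEVEL": "6",
    "ComSpec": r"C:\WINDOWS\System32\cmd.exe",
    "SystemRoot": r"C:\WINDOWS",
}
PATH_DIRS = [r"C:\WINDOWS\System32", r"C:\WINDOWS"]

# Constructed Run key contents: the entries from the post plus two ordinary
# ones, so the check is seen to leave legitimate values alone.
RUN_ENTRIES = {
    "foobar": "%USERNAME%",
    "concat": "%USERNAME%%PROCESSOR_LEVEL%",
    "level": "%PROCESSOR_LEVEL%",
    "shell": "%ComSpec%",
    "Notepad": r"%SystemRoot%\System32\notepad.exe",
    "OneDrive": r"C:\Users\JOHN\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
}

# Constructed on-disk state: legitimate binaries plus the dropped files whose
# names contain literal percent signs.
FILES_ON_DISK = {
    r"C:\WINDOWS\System32\cmd.exe",
    r"C:\WINDOWS\System32\notepad.exe",
    r"C:\Users\JOHN\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    r"C:\WINDOWS\%USERNAME%.exe",
    r"C:\WINDOWS\%USERNAME%%PROCESSOR_LEVEL%.exe",
    r"C:\WINDOWS\%PROCESSOR_LEVEL%.exe",
    r"C:\WINDOWS\%ComSpec%.exe",
}
_DISK = {p.lower() for p in FILES_ON_DISK}  # NTFS lookups are case-insensitive


def exists(path):
    """Stand-in for os.path.exists over the constructed file list."""
    return path.lower() in _DISK


def expand(value, env=ENV):
    """Expand %VAR% tokens the way Autoruns does: case-insensitive names,
    unknown tokens left untouched, adjacent tokens expanded independently."""
    lookup = {k.lower(): v for k, v in env.items()}
    return ENV_TOKEN.sub(lambda m: lookup.get(m.group(1).lower(), m.group(0)), value)


def with_default_ext(name):
    """CreateProcess appends .exe when the image name carries no extension."""
    return name if "." in PureWindowsPath(name).name else name + ".exe"


def search_candidates(name, path_dirs=PATH_DIRS):
    """Paths a PATH search tries for NAME: the name itself if absolute,
    otherwise NAME inside each PATH directory in order."""
    name = with_default_ext(name)
    if PureWindowsPath(name).is_absolute():
        return [name]
    return [d.rstrip("\\") + "\\" + name for d in path_dirs]


def classify(value, env=ENV, path_dirs=PATH_DIRS, exists=exists):
    """Compare the expanded view (what the tool shows) with the literal
    lookup (what the loader actually finds) for one Run value."""
    expanded = expand(value, env)
    expanded_hit = next((p for p in search_candidates(expanded, path_dirs) if exists(p)), None)
    literal_hit = next((p for p in search_candidates(value, path_dirs) if exists(p)), None)
    if literal_hit is None:
        verdict = "expands_cleanly"                # no literal %...% file: nothing hidden
    elif expanded_hit is None:
        verdict = "decoy_file_not_found"           # tool shows 'File not found', real file runs
    else:
        verdict = "masquerades_as_signed_binary"   # tool shows a legitimate binary (ComSpec case)
    return {"autoruns_shows": with_default_ext(expanded), "expanded_hit": expanded_hit,
            "literal_hit": literal_hit, "verdict": verdict}


def findings(entries=RUN_ENTRIES):
    """Run the check over every Run value that contains an environment token."""
    return {name: classify(value) for name, value in entries.items()
            if ENV_TOKEN.search(value)}


if __name__ == "__main__":
    for name, f in findings().items():
        print(f"{name:8} shows={f['autoruns_shows']!r:34} really runs={f['literal_hit']!r} -> {f['verdict']}")
```

On a live host, feed `classify` the values read from the Run keys with `winreg`, `os.environ` as the environment, `os.environ["PATH"].split(";")` as the search path and `os.path.exists` as the existence check; a cheaper companion sweep is simply to list every `*.exe` under a PATH directory whose name contains a percent sign, since no legitimate binary is named that way. Record the value type returned by `winreg.QueryValueEx` as well: the trick depends on the literal, unexpanded string reaching CreateProcess, so a value that the shell expands before launch would not behave as the post describes.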
