Beyond good ol’ Run key, Part 85

August 31, 2018 in Anti-Forensics, Autostart (Persistence)

This is a LOLbinish 2-stage persistence trick. One where we add startup items to point to OS  binaries, and – while they will be ignored by many users and security solutions (at least at first glance) – they will be launching the second stage of the persistence mechanism for us…

Many people who use win7-win10 know that the Werfault.exe process is all over the place. It’s a process ‘repairer’ or ‘fixer’ that handles crashes or other unpleasant activities of other processes. It turns out you can launch werfault.exe with a number of specific command line arguments. One of these modes is called ‘reflective debugger’ and is very interesting to us. To launch werfault in this mode we need to provide the following parameters:

  • werfault.exe -pr <somevalue>

And  how does it load the debugger?

By reading:

  • HKLM\Software\Microsoft\Windows\
    Windows Error Reporting\Hangs\ReflectDebugger=
    <path>

and… executing it.

That’s it.

So if we add a Run key like this:

– it will in the end launch our program of choice when the user logs on.

Share this :)

Comments are closed.