
Beyond good ol’ Run key, Part 45

August 26, 2016 in Anti-Forensics, Autostart (Persistence), Compromise Detection, Forensic Analysis, Malware Analysis

RDP was a featured guest in the last two parts of the series. Time for the third visit as there is still something to write about…

Using dedicated addins, one can change the behavior of an RDP session by leveraging a mechanism that Microsoft calls Virtual Channels.

Quoting directly from the web site:

Virtual channels are software extensions that can be used to add functional enhancements to a Remote Desktop Services application. Examples of functional enhancements might include: support for special types of hardware, audio, or other additions to the core functionality provided by the Remote Desktop Services Remote Desktop Protocol (RDP). The RDP protocol provides multiplexed management of multiple virtual channels.

The mechanism is implemented using DLLs and, since it is a legitimate feature, both its implementation and its persistence mechanism are very well documented on the web site.

While the web site describes the HKCU keys only:

  • HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default\Addins
  • HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\connection\Addins

the HKLM works as well (at least for the Default; I have not tested the connection ones cuz it’s Friday 🙂 ).


  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Terminal Server Client\Default\Addins\Malware
    Name  = c:\test\test.dll


Unlike the ClxDllPath value presented in Part 44, the Addins DLLs are not loaded immediately after mstsc.exe is launched, but only after the actual connection with the remote system is established.

Note: If you want to test it, make sure that the DLL you want to load matches the mstsc.exe architecture (32- or 64-bit).


Beyond good ol’ Run key, Part 44

August 19, 2016 in Anti-Forensics, Autostart (Persistence), Compromise Detection, Forensic Analysis, Incident Response

In my previous post I described a persistence mechanism that is triggered when someone is connecting to the infected system via RDP.

This is an interesting way to stay alive, but it would be probably much better if we could apply the same logic not to the server, but to the client.

That is – launch a DLL of our choice anytime someone tries to use mstsc.exe…


Not really.

Did I mention testing?

Yet another artifact that seems to be testing-related is this:

  • HKLM\SOFTWARE\Microsoft\Terminal Server Client
    ClxDllPath=<path to DLL>


Adding this to the Windows 10 Registry will give us the following result: the c:\test\test_client.dll is loaded anytime we start mstsc.exe.

We don’t even need to connect to the real system. Just launching mstsc.exe is enough,
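
The two registry locations described in Part 45 (Addins) and Part 44 (ClxDllPath) can be audited together on a live system. The PowerShell below is an added example, not code from the original posts; the WOW6432Node root and the New-Finding helper are assumptions introduced for illustration.

```powershell
# Added audit example (not from the original posts). Key and value names are
# those named in Parts 44 and 45; the WOW6432Node root is an assumption added
# to cover the registry view a 32-bit mstsc.exe would read.
$roots = @(
    'HKCU:\Software\Microsoft\Terminal Server Client',
    'HKLM:\SOFTWARE\Microsoft\Terminal Server Client',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Terminal Server Client'
)

# Hypothetical helper: describe one registered DLL so it can be triaged.
function New-Finding {
    param([string]$Key, [string]$Value, [string]$Dll)
    $file   = [Environment]::ExpandEnvironmentVariables($Dll)
    $onDisk = Test-Path -LiteralPath $file -PathType Leaf
    [pscustomobject]@{
        Key       = $Key
        Value     = $Value
        Dll       = $Dll
        OnDisk    = $onDisk
        Signature = if ($onDisk) { (Get-AuthenticodeSignature -FilePath $file).Status } else { 'n/a' }
    }
}

$findings = foreach ($root in $roots) {
    if (-not (Test-Path -Path $root)) { continue }
    $tsc = Get-Item -Path $root

    # Part 44: ClxDllPath sits directly under "Terminal Server Client".
    $clx = $tsc.GetValue('ClxDllPath')
    if ($clx) { New-Finding -Key $tsc.Name -Value 'ClxDllPath' -Dll $clx }

    # Part 45: <root>\Default\Addins\<addin> and <root>\<connection>\Addins\<addin>,
    # each addin subkey carrying the DLL path in its "Name" value.
    foreach ($conn in $tsc.GetSubKeyNames()) {
        $addins = $tsc.OpenSubKey("$conn\Addins")
        if (-not $addins) { continue }
        foreach ($addin in $addins.GetSubKeyNames()) {
            $dll = $addins.OpenSubKey($addin).GetValue('Name')
            if ($dll) { New-Finding -Key "$($addins.Name)\$addin" -Value 'Name' -Dll $dll }
        }
    }
}

$findings | Format-Table -AutoSize -Wrap
```

HKCU here is only the hive of the account running the script, so other users' hives need to be checked separately. Legitimate virtual channel addins use the same keys, so every row is a lead to triage rather than a verdict.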