You are browsing the archive for Autostart (Persistence).

Beyond good ol’ Run key, Part 79

June 10, 2018 in Autostart (Persistence), Living off the land, LOLBins

This persistence post targets users of Total Commander (TC).

I love TC and have been using it for many years. Quite frankly… I really can’t imagine working on Windows w/o using this tool, and I really pity anyone who is using Windows Explorer either by choice or by force. The other good alternative to TC is FAR, but its far (unintended pun) less popular, and definitely not present in the corporate environment as much as TC…

Anyway…

Being so popular makes TC an obvious target and since it has such a rich functionality it’s very easy to abuse these features to stay on the system persistently.

There are many ways to do it… I doubt I can cover all of them, but let’s jot down some notes:

  • The system of plug-ins is an easy target, so I will skip its description as it’s boring (okay, you just drop a DLL into TC’s plug-in directory and ensure it’s registered to handle some filetypes, of viewer, etc.). These are officially supported plug-in types:
    • Packer Plug-ins
    • File-system Plug-ins
    • Lister Plug-ins
    • Content Plug-ins
    • (note that existing plugins can be swapped, or be a subject to side-loading issues, etc.)
  • Not many people know about it, but the TC accepts command line arguments, including:
    • /i=name.ini – a different location of wincmd.ini file; a changed .ini file may include some extras
    • /INSTALLDRIVERQ- installs ‘cglptnt’ service pointing to C:\WINDOWS\system32\DRIVERS\cglptnt.sys that is copied there by TC – this file could be swapped
  • The next one is one that I kinda like as an idea as it’s quite subtle
    • TC offers a really cool functionality that allows you to quickly ‘jump to the directory’ from the menu
    • The function is activated by the CTRL+D keyboard shortcut
    • The actual ‘jump’ is implemented via a ‘cd’ command, so every new directory added to the menu will have a Command set to ‘cd <directory’:
    • You can change this ‘cd’ command to e.g. c:\windows\system32\calc.exe
    • Next time someone attempts to change the directory to Windows, the calculator will be spawn:
    • The caveat is that the directory itself is not changed in such case – I guess malware could send that sequence of keys to TC to force the directory change or simply modify the entry back to its original content and user would be none the wiser – the command would work the second time they try; since it’s not a typical persistence (it only works when the menu is used), it could be used as a ‘backup’
  • The TC can handle some UAC kinda graciously
    • For example, if you want to enter c:\Windows\CSC directory, you will get this message box:
    • Hitting ‘As Administrator’ will engage Tcmadmin.exe program that is located in the TC program directory; swapping this program with your own will make TC launch your own program anytime it handles UAC business

There are probably many other ways… and as a side note, since TC includes a native client for (S)FTP, it can be used to download/upload stuff as well…

So, in a way, TC is an ultimate… LOLBIN.

There you have it… but want to emphasize one thing – this post is not to scaremonger  you – TC is awesome and consider purchasing it, and… keeping an eye on its config files…

Beyond good ol’ Run key, Part 78

May 28, 2018 in Anti-*, Autostart (Persistence)

Here’s a quick persistence mechanism for you: we all know that you can change the HKCR settings for file extensions to introduce a malicious proxy executable that can then launch the appropriate file. Changes to HKCR’s .exe, .txt, handlers are as old as Windows malware itself.

It turns out that you can apply the same trick to folders, and you can do so with an extra twist. To do so, just add these Registry entries:

  • HKCR\Folder\shell\(default)=test
  • HKCR\Folder\shell\test\command
    @=”notepad.exe”

And from now on, anytime you open any folder in Windows Explorer the notepad.exe will launch. And for the twist –  note that we are introducing a new ‘verb’ called ‘test’ for Shell and not modifying the ‘open’ command; spotting this may be much harder as you need the security solution to read what the default verb is first, then read its settings from the Registry. You can leverage this trick to modify shell’s behavior for any file type.

Obviously, such changes may ruin the user’s folder browsing experience, but Notepad is now a folder parasite and is here to stay…

If you wanted to be a bit more sneaky, and apply it to specific folders only, e.g. Recycle Bin, you just need to add (in this case we modify the ‘open’ verb settings, for simplicity):

HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command
@=”c:\\windows\\system32\\calc.exe”

Where the 645FF040-5081-101B-9F08-00AA002F954E CLSID refers to Recycle Bin folder. Same goes for other special folders (as long as they are supported on your Windows version – win8/10 changes a lot here as they introduce that awful AOLish Start Menu).