
Beyond good ol’ Run key, Part 124

March 4, 2020 in Anti-Forensics, Autostart (Persistence)

Most persistence tricks rely on a modification of the Registry, adding files, dropping phantom DLLs, lolbins, etc. Today (for a change), I will describe a trick that is a) a close relative of Office macros and b) introduces yet another file format that a security product may need to learn to scan.

The target is Ultraedit – pretty much my favorite editor.

It supports a lot of different mechanisms that could be used for persistence and trickery, but I will describe only one which meets the criteria I specified above.

The editor supports macros, which can be easily edited using a dedicated Macro panel. While the commands are primarily editing-related, there is one command that is interesting to us: RunTool:

The macro on the screenshot is called ‘foo’ and runs a tool called ‘notepad’. What is the ‘notepad’ tool, you may ask? It is actually not the Windows Notepad, but a reference to a task one can set up in the UE Tool Configuration panel:

Not surprisingly, I set it up to actually execute c:\windows\system32\notepad.exe.

Okay, now we have a macro that runs our task called ‘notepad’ and that task in turn runs the actual Windows Notepad.

We can save our macro to a .mac file, which uses a proprietary format:

And now we are ready for a final piece of a puzzle…

UE allows us to automatically set macros to run during startup (via command line):

as well as on file load and save events (works in the GUI):

With all that in place… Notepad will be running a lot… perhaps as a celebration of these events.

Feels like Office macros – tick. Proprietary file format – tock.

Beyond good ol’ Run key, Part 123

November 18, 2019 in Anti-Forensics, Autostart (Persistence)

Yet another quick post. This time it is about a subset of libraries (and possibly programs, but I only saw the libraries) that reference Intel® VTune™ Amplifier.

As explained in the linked article, one can define the following environment variables to ensure the ITT libraries are loaded during the program's run-time:

  • INTEL_LIBITTNOTIFY32=<DLL>
  • INTEL_LIBITTNOTIFY64=<DLL>

It’s probably a poor choice for a potential persistence mechanism. I only saw these referenced by tbbmalloc.dll, but there may be more programs/libraries. Even Mozilla seems to be using it in some of its builds.