
Beyond good ol’ Run key, Part 70

December 30, 2017 in Anti-*, Anti-Forensics, Archaeology, Autostart (Persistence), Forensic Analysis, Incident Response, Malware Analysis

Back in the early 2000s, shell extensions and desktop enhancers were very popular. Some of these ideas survive to this day, and even now one can either use the pre-installed deskbands or install new ones on the system.

There are many coders who have already done a great job explaining what desk bands are and how to implement them, so instead of pretending that I know what I am talking about, I will just suggest that you read this great article ‘Shell Extensibility – Explorer Desk Band, Tray Notification Icon et al.’ by Alex Blekhman. When you run the Calendar.exe that is attached to the article, you will have an option to make the calendar appear as a deskband.

Interestingly enough, as far as I can tell Autoruns still doesn’t detect them.

To find out where the information about deskbands and other Explorer extension bars is stored in the Registry, you can read this article.

If you are in a hurry, you just need to enumerate the Registry and look for all CLSIDs that have an Implemented Categories\ key with one of the following deskband identifiers set:

DeskBand
{00021492-0000-0000-C000-000000000046}

VerticalBand 
{00021493-0000-0000-C000-000000000046}

HorizontalBand 
{00021494-0000-0000-C000-000000000046}

e.g.:

HKLM\SOFTWARE\Classes\CLSID\...\
Implemented Categories\{00021492-0000-0000-C000-000000000046}

Additionally, it may be worth checking the following key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Discardable\PostSetup\Component Categories\...\Enum

This is where Explorer stores cached information about explorer bar objects.
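
An added example (not code from the original post): the enumeration described above, run offline against the text of a `.reg` export of a `Classes\CLSID` key instead of the live Registry. The CLSIDs, names and DLL path in the sample are constructed, and reporting the `InprocServer32` default value alongside each hit is an assumption about what an analyst wants to see next.

```python
import re

# Band category IDs listed in the post.
BAND_CATIDS = {
    "{00021492-0000-0000-C000-000000000046}": "DeskBand",
    "{00021493-0000-0000-C000-000000000046}": "VerticalBand",
    "{00021494-0000-0000-C000-000000000046}": "HorizontalBand",
}
CLSID_RE = re.compile(
    r"^\[.*?\\CLSID\\(\{[0-9A-F-]{36}\})(?:\\(.+))?\]\s*$", re.IGNORECASE)
DEFAULT_RE = re.compile(r'^@="(.*)"\s*$')

def find_bands(reg_text):
    """Map CLSID -> name, server and band categories from .reg export text."""
    objs, clsid, sub = {}, None, ""
    for line in reg_text.splitlines():
        if line.startswith("["):
            m = CLSID_RE.match(line)
            clsid = m.group(1).upper() if m else None
            sub = (m.group(2) or "").lower() if m else ""
            if clsid:
                objs.setdefault(clsid, {"name": None, "server": None, "categories": []})
            parent, _, catid = sub.partition("\\")
            if parent == "implemented categories" and catid.upper() in BAND_CATIDS:
                objs[clsid]["categories"].append(BAND_CATIDS[catid.upper()])
            continue
        d = DEFAULT_RE.match(line)
        if d and clsid and sub in ("", "inprocserver32"):
            # Undo .reg escaping; REG_EXPAND_SZ (hex(2):) defaults are not decoded.
            value = re.sub(r"\\(.)", r"\1", d.group(1))
            objs[clsid]["server" if sub else "name"] = value
    return {c: o for c, o in objs.items() if o["categories"]}

# Constructed sample export: one deskband registration, one unrelated object.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}]
@="Constructed Calendar Band"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Users\\Public\\band.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]
@="Constructed unrelated object"
"""
if __name__ == "__main__":
    print(find_bands(SAMPLE))
```

Files written by `reg export` are UTF-16, so read them with `open(path, encoding="utf-16")` before passing the text to `find_bands`.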

Beyond good ol’ Run key, Part 69

December 29, 2017 in Anti-*, Anti-Forensics, Autostart (Persistence), Forensic Analysis, Incident Response, Malware Analysis

This is just a quick post to highlight the possibility of abusing yet another configuration setting for persistence. There is not really a lot of trickery at work – it’s actually a legitimate feature, documented by Microsoft, which allows changing the way executable manifests are loaded.

By changing the registry key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide
"PreferExternalManifest"=dword:00000001

– the system will start using an external .manifest file for an executable, if such a .manifest file exists. Modifying such an external .manifest allows a malicious component to be loaded (DLL side-loading via Side by Side /SxS/).

While googling around about this setting I came across these posts that highlight issues that you may come across when this setting is changed and the Windows SxS Activation Context Cache is not refreshed (the settings and external manifest will be ignored until you force the cache refresh by manipulating the timestamps):