You are browsing the archive for Autostart (Persistence).

Beyond good ol’ Run key, Part 111

July 13, 2019 in Anti-Forensics, Autostart (Persistence)

I came across this entry by a pure chance. I was testing some software (sorry, can’t reveal which one) and noticed that at some stage it tried to read the following WOW6432Node entry from the Registry:


Of course, anytime I see something like this I immediately test it as it is an opportunity to document yet another persistence mechanism. My quick test confirmed we can modify this value to load our DLL of choice when the aforementioned software starts.

Now… this entry is not software-specific. In fact, the tested software does talk to the databases a lot. And after a quick googling exercise I discovered why I saw this artifact in my logs – the key is documented and is used for ADO.NET Tracing.

Of course, it works in a non-WOW set up too:


So you can either do the tracing, or load a badness. Your choice.

Beyond good ol’ Run key, Part 110

July 13, 2019 in Anti-Forensics, Autostart (Persistence)

This is rather short post and it refers to a qt.conf file. If you can find such a file on a system it can be often modified to affect the settings of a Qt framework that is used by some application installed on your system. You may find many occurrences of this file in the environment. Not all the programs respect these settings though.

The change could be redirecting Qt framework to load plugins from a different directory than expected, etc. See the first link that explains the settings stored inside the file.

There are tones of applications leveraging Qt and actually more and more are Enterprise solutions so it’s a kinda unexpected, but still decent persistence mechanism and due to unpredictability of the qt.conf file file location – kinda stealthy.

How to do ‘the bad’ stuff?

This simple config will load plugins from a c:\test path:


Obviously, real plugins need to be loaded as well so it’s a bit like a path companion type of persistence that needs some housekeeping to make it work.