You are browsing the archive for Forensic Analysis.

Beyond good ol’ Run key, Part 51

November 24, 2016 in Anti-Forensics, Autostart (Persistence), Compromise Detection, Forensic Analysis, Incident Response, Malware Analysis

There is a number of persistence mechanisms related to Office that I have already discussed in the past, but the most obvious one – one that is actually documented – has not been covered in my posts yet. I am fixing it now 😉

When Word starts, it looks for the items inside the STARTUP folder that it can load. The older version of Office would look for files with the following extensions: .lnk, .wll (Word Add-in DLLs), or .dot  f.ex.:

  • c:\Program Files\Microsoft Office\<version>\STARTUP\*.dot
  • c:\Program Files\Microsoft Office\<version>\STARTUP\*.lnk
  • c:\Program Files\Microsoft Office\<version>\STARTUP\*.wll

Newer versions look for additional files *.dotm and *.dotx.

The location above is a STARTUP folder common for all users (and it’s a WORD STARTUP persistence location #1).

The user-specific folder is located… well, this is where it gets interesting 🙂

So… Winword tries to find the following registry key:

  • HKCU\Software\Microsoft\Office\<version>\Word\Options\STARTUP-PATH


  • HKCU\Software\Microsoft\Office\15.0\Word\Options\STARTUP-PATH

If exists, it will read its value and treat it as a user-specific STARTUP folder. if we change it to our own, we can abuse it (WORD STARTUP persistence location #2):


Otherwise… if it doesn’t exist, Word will read another Registry entry:

  • HKCU\Software\Microsoft\Office\<version>\Common\General\Startup

The default value is ‘STARTUP’, but we can change it to anything we want.

So, if the value is ‘Common\General\Startup’ default and equal ‘STARTUP’, the path will be:

  • %APPDATA%\Microsoft\Word\STARTUP (WORD STARTUP persistence #3a)

But if we change it to f.ex. TEMP, the location will be

  • %APPDATA%\Microsoft\Word\TEMP (WORD STARTUP persistence #3b)

We can try to wrap it up as follows (Word/Office 15.0):

  • c:\Program Files\Microsoft Office\Office15\STARTUP
  • %APPDATA%\Microsoft\Word\STARTUP

    • HKCU\Software\Microsoft\Office\Office15\Common\General\Startup = FOOBAR
    • %APPDATA%\Microsoft\Word\FOOBAR

Excel behaves in a similar way, except the paths and keys are (for Office 15.0):

  • C:\Program Files\Microsoft Office\Office15\XLSTART
  • %APPDATA%\Microsoft\Excel\XLSTART

    • HKCU\Software\Microsoft\Office\Office15\Common\General\Xlstart = FOOBAR
    • %APPDATA%\Microsoft\Excel\FOOBAR

Here are the Word and Excel options that dictate what are the actual user-specific %APPDATA% startup folders for both programs:


That’s all!

Beyond good ol’ Run key, Part 50

November 8, 2016 in Anti-Forensics, Autostart (Persistence), Compromise Detection, Forensic Analysis, Incident Response

Windows 10 has more phantom DLL files…

(Re)starting the Print Spooler or Fax services leads to C:\Windows\System32\ualapi.dll being loaded.


ualapi1Except it is not always present – as far as I can tell it is only present on Windows server 2012 (can someone confirm it?) as it is responsible for providing User Access Logging (UAL) functionality.

So, placing a malicious C:\Windows\System32\ualapi.dll on Windows 10 will lead to its execution anytime system starts (nowadays Print Spooler is started most of the time).

Of course, writing to c:\windows\system32 requires admin rights.