Beyond good ol’ Run key, Part 66

October 5, 2017 in Anti-*, Autostart (Persistence), Compromise Detection, Forensic Analysis

I discussed Winsock-based persistence in the past.

There is one more.

It is a bit unusual, as it has to do with automatic proxy configuration, so it’s a bit tricky to reproduce. I have honestly not made an attempt to fully understand the logic winsock uses to determine how to find the proxy, plus it’s pretty late and I only discovered it now so maybe some other time…

For the purpose of this post, one thing that is interesting is this key:

  • HKCR\AutoProxyTypes

The two standard entries underneath are:

  • Application/x-internet-signup
  • Application/x-ns-proxy-autoconfig

It turns out you can add your own e.g.:

Winsock will enumerate the AutoProxyTypes key children nodes while trying to find the proxy and will load DLLs located underneath.

I had luck reproducing it on Windows 7 while tinkering with the Internet Options/Lan Settings (enabling/disabling it), but could not make it work on Windows 10. I may come back to do some more testing later on, but for now this screenshot should suffice:

Running programs via Proxy & jumping on a EDR-bypass trampoline, Part 2

October 4, 2017 in Anti-*, EDR, Incident Response


After my post Zod contacted me with this mike-dropping link: Ultimate AppLocker ByPass List. Really lots of good stuff there! Thx Zod!

Old Post

In the first part I listed a couple of examples of programs that may be used as a proxy to launch other programs. In the meantime, subTee kicked off a very interesting thread on Twitter listing a number of signed .exe binaries that can be used as a proxy to load a DLL. Yesterday I came across a few cool posts by @0rbz_. This in return reminded me of my first post and I decided to add a few more proxy/living off the land ideas.

There is a number of signed .exe that can be used to load other .exes or .dlls and as a result – break standard EDR detection rules, or bypass some whitelisting. This may sometimes involve copying the signed binary to your folder in order to sideload your DLL (PlugX is a very good example, funnily enough – in many cases they don’t even need to bring a signed .exe and fetch one that is typically present on the system).

Here is the list:

  • AppVLP.exe – to launch .exe
    • From this Tweet by @0rbz_
    • Just run C:\Program Files\Microsoft Office\root\client\AppVLP.exe <exename>
  • pcalua.exe
    • From this Tweet by @0rbz_ and mentioned on this forum
    • Just run C:\windows\system32\pcalua.exe -a <exename>
  • odbcconf.exe – to load .dll
  • odbcad32.exe – to load .dll via GUI
    • drop c:\windows\system32\<dllfile>
    • run odbcad32.exe
    • go to Tracing Tab
    • choose Custom Trace DLL
    • hit Start Tracing Now
  • WinMail.exe – to load .dll
    • copy c:\Program Files\Windows Mail\WinMail.exe to your folder
    • name your DLL ‘msoe.dll’
    • launch one of these
      • WinMail.exe /identcatalog
      • WinMail.exe /identfileslist:foo
      • WinMail.exe /identfile:foo
  • xwizard.exe – to load .dll
    • From my previous post
    • copy c:\WINDOWS\system32\xwizard.exe to your folder
    • name your DLL ‘xwizards.dll’
    • run xwizard.exe with at least two arguments
  • java.exe – to load .dll
    • From my previous post
    • run java -agentlib:<dllname>
    • run java -agentpath:<dllname_with_dll_extension>
  • any other phantom / sideloaded dlls – to load .dll

If you know of any other tricks like this, please let me know. Thanks!

p.s. as I was about to post it, Huntress Labs just published yet another cool technique using WseClientSvc.exe passthru.exe calc.exe!