Beyond good ol’ Run key, Part 92

October 11, 2018 in Anti-Forensics, Autostart (Persistence)

This is an old one, but I realized I have never covered it: Winlogon GP Extensions.

The key is located here:

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{GUID}\DllName=<DLL>

Again, it’s an oldie and it’s supported by many startup enumeration programs, including e.g. Autoruns. Some web sites list a number of known extensions, e.g. here.


Beyond good ol’ Run key, Part 91

October 10, 2018 in Anti-Forensics, Autostart (Persistence), LOLBins

This is a mixed persistence trick/LOLBIN.

There is a program in the Windows system directory that is very rarely used: dmcfghost.exe. As far as I can tell it has something to do with the OMA Client Provisioning (CP) protocol (the internal name of the program states: ‘Host Process for Push Router Client of OMA-CP’).

When you run it, if everything goes as planned (I don’t understand the logic inside the program, but it looks like running it on Windows 10 always returns success internally), it will load a DLL from the following registry entry:

  • HKLM\SOFTWARE\Microsoft\PushRouter\Test\TestDllPath2=<DLL>

So, adding e.g. a Run key pointing to dmcfghost.exe will ensure that this binary is launched every time a user logs on, and the ‘test’ DLL will load as well.
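An audit script, added here and not part of either post, that enumerates both locations described above (the DllName values under Winlogon\GPExtensions and the PushRouter TestDllPath2 value) and flags entries that are missing, outside %SystemRoot%, or not validly signed; it assumes it is run elevated on the host being checked.

```powershell
# Added audit script (not from the original posts). Lists the DLLs registered under the two
# locations described above and flags anything missing, outside %SystemRoot%, or unsigned.

$checks = @()

# Winlogon GP Extensions: one {GUID} subkey per extension, DllName holds the DLL.
$gpe = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'
Get-ChildItem -Path $gpe -ErrorAction SilentlyContinue | ForEach-Object {
    $dll = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).DllName
    if ($dll) { $checks += [pscustomobject]@{ Source = "GPExtensions\$($_.PSChildName)"; Dll = $dll } }
}

# PushRouter test hook loaded by dmcfghost.exe (the key is normally absent).
$pr = 'HKLM:\SOFTWARE\Microsoft\PushRouter\Test'
$dll = (Get-ItemProperty -Path $pr -ErrorAction SilentlyContinue).TestDllPath2
if ($dll) { $checks += [pscustomobject]@{ Source = 'PushRouter\Test\TestDllPath2'; Dll = $dll } }

foreach ($c in $checks) {
    # Bare file names (e.g. "gpprefcl.dll") are loaded from System32; expand env vars otherwise.
    $path = [Environment]::ExpandEnvironmentVariables($c.Dll)
    if (-not [IO.Path]::IsPathRooted($path)) { $path = Join-Path "$env:SystemRoot\System32" $path }

    $flags = @()
    if (-not (Test-Path -LiteralPath $path)) {
        $flags += 'MISSING'   # dangling entry: worth investigating why it was registered
    } else {
        if ($path -notlike "$env:SystemRoot\*") { $flags += 'OUTSIDE-SYSTEMROOT' }
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') { $flags += "SIG:$($sig.Status)" }
    }
    [pscustomobject]@{
        Source = $c.Source
        Path   = $path
        Flags  = if ($flags) { $flags -join ',' } else { 'ok' }
    }
}
```

On a clean system every GPExtensions row should resolve to a Microsoft-signed DLL under System32 and the PushRouter row should not appear at all; anything else is a candidate for a closer look.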