Beyond good ol’ Run key, Part 121

October 24, 2019 in Anti-Forensics, Autostart (Persistence)

This is a very convoluted way of creating a persistence mechanism, but it’s worth describing.

The SPReview.exe I covered previously has two interesting options: /WuExecuted and /WusaExecuted. When it is executed with either of these as an argument it does a lot of stuff, but the part that matters most from our perspective is this bit:

  • It reads the value of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Pending\SPReviewEnabler=<file>
  • It copies that value to HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\SPReview=<file>
  • It then deletes the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Pending\SPReviewEnabler entry

So… as long as you set up the SPReviewEnabler value and run SPReview.exe with one of the Wu* options, your chosen file will be executed once, the very next time the current user logs on. The cycle can then be repeated to establish permanent persistence…
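From the defender's side, the mechanism leaves two registry footprints: the staged SPReviewEnabler value under Setup\Pending and the SPReview value under RunOnce. The script below is an added example, not code from the original post; the registry paths and value names come from the post, while the reporting logic and the loop over every loaded hive under HKEY_USERS (so other logged-on users' RunOnce keys are covered, not only HKCU) are my own.

```powershell
# Added example (not from the original post): audit the two locations the
# post describes. Run from an elevated PowerShell prompt to read all hives.

# 1. The staging value that SPReview.exe reads and then deletes.
$pendingPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Pending'
$pending = Get-ItemProperty -Path $pendingPath -Name 'SPReviewEnabler' -ErrorAction SilentlyContinue
if ($pending) {
    Write-Output "[!] Staged SPReviewEnabler -> $($pending.SPReviewEnabler)"
} else {
    Write-Output "[ok] No SPReviewEnabler value under Setup\Pending"
}

# 2. The RunOnce\SPReview value it writes. The post describes HKCU; walking
#    HKEY_USERS checks the same relative path in every currently loaded hive.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$found = $false
Get-ChildItem -Path 'HKU:\' | Where-Object { $_.PSChildName -notlike '*_Classes' } | ForEach-Object {
    $runOnce = "HKU:\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\RunOnce"
    $entry = Get-ItemProperty -Path $runOnce -Name 'SPReview' -ErrorAction SilentlyContinue
    if ($entry) {
        $found = $true
        $target = $entry.SPReview
        # Isolate the executable path (quoted or first token) to inspect its signature.
        $exe = if ($target -match '^"([^"]+)"') { $Matches[1] } else { ($target -split '\s+')[0] }
        $sig = if (Test-Path -LiteralPath $exe) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'file-missing' }
        Write-Output "[!] $($_.PSChildName): RunOnce\SPReview -> $target (signature: $sig)"
    }
}
if (-not $found) { Write-Output "[ok] No RunOnce\SPReview value in any loaded user hive" }
```

A legitimate servicing run can also leave a RunOnce\SPReview entry, so treat a hit as a lead: confirm that the referenced file is a signed Microsoft binary and that a service-pack or update review actually took place.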
