You are browsing the archive for Autostart (Persistence).

Beyond good ol’ Run key, Part 125

July 30, 2020 in Autostart (Persistence), Living off the land, LOLBins

Update

Turns out @0gtweet posted about it in January and I missed that!!!

Old Post

Been awhile since I posted in this series, so here comes a new trick.

It is not your typical executable for sure, change.exe that is. When I looked at it for the first time I was perplexed — within first few lines of code it literally executes other executables. Must be something good I thought, and good it was indeed.

When launched, change.exe does something very strange – it enumerates Registry entries under this location:

  • HKLM\System\CurrentControlSet\Control\Terminal Server\Utilities\change

These entries are … interesting, because they look like some stringified flags followed by executable names. Possible abuse opportunity?

When you run ‘change /?’ you get the following help information:

CHANGE { LOGON | PORT | USER }

Do you see the pattern? — no? look at these Registry entries again.

In my first attempt I added ‘foo|0 1 NOTEPAD notepad.exe’:

I then ran ‘change notepad’ and … notepad executed.

Now, if you paid attention there are other registry keys listed on the first screenshot:

change -> change.exe 
query -> query.exe 
reset -> reset.exe

They all follow the same pattern and fetch command list from Registry!

So you can either add a new entry, or modify an existing one. Access rights are in place and the key is owned by TrustedInstaller, but… well… once on the box, always on the box.

Last, but not least – it’s a persistence mechanism and a LOLBIN in one.

Flash Player & Background updates from an internal server via mms.cfg

May 13, 2020 in Autostart (Persistence), Forensic Analysis, Living off the land, LOLBins, Random ideas

This is just a note to reference what I posted on Twitter earlier today.

According to Flash Player Admin Guide (‘Background updates from an internal server’ section), you can create a mms.cfg file with the following content:

AutoUpdateDisable=0 
SilentAutoUpdateEnable=1
SilentAutoUpdateServerDomain=<your serv>

Once installed, Flash will be updating from the server provided in the config. It could be a lolbin/persistence/covert channel opportunity. I have not tested it. Also, note that Flash is dying, so this is probably not that important.

In any case though, if you spot mmc.cfg file you may want to inspect it. Procmon tells me that these are possible locations:

  • C:\Windows\System32\mms.cfg
  • C:\Windows\SysWOW64\mms.cfg
  • C:\Windows\SysWOW64\Macromed\Flash\mms.cfg