Beyond good ol’ Run key, Part 134

This one is for historical reasons, primarily.

Old Adobe Photoshop/ImageReady used to have a feature called “Jump to”, which is neatly described here.

The feature was implemented via a simple directory structure located here:

  • c:\Program Files\Adobe\Adobe Photoshop CS2\Helpers

and its 2 subdirectories:

  • Jump To Graphics Editor
  • Jump To HTML Editor

Dropping your own LNK, EXE or any other executable file inside these subdirectories lets you extend the menu, or… replace the existing LNK file. That amounts to a lame persistence mechanism, e.g. as shown in the picture below:

Debug Environment Variables are \o/

Looking at the list of debug environment variables one can immediately spot a lot of room for abuse.

One can hypothesize that setting e.g. _NT_SYMBOL_PATH, _NT_ALT_SYMBOL_PATH, _NT_SYMBOL_PROXY or SRCSRV_INI_FILE to point to a malicious server will ensure that the next time the OS or any application tries to reach out to a symbol server, it will actually contact the malicious server first. It could be a nice semi-covert channel for communicating with C2. More so if executed via a proxy, i.e. via existing software (ideally OS or developer components) such as Windows Error Reporting (WerFault.exe), debuggers (windbg, cdb), Sysinternals tools (ProcMon), other reversing tools (IDA), etc.: the fact that it’s the good guys calling out may help to hide the activity from the prying eyes of EDR/AV.

Other ideas revolve around abusing paths, e.g. _NT_DEBUGGER_EXTENSION_PATH and WINDBG_INVOKE_EDITOR, using them both as a persistence method and/or for LOLBIN purposes.

In my tests, not all tools obey these environment variables, so YMMV.
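As an added defender-side check (not code from the original post), here is a small audit of the debug environment variables discussed above: it pulls the symbol-server hosts out of _NT_SYMBOL_PATH-style values and compares them against an allowlist, checks _NT_SYMBOL_PROXY the same way, and flags SRCSRV_INI_FILE, _NT_DEBUGGER_EXTENSION_PATH and WINDBG_INVOKE_EDITOR entries that point at a network share or a user-writable folder. The allowlist hosts, the sample environment and the function names are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Debug-related environment variables named in the post, grouped by value type.
URL_VARS = ("_NT_SYMBOL_PATH", "_NT_ALT_SYMBOL_PATH")
PATH_VARS = ("SRCSRV_INI_FILE", "_NT_DEBUGGER_EXTENSION_PATH", "WINDBG_INVOKE_EDITOR")
# Assumed allowlist of hosts this environment expects symbol traffic to reach.
TRUSTED_HOSTS = {"msdl.microsoft.com", "symbols.corp.example", "proxy.corp.example"}

def symbol_path_hosts(value):
    """Return every http(s) host in a _NT_SYMBOL_PATH-style value.

    Elements are ';'-separated; server elements look like srv*<cache>*<url>
    or symsrv*symsrv.dll*<cache>*<url>, so the URL may sit in any '*' field."""
    hosts = []
    for element in value.split(";"):
        for field in element.split("*"):
            if re.match(r"https?://", field.strip(), re.IGNORECASE):
                host = urlparse(field.strip()).hostname
                if host:
                    hosts.append(host.lower())
    return hosts

def audit_debug_env(env, trusted_hosts=TRUSTED_HOSTS):
    """Return (variable, reason) findings for settings that deserve a closer look."""
    findings = []
    for name in URL_VARS:
        for host in symbol_path_hosts(env.get(name, "")):
            if host not in trusted_hosts:
                findings.append((name, f"symbol server host not allowlisted: {host}"))
    proxy = env.get("_NT_SYMBOL_PROXY", "")  # value is host[:port], not a URL
    if proxy and proxy.rsplit(":", 1)[0].lower() not in trusted_hosts:
        findings.append(("_NT_SYMBOL_PROXY", f"proxy not allowlisted: {proxy}"))
    for name in PATH_VARS:
        for element in filter(None, env.get(name, "").split(";")):
            if element.startswith("\\\\"):  # UNC path: code loaded from a network share
                findings.append((name, f"points at a network share: {element}"))
            elif re.search(r"\\(Temp|Downloads)\\", element, re.IGNORECASE):
                findings.append((name, f"points at a user-writable location: {element}"))
    return findings

# Constructed sample environment for the demonstration, not taken from a real host.
SAMPLE_ENV = {
    "_NT_SYMBOL_PATH": "srv*C:\\Symbols*https://msdl.microsoft.com/download/symbols;"
                       "srv*C:\\Symbols*http://symbols.unknown-vendor.example/",
    "_NT_SYMBOL_PROXY": "proxy.corp.example:8080",
    "_NT_DEBUGGER_EXTENSION_PATH": "C:\\Program Files\\Debuggers\\winext;\\\\fileserver\\share\\ext",
    "WINDBG_INVOKE_EDITOR": "C:\\Users\\bob\\Downloads\\editor.exe -g %l %f",
}
```

On a Windows host, `audit_debug_env(os.environ)` checks the live process environment; the constructed sample above yields three findings (an unknown symbol server, an extension path on a share, and an editor in Downloads).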