Category Archives: Autostart (Persistence)

Beyond good ol’ Run key, Part 89

Posted on by

What would be Windows without all these hidden, test, debugging features?

I loathe Windows 10 for many reasons and so far do not plan installing it on my computer, but I do welcome all its updates and changes as they provide a fertile soil for research of any sort. New persistence tricks are of course pretty high on my list and I especially welcome these ones that ‘break’ something new.

Such is the case of the persistence trick I am going to cover today: persistence within Metro Apps.

Despite the Metro Apps no longer being plain vanilla PE files they still need to be loaded.

The task of loading them is delegated to WWAhost.exe that launches respective Metro App when we click the app’s icon. For instance, loading and launching Netflix App that you install from the Microsoft Store leads to the following process being created:

  • “C:\WINDOWS\system32\wwahost.exe” -ServerName:Netflix.App.wwa

and the current directory of the app is set to:

  • C:\Program Files\WindowsApps\4DF9E0F8.Netflix_6.81.325.0_x86__mcm4njqhnhss8\

I am not that familiar with Metro App internals yet, so I got curious about their loading process and started poking around this particular host process. I quickly discovered that it leverages the good old IFEO key and tests for a presence of an entry called ‘WWAInject’.

Ah, how nice…  seeing IFEO and ‘inject’ in the same sentence (a.k.a. one Procmon log row) can only lead to one conclusion: this is probably a new persistence trick!

So…

I added:

  • HKLM\SOFTWARE\Microsoft\Windows NT\
    CurrentVersion\Image File Execution Options\
    wwahost.exe\WWAInject=<DLL>

and pointed it to my test DLL.

Then I launched the test Metro App… and… nothing.

Not only it didn’t launch properly, it actually crashed.

Hmm…

Looking at the Procmon logs I discovered that the Access denied was reported for my DLL when the application was loaded. The fact it was accessed was a good sign. The fact it didn’t load… a bit of a disappointment. It then hit me. Metro App are sandboxed and use various mechanisms to restrict access of the protected apps to the local system.

After checking the OS libraries’ rights that are obviously loaded by the wwahost.exe without any problem I noticed that on a file system level they grant access to the following entities:

  • APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX)
  • APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX)

I cheated and used icacls with its /save and /restore options to copy the OS library rights to my DLL:

  • icacls C:\Windows\System32\rpcss.dll /save c:\test\foo

and then (after editing the name of the DLL) inside the ‘foo’ file to test.dll:

  • icacls C:\test\ /restore c:\test\foo

Now the DLL file has all the rights identical with C:\Windows\System32\rpcss.dll and can be loaded via the WWAInject entry with no problem. No more crashes, and the DLL does whatever I want it to.

Lateral Movement and Persistence: tactics vs techniques

Posted on by

Now that Mitre Att&ck is present pretty much in every single preso related to threat hunting & sales pitch of many vendors it is going to be pretty interesting to see what the future holds for it. I personally like the framework, and I believe in the benefits of its adoption. Despite all this I do remain skeptical (I did talk about its potential limitations in the past – some points I listed there no longer stand), but at the moment I don’t know any better way of structured approach for developing a foundation of any threat hunting program.

In this post I am not going to talk about the framework per se, or even threat hunting, or alert fatigue, but about… tactics.

Why?

We are so focused on techniques that we often forget to take a step back and look at the big picture. Yup, you are reading it right, we are going a bit ‘holistic’ here and the focus is the relationship between tactics and techniques 😉

The two tactics I mentioned in the title: lateral movement and persistence, draw my attention for two reasons:

  • I have extensively researched many persistence mechanisms on Windows and am pretty confident that there is at least 2, if not 5 times more of these than we know about
  • Lateral Movement is in my opinion heavily ‘under-researched’

The first point is easy. The second one – probably less.

I think there is a perception (and this may be just my biased opinion) that to run code on remote systems one has to use some sort of magic unicorn trick – known tricks include: remote service (psexec), WMI, DCOM, WSHRemote, phishing, drive-by/good old exploits, etc..

The truth is that with the proper creds and remote access to the file system/Registry the number of Lateral movement techniques becomes almost instantly a superset of all known unicorn tricks + many persistence techniques that are well-known and available (probably 100+ on Windows at the moment of writing). If you can modify Registry, a file (e.g. viral, or change the config), or add new file in a specific location then …. you can move laterally, except in some cases it will take a bit longer. For instance, one could add desktop shortcuts, .local files, .manifest files, phantom DLLs, plug-ins, etc., or modify one of many Registry keys and point to either remote (e.g. via UNC) or local (copied over) file.

Think of it: even temporarily swapping popular executables on a remote system may allow to execute code on that system when e.g. user opens that swapped popular program (office, conference applications, browsers, their less important plugins, etc.). Sky is the limit (okay, some limitations exist for systems that are not attended to by users, use EDR, whitelisting, and other factors, but it’s not the point – depending on the target you have the whole gamut of lateral movement/persistence techniques to use!).

I am obviously not the first one to spot the ‘persistence can create a lateral movement’ opportunity, but I don’t recall seeing any post that tries to look at this as a whole, and especially with regards to the Mitre framework. The described approach to leverage same techniques for different purpose is not new, but such a ‘bulk’ addition to the (currently) relatively small, ‘unicorn’ lateral movement tactic’ arsenal may significantly affect the way we look at tactics and techniques. They are not that atomic, independent, or limited to the scope that we are led to believe due to an error of availability (most presos talking about lateral movement completely ignore the persistence tricks providing possible lateral movement opportunities).

I think tactics as a leading force for the framework may end up being inadequate to represent clusters of techniques as this leads to many duplicate entries. Perhaps a way to approach it is to focus on techniques as a leading force of defense, and then label each technique with the available ‘tactic’ tags? I don’t know. It is one of the things that requires more people to come together and discuss…

Perhaps there is a Mitre Att&ck 2.0 in the making that will address that ‘bulk’ duplicity.

Update: coincidentally, after I posted this piece I saw this post (‘Draw.io for threat modeling’) on Twitter that describes a more detailed (and perhaps more traditional) threat modeling approach that I find pretty interesting in this context.