Beyond good ol’ Run key, Part 139

This one is a curious one. I actually don’t know how to trigger it!

Yet, I will document some bits and bobs, so that you may take these entry points into consideration, at least from a DFIR perspective.

So, edgehtml.dll and mshtml.dll are monsters of libraries (23-25MB+). One of the things they provide is a set of functions that work in a so-called Diagnostic Mode. When the browser is in that mode, it checks a number of environment variables and, if they are set, it will load a COM library specified by one of these entries (JS_DM_CLSID).

The JavaScript/Diagnostic Mode environment variables it checks are:

  • JS_DM_CLSID
  • JS_DM_FLAGS
  • JS_DM_PATH
  • JS_DM_ID

I know it’s not a lot, but if JS_DM_CLSID is set as an environment variable, you better check its value as it may be loaded by the browser. If you know more about the Diagnostic Mode, please let me know.
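A small triage helper for the DFIR angle above, added here as an example rather than code from the original post: it flags any of the four JS_DM_* variables in an environment block (live or from a process dump) and, on Windows, resolves a well-formed JS_DM_CLSID to the COM server registered under HKCU/HKLM `Software\Classes\CLSID\{...}\InprocServer32`. The InprocServer32 lookup is an assumption about how the CLSID is registered; a LocalServer32 registration would need the same check against that subkey.

```python
import re
import sys
from typing import Dict, List, Optional

# The four Diagnostic Mode variables named in the post.
JS_DM_VARS = ("JS_DM_CLSID", "JS_DM_FLAGS", "JS_DM_PATH", "JS_DM_ID")
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def resolve_clsid(clsid: str) -> Optional[str]:
    """Return the InprocServer32 path registered for a CLSID on Windows.

    HKCU is checked first because per-user registrations override HKLM,
    which is exactly where a hijacked CLSID would normally be planted.
    Returns None off-Windows or when nothing is registered.
    """
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        try:
            with winreg.OpenKey(hive, rf"Software\Classes\CLSID\{clsid}\InprocServer32") as key:
                return winreg.QueryValueEx(key, "")[0]  # (Default) value = DLL path
        except OSError:
            continue
    return None


def triage_js_dm(env: Dict[str, str]) -> List[str]:
    """Return one finding per JS_DM_* variable present in an environment block."""
    findings = []
    for name, value in env.items():
        upper = name.upper()  # Windows environment variable names are case-insensitive
        if upper not in JS_DM_VARS:
            continue
        if upper == "JS_DM_CLSID":
            if not CLSID_RE.match(value):
                findings.append(f"{name}={value!r}: present but not a well-formed CLSID")
            else:
                server = resolve_clsid(value)
                findings.append(f"{name}={value}: COM server -> {server or 'unresolved'}")
        else:
            findings.append(f"{name}={value!r}: Diagnostic Mode variable set")
    return findings


if __name__ == "__main__":
    import os
    for line in triage_js_dm(dict(os.environ)) or ["no JS_DM_* variables set"]:
        print(line)
```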

Adobe: JSX and JSXBIN files

I wrote about older Adobe scripting before. I recently discovered that Adobe products support scripting using so-called ExtendScript language with code being stored either in a source-level JSX file, or its binary equivalent – JSXBIN (it’s actually considered legacy at this stage). Add these file extensions to your watch list.

The documentation [PDF warning] suggests that some security precautions are in place, and:

1.5 Activating full scripting features
The default is for scripts to not be allowed to write files or send or receive communication over a network. To allow
scripts to write files and communicate over a network, choose Edit > Preferences > General (Windows) or After Effects Preferences > General (Mac OS), and select the Allow Scripts To Write Files And Access Network option.
Any After Effects script that contains an error preventing it from being completed generates an error message from the application. This error message includes information about the nature of the error and the line of the script on which it occurred. The ExtendScript Toolkit (ESTK) debugger can open automatically when the application encounters a script error. This feature is disabled by default so that casual users do not encounter it. To activate this feature, choose Preferences > General, and select Enable JavaScript Debugger.

I don’t have access to Adobe products, but these seem to be interesting features.

Defenders should look for:

  • unusual processes spawned by Adobe products
  • invocations of afterfx.exe – scrutinize its command line
  • on macOS: use of AppleScript to invoke DoScript
  • presence/invocation of autostart scripts in Adobe’s Startup and Shutdown folders (the exact location is unknown to me; if you have Adobe products, please let me know and I will update this post)

1.6.5 Running scripts automatically during application startup or shutdown
Within the Scripts folder are two folders called Startup and Shutdown. After Effects runs scripts in these folders
automatically, in alphabetical order, on starting and quitting, respectively.

Yes, it’s not a lot to pivot from, but if you have access to a large number of systems, you may want to keep an eye on process trees spawned around Adobe products. Just to be ahead of the game.

Other info: