Updated 2019-10-12

Here are the links to all the ‘Beyond good ol’ Run key’ posts so far.

• Part 01 – https://www.hexacorn.com/blog/2012/07/23/beyond-good-ol-run-key/”
• Part 02 – https://www.hexacorn.com/blog/2012/09/16/beyond-good-ol-run-key-part-2/”
• Part 03 – https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/”
• Part 04 – https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/”
• Part 05 – https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/”
• Part 06 – https://www.hexacorn.com/blog/2014/01/10/beyond-good-ol-run-key-part-6-2/”
• Part 07 – https://www.hexacorn.com/blog/2014/02/09/beyond-good-ol-run-key-part-7/”
• Part 08 – https://www.hexacorn.com/blog/2014/02/21/beyond-good-ol-run-key-part-8-2/”
• Part 09 – https://www.hexacorn.com/blog/2014/03/02/beyond-good-ol-run-key-part-9/”
• Part 10 – https://www.hexacorn.com/blog/2014/04/16/beyond-good-ol-run-key-part-10/”
• Part 11 – https://www.hexacorn.com/blog/2014/04/27/beyond-good-ol-run-key-part-11/”
• Part 12 – https://www.hexacorn.com/blog/2014/05/21/beyond-good-ol-run-key-part-12/”
• Part 13 – https://www.hexacorn.com/blog/2014/06/18/beyond-good-ol-run-key-part-13/”
• Part 14 – https://www.hexacorn.com/blog/2014/07/08/beyond-good-ol-run-key-part-14/”
• Part 15 – https://www.hexacorn.com/blog/2014/08/04/beyond-good-ol-run-key-part-15/”
• Part 16 – https://www.hexacorn.com/blog/2014/08/27/beyond-good-ol-run-key-part-16/”
• Part 17 – https://www.hexacorn.com/blog/2014/08/31/beyond-good-ol-run-key-part-17/”
• Part 18 – https://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/”
• Part 19 – https://www.hexacorn.com/blog/2014/12/04/beyond-good-ol-run-key-part-19/”
• Part 20 – https://www.hexacorn.com/blog/2015/01/01/beyond-good-ol-run-key-part-20/”
• Part 21 – https://www.hexacorn.com/blog/2015/01/03/beyond-good-ol-run-key-part-21/”
• Part 22 – https://www.hexacorn.com/blog/2015/01/06/beyond-good-ol-run-key-part-22/”
• Part 23 – https://www.hexacorn.com/blog/2015/01/09/beyond-good-ol-run-key-part-23/”
• Part 24 – https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/”
• Part 25 – https://www.hexacorn.com/blog/2015/01/28/beyond-good-ol-run-key-part-25/”
• Part 26 – https://www.hexacorn.com/blog/2015/01/28/beyond-good-ol-run-key-part-26/”
• Part 27 – https://www.hexacorn.com/blog/2015/02/19/beyond-good-ol-run-key-part-27/”
• Part 28 – https://www.hexacorn.com/blog/2015/02/23/beyond-good-ol-run-key-part-28/”
• Part 29 – https://www.hexacorn.com/blog/2015/03/13/beyond-good-ol-run-key-part-29/”
• Part 30 – https://www.hexacorn.com/blog/2015/04/26/beyond-good-ol-run-key-part-30/”
• Part 31 – https://www.hexacorn.com/blog/2015/05/29/beyond-good-ol-run-key-part-31/”
• Part 32 – https://www.hexacorn.com/blog/2015/09/12/beyond-good-ol-run-key-part-32/ – this one contains a number of links to other research
• Part 33 – https://www.hexacorn.com/blog/2015/10/20/beyond-good-ol-run-key-part-33/”
• Part 34 – https://www.hexacorn.com/blog/2016/02/16/beyond-good-ol-run-key-part-34/”
• Part 35 – https://www.hexacorn.com/blog/2016/03/01/beyond-good-ol-run-key-part-35/”
• Part 36 – https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/”
• Part 37 – https://www.hexacorn.com/blog/2016/03/26/beyond-good-ol-run-key-part-37/”
• Part 38 – https://www.hexacorn.com/blog/2016/05/27/beyond-good-ol-run-key-part-38/”
• Part 39 – https://www.hexacorn.com/blog/2016/05/30/beyond-good-ol-run-key-part-39/”
• Part 40 – https://www.hexacorn.com/blog/2016/06/02/beyond-good-ol-run-key-part-40/”
• Part 41 – https://www.hexacorn.com/blog/2016/07/08/beyond-good-ol-run-key-part-41/”
• Part 42 – https://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/”
• Part 43 – https://www.hexacorn.com/blog/2016/07/28/beyond-good-ol-run-key-part-43/”
• Part 44 – https://www.hexacorn.com/blog/2016/08/19/beyond-good-ol-run-key-part-44/”
• Part 45 – https://www.hexacorn.com/blog/2016/08/26/beyond-good-ol-run-key-part-45/”
• Part 46 – https://www.hexacorn.com/blog/2016/09/24/beyond-good-ol-run-key-part-46/”
• Part 47 – https://www.hexacorn.com/blog/2016/09/29/beyond-good-ol-run-key-part-47/”
• Part 48 – https://www.hexacorn.com/blog/2016/10/21/beyond-good-ol-run-key-part-48/”
• Part 49 – https://www.hexacorn.com/blog/2016/11/05/beyond-good-ol-run-key-part-49/”
• Part 50 – https://www.hexacorn.com/blog/2016/11/08/beyond-good-ol-run-key-part-50/”
• Part 51 – https://www.hexacorn.com/blog/2016/11/24/beyond-good-ol-run-key-part-51/”
• Part 52 – https://www.hexacorn.com/blog/2017/01/07/beyond-good-ol-run-key-part-52/”
• Part 53 – https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/”
• Part 54 – https://www.hexacorn.com/blog/2017/01/16/beyond-good-ol-run-key-part-54/”
• Part 55 – https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/”
• Part 56 – https://www.hexacorn.com/blog/2017/01/19/beyond-good-ol-run-key-part-56/”
• Part 57 – https://www.hexacorn.com/blog/2017/01/27/beyond-good-ol-run-key-part-57/”
• Part 58 – https://www.hexacorn.com/blog/2017/01/28/beyond-good-ol-run-key-part-58/”
• Part 59 – https://www.hexacorn.com/blog/2017/01/29/beyond-good-ol-run-key-part-59/
• Part 60 – https://www.hexacorn.com/blog/2017/03/18/beyond-good-ol-run-key-part-60/
• Part 61 – https://www.hexacorn.com/blog/2017/04/02/beyond-good-ol-run-key-part-61/
• Part 62 – https://www.hexacorn.com/blog/2017/04/19/beyond-good-ol-run-key-part-62/
• Part 63 – never released; PEBKAC 🙂
• Part 64 – https://www.hexacorn.com/blog/2017/07/12/beyond-good-ol-run-key-part-64/
• Part 65 – https://www.hexacorn.com/blog/2017/09/27/beyond-good-ol-run-key-part-65/
• Part 66  – https://www.hexacorn.com/blog/2017/10/05/beyond-good-ol-run-key-part-66/
• Part 67 – https://www.hexacorn.com/blog/2017/10/21/beyond-good-ol-run-key-part-67/
• Part 68 – https://www.hexacorn.com/blog/2017/12/08/beyond-good-ol-run-key-part-68/
• Part 69 – https://www.hexacorn.com/blog/2017/12/29/beyond-good-ol-run-key-part-69/
• Part 70 – https://www.hexacorn.com/blog/2017/12/30/beyond-good-ol-run-key-part-70/
• Part 71 – https://www.hexacorn.com/blog/2018/01/28/beyond-good-ol-run-key-part-71/
• Part 72 – https://www.hexacorn.com/blog/2018/02/09/beyond-good-ol-run-key-part-72/
• Part 73 – https://www.hexacorn.com/blog/2018/03/15/beyond-good-ol-run-key-part-73/
• Part 74 – https://www.hexacorn.com/blog/2018/03/26/beyond-good-ol-run-key-part-74/
• Part 75 – https://www.hexacorn.com/blog/2018/03/28/beyond-good-ol-run-key-part-75/
• Part 76 – https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/
• Part 77 – https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/
• Part 78 – https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/
• Part 79 – https://www.hexacorn.com/blog/2018/06/10/beyond-good-ol-run-key-part-79/
• Part 80 – https://www.hexacorn.com/blog/2018/07/06/beyond-good-ol-run-key-part-80/
• Part 81 – https://www.hexacorn.com/blog/2018/07/28/beyond-good-ol-run-key-part-81/
• Part 82 – https://www.hexacorn.com/blog/2018/07/29/beyond-good-ol-run-key-part-82/
• Part 83 – https://www.hexacorn.com/blog/2018/08/04/beyond-good-ol-run-key-part-83/
• Part 84 – https://www.hexacorn.com/blog/2018/08/17/beyond-good-ol-run-key-part-84/
• Part 85 – https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/
• Part 86 – https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
• Part 87 – https://www.hexacorn.com/blog/2018/09/04/beyond-good-ol-run-key-part-87/
• Part 88 – https://www.hexacorn.com/blog/2018/09/08/beyond-good-ol-run-key-part-88
• Part 89 – https://www.hexacorn.com/blog/2018/10/07/beyond-good-ol-run-key-part-89/
• Part 90 – https://www.hexacorn.com/blog/2018/10/09/beyond-good-ol-run-key-part-90/
• Part 91 – https://www.hexacorn.com/blog/2018/10/10/beyond-good-ol-run-key-part-91/
• Part 92 – https://www.hexacorn.com/blog/2018/10/11/beyond-good-ol-run-key-part-92/
• Part 93 – https://www.hexacorn.com/blog/2018/10/12/beyond-good-ol-run-key-part-93/
• Part 94 – https://www.hexacorn.com/blog/2018/11/25/beyond-good-ol-run-key-part-94/
• Part 95 – https://www.hexacorn.com/blog/2018/12/02/beyond-good-ol-run-key-part-95/
• Part 96 – https://www.hexacorn.com/blog/2018/12/21/beyond-good-ol-run-key-part-96/
• Part 97 – https://www.hexacorn.com/blog/2018/12/26/beyond-good-ol-run-key-part-97/
• Part 98 – https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/
• Part 99 – https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-99/
• Part 100 – https://www.hexacorn.com/blog/2019/01/05/beyond-good-ol-run-key-part-100/
• Part 101 – https://www.hexacorn.com/blog/2019/02/02/beyond-good-ol-run-key-part-101/
• Part 102 – https://www.hexacorn.com/blog/2019/02/12/beyond-good-ol-run-key-part-102/
• Part 103 – https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/
• Part 104 – https://www.hexacorn.com/blog/2019/02/23/beyond-good-ol-run-key-part-104/
• Part 105 – https://www.hexacorn.com/blog/2019/05/29/beyond-good-ol-run-key-part-105/
• Part 106 – https://www.hexacorn.com/blog/2019/06/01/beyond-good-ol-run-key-part-106/
• Part 107 – https://www.hexacorn.com/blog/2019/06/07/beyond-good-ol-run-key-part-107/
• Pat 108 – https://www.hexacorn.com/blog/2019/07/11/beyond-good-ol-run-key-part-108-2/
• Part 109 – https://www.hexacorn.com/blog/2019/07/12/beyond-good-ol-run-key-part-109/
• Part 110 – https://www.hexacorn.com/blog/2019/07/13/beyond-good-ol-run-key-part-110/
• Part 111 – https://www.hexacorn.com/blog/2019/07/13/beyond-good-ol-run-key-part-111/
• Part 112 – https://www.hexacorn.com/blog/2019/08/16/beyond-good-ol-run-key-part-112/
• Part 113 – https://www.hexacorn.com/blog/2019/08/26/beyond-good-ol-run-key-part-113/
• Part 114 – https://www.hexacorn.com/blog/2019/09/07/beyond-good-ol-run-key-part-114/
• Part 115 – https://www.hexacorn.com/blog/2019/09/13/beyond-good-ol-run-key-part-115/
• Part 116 – https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/
• Part 117 – https://www.hexacorn.com/blog/2019/09/28/beyond-good-ol-run-key-part-117/
• Part 118 – https://www.hexacorn.com/blog/2019/10/04/beyond-good-ol-run-key-part-118/
• Part 119 – https://www.hexacorn.com/blog/2019/10/11/beyond-good-ol-run-key-part-119/

Also see discussion on how many of these persistence techniques can be also Lateral Movement techniques:

• https://www.hexacorn.com/blog/2018/10/05/lateral-movement-and-persistence-tactics-vs-techniques/

You may also want to visit the new series Beyond good ol’ LaunchAgent by Pasquale Stirparo – the series is dedicated to MAC ‘autoruns’ tricks and is a must read for anyone who is doing forensics or reverse engineering on OSX

I stumbled upon this persistence mechanism by chance and its nature is similar to the many I have covered before – the preset applications that are executed when a certain event happens. This time I was checking the Bluetooth Stack applications on a laptop and discovered it could be easily configured to run arbitrary programs. We can assume that many other similar Bluetooth configuration utilities developed by other companies offer similar capabilities.

I don’t know how many people use Bluetooth on their PC laptops nowadays, but as long as the Bluetooth stack is installed, radio is enabled and applications are installed – the specific events should trigger the execution of preset applications…

There are at least two places I found where one could add persistent malware to the Bluetooth configuration settings.

The first one is under the SMART tab in General Options:

Despite efforts I didn’t manage to trigger it, but I don’t have many Bluetooth devices at hand. Perhaps someone will be able to run a QC on this one.

The setting is located inside the Registry under the following location:

• HKCU\Software\Toshiba\BluetoothStack\
  V1.0\Mng\IasStartAplPath= EXE Path

The second, is not just one, but it’s actually a group of individual settings assigned to each connection – here is an example of properties of such one connection where I added the c:\windows\system32\notepad.exe to execute anytime the connection is established:

This one works for sure and it was easy to test it.

The location of these settings is as follows:

• HKCU\Software\Toshiba\BluetoothStack\
  V1.0\EZC\DATA\1001\SCORIGINAL
  APPEXECUTE=hex:01
  APPFILEPATHBYTECNT=dword:<Path Length in bytes>
  APPFILEPATH=hex:<Path expressed as a sequence of hexadecimal numbers>
  APPFILEPATH2=EXE Path represented as a string
  PSM=dword:0000000f
  SECURITY=dword:00000001

The key DATA\1001\SCORIGINAL changes to DATA\1002\SCORIGINAL for the second connection and increases for subsequent connections. This is how it looks like inside the Registry:

It’s pretty simple, but it’s also not very convincing – I don’t think we should expect a flood of malware using it. Still, worth documenting.