Beyond good ol’ Run key, Part 38

It’s been a while since my last post about persistence tricks. Today I decided to fix this and write about yet another trick – kinda old, yet still cool – that works even today despite being as old as Windows NT.

The userinit.exe process was featured in a number of persistence posts before (here, here and here). Turns out, we have not given it all the attention it deserves yet.

When you add a new user to the system, you can change a few properties of the user account, as shown on the screenshot below. One of these properties controls the user logon script (I named it foobar123.bat on the test system).

[screenshot: user properties dialog with the logon script set to foobar123.bat]

The alternative to the GUI is the following command (the account name goes before the switch):

  • net user <username> /scriptpath:<relative path>

Once added to the user properties, the script is executed every time the user logs on:

[screenshot: the logon script running at user logon]

You may be wondering where on the system it has to be placed to ensure it is executed.

There are two places:

  • You can place it on the Netlogon share:
    • either the real one on the domain controller (where all user scripts reside),
      or
    • a fake, local one, created with the trick shown below:

[screenshot: creating a fake, local Netlogon share]

In that case the script is loaded like this:

[screenshot: the script loaded from the Netlogon share]

  • You can place it inside the %systemroot%\System32\Repl\Import\Scripts directory

In that case it is executed like this:

[screenshot: the script loaded from %systemroot%\System32\Repl\Import\Scripts]

If you use the net user command, the relative path is relative to %systemroot%\System32\Repl\Import\Scripts.
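From the defender's side, the two locations above are easy to audit. The script below is an added example (not from the original post): it lists local accounts that have a logon script configured and checks where that script is resolvable. It assumes an elevated PowerShell on the host being checked, and that the WinNT ADSI provider's LoginScript property reflects the value set through the user properties or net user /scriptpath.

```powershell
# Added example (not from the original post). Audits local accounts for a configured
# logon script and resolves it against the locations the post describes.
# Assumptions: elevated session; WinNT ADSI "LoginScript" mirrors the scriptpath value.
$scriptsDir    = Join-Path $env:SystemRoot 'System32\Repl\Import\Scripts'
$localNetlogon = Get-SmbShare -Name 'NETLOGON' -ErrorAction SilentlyContinue

if ($localNetlogon) {
    # A NETLOGON share is expected on a domain controller, not on a workstation or member server
    Write-Warning ("Local NETLOGON share present, path: {0}" -f $localNetlogon.Path)
}

$computer = [ADSI]"WinNT://$env:COMPUTERNAME"
$findings = foreach ($entry in $computer.Children) {
    if ($entry.SchemaClassName -ne 'user') { continue }
    $script = [string]$entry.Properties['LoginScript'].Value
    if ([string]::IsNullOrWhiteSpace($script)) { continue }

    # Candidate locations: relative to Repl\Import\Scripts, the local NETLOGON share (if any),
    # and the domain NETLOGON share when the host is domain-joined (UNC check may be slow offline)
    $candidates = @(Join-Path $scriptsDir $script)
    if ($localNetlogon)     { $candidates += Join-Path $localNetlogon.Path $script }
    if ($env:USERDNSDOMAIN) { $candidates += "\\$env:USERDNSDOMAIN\NETLOGON\$script" }
    $present = @($candidates | Where-Object { Test-Path -LiteralPath $_ })

    [pscustomobject]@{
        User       = $entry.Name
        ScriptPath = $script
        FoundAt    = ($present -join '; ')
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No local accounts have a logon script configured.' }
```

Any account with a ScriptPath on a machine where no logon scripts are expected, or a script that resolves inside a local NETLOGON share, is worth a closer look.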

This trick is not my idea and is described in various places on the internet – I shamelessly ‘borrowed’ most of the bits and ideas from here.

DeXRAY – Twentin Quarantino

DeXRAY now supports over twenty Quarantine file types. I set a goal to look at one AV per day, unless I am busy with other stuff. So far, the results are kinda predictable: the most difficult to access with a debugger / crack / analyze are Chinese, Russian, and… Microsoft. The rest of the files took between 2 minutes and 2 hours of work max. It’s a great reversing experience, as it’s heavily time-sensitive research (I want to crack it in one session), and at the same time I am learning about many pointers which I can use for further research and study. The guys @ProjectZero are unfortunately right. The moment you start looking at AV internals you discover lots of juicy stuff. Ouch. I strongly believe AV is _needed_ in the ‘open ecosystem’ setup that exists in most companies today, but it’s time AV vendors really reviewed their code.

Anyway…

I have added support for Baidu .qv, CMC Antivirus .cmc, and F-Prot .tmp Quarantine files. I also confirmed that Lavasoft AdAware uses BitDefender’s Quarantine files (.bdq), and that Comodo stores Quarantine files without encryption 🙂

The full list of supported or recognized file formats is listed below:

  • AhnLab (V3B)
  • ASquared (EQF)
  • Avast (Magic@0=’-chest- ‘)
  • Avira (QUA)
  • Baidu (QV)
  • BitDefender (BDQ)
  • CMC Antivirus (CMC)
  • Comodo <GUID> (not really; Quarantined files are not encrypted 🙂)
  • ESET (NQF)
  • F-Prot (TMP) (Magic@0=’KSS’)
  • Kaspersky (KLQ)
  • Lavasoft AdAware (BDQ) /BitDefender files really/
  • MalwareBytes Data files (DATA)
  • MalwareBytes Quarantine files (QUAR)
  • McAfee Quarantine files (BUP)
  • Microsoft Forefront|Defender (Magic@0=0B AD|D3 45) – not handled yet; only recognized
  • Panda <GUID> Zip files
  • SUPERAntiSpyware (SDB)
  • Symantec Quarantine Data files (QBD)
  • Symantec Quarantine files (VBN)
  • Symantec Quarantine Index files (QBI)
  • TrendMicro (Magic@0=A9 AC BD A7 which is ‘VSBX’ string ^ 0xFF)
  • QuickHeal <hash> files
  • Vipre (<GUID>_ENC2)
  • Any binary file (using X-RAY scanning)

The script can be downloaded here.