Hexacorn

Hexacorn

Beyond good ol’ Run key, Part 59

Posted on 2017-01-29 by adam

In my last post I talked about Bluetooth. I have a mixed luck testing anything related to this technology…

You see, there is that one more potential persistence mechanism associated with Bluetooth which I was unable to test successfully. Despite my efforts it didn’t work, but this is probably because I don’t have a proper set up. Perhaps people owning a laptop with the Windows 8 on it (and not Windows 8.1 or newer) could give it a go… It is another documented feature of Windows, so it should work.

So… there is a thing called ‘Bluetooth Software Radio Switch Function Prototypes’ described on the Microsoft page here.

Adding the entry

HKLM\SYSTEM\CurrentControlSet\Services\

BTHPORT\Parameters\Radio Support\

SupportDLL = Path to DLL

should allow vendors to register a DLL that will handle requests to Bluetooth radio to switch it on or off.

The Microsoft page provides a link to another page that is describing the sample source code demonstrating to programmers how to build your own supporting DLL. The funny thing is that the demo code uses a different key (BthServ instead of BTHPORT service) than the previous page, and a Unicode path instead of an ANSI path provided in the documentation. Searching for strings within c:\windows directory I could find references to BTHPORT\Parameters\Radio Support and not BthServ\Parameters\Radio Support so the documentation is probably okay, and the demo is not.

Well, in any case. It should work.

Beyond good ol’ Run key – All parts

Posted on 2017-01-28 by adam

Updated 2019-10-12

Here are the links to all the ‘Beyond good ol’ Run key’ posts so far.

Part 01 – https://www.hexacorn.com/blog/2012/07/23/beyond-good-ol-run-key/”
Part 02 – https://www.hexacorn.com/blog/2012/09/16/beyond-good-ol-run-key-part-2/”
Part 03 – https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/”
Part 04 – https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/”
Part 05 – https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/”
Part 06 – https://www.hexacorn.com/blog/2014/01/10/beyond-good-ol-run-key-part-6-2/”
Part 07 – https://www.hexacorn.com/blog/2014/02/09/beyond-good-ol-run-key-part-7/”
Part 08 – https://www.hexacorn.com/blog/2014/02/21/beyond-good-ol-run-key-part-8-2/”
Part 09 – https://www.hexacorn.com/blog/2014/03/02/beyond-good-ol-run-key-part-9/”
Part 10 – https://www.hexacorn.com/blog/2014/04/16/beyond-good-ol-run-key-part-10/”
Part 11 – https://www.hexacorn.com/blog/2014/04/27/beyond-good-ol-run-key-part-11/”
Part 12 – https://www.hexacorn.com/blog/2014/05/21/beyond-good-ol-run-key-part-12/”
Part 13 – https://www.hexacorn.com/blog/2014/06/18/beyond-good-ol-run-key-part-13/”
Part 14 – https://www.hexacorn.com/blog/2014/07/08/beyond-good-ol-run-key-part-14/”
Part 15 – https://www.hexacorn.com/blog/2014/08/04/beyond-good-ol-run-key-part-15/”
Part 16 – https://www.hexacorn.com/blog/2014/08/27/beyond-good-ol-run-key-part-16/”
Part 17 – https://www.hexacorn.com/blog/2014/08/31/beyond-good-ol-run-key-part-17/”
Part 18 – https://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/”
Part 19 – https://www.hexacorn.com/blog/2014/12/04/beyond-good-ol-run-key-part-19/”
Part 20 – https://www.hexacorn.com/blog/2015/01/01/beyond-good-ol-run-key-part-20/”
Part 21 – https://www.hexacorn.com/blog/2015/01/03/beyond-good-ol-run-key-part-21/”
Part 22 – https://www.hexacorn.com/blog/2015/01/06/beyond-good-ol-run-key-part-22/”
Part 23 – https://www.hexacorn.com/blog/2015/01/09/beyond-good-ol-run-key-part-23/”
Part 24 – https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/”
Part 25 – https://www.hexacorn.com/blog/2015/01/28/beyond-good-ol-run-key-part-25/”
Part 26 – https://www.hexacorn.com/blog/2015/01/28/beyond-good-ol-run-key-part-26/”
Part 27 – https://www.hexacorn.com/blog/2015/02/19/beyond-good-ol-run-key-part-27/”
Part 28 – https://www.hexacorn.com/blog/2015/02/23/beyond-good-ol-run-key-part-28/”
Part 29 – https://www.hexacorn.com/blog/2015/03/13/beyond-good-ol-run-key-part-29/”
Part 30 – https://www.hexacorn.com/blog/2015/04/26/beyond-good-ol-run-key-part-30/”
Part 31 – https://www.hexacorn.com/blog/2015/05/29/beyond-good-ol-run-key-part-31/”
Part 32 – https://www.hexacorn.com/blog/2015/09/12/beyond-good-ol-run-key-part-32/ – this one contains a number of links to other research
Part 33 – https://www.hexacorn.com/blog/2015/10/20/beyond-good-ol-run-key-part-33/”
Part 34 – https://www.hexacorn.com/blog/2016/02/16/beyond-good-ol-run-key-part-34/”
Part 35 – https://www.hexacorn.com/blog/2016/03/01/beyond-good-ol-run-key-part-35/”
Part 36 – https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/”
Part 37 – https://www.hexacorn.com/blog/2016/03/26/beyond-good-ol-run-key-part-37/”
Part 38 – https://www.hexacorn.com/blog/2016/05/27/beyond-good-ol-run-key-part-38/”
Part 39 – https://www.hexacorn.com/blog/2016/05/30/beyond-good-ol-run-key-part-39/”
Part 40 – https://www.hexacorn.com/blog/2016/06/02/beyond-good-ol-run-key-part-40/”
Part 41 – https://www.hexacorn.com/blog/2016/07/08/beyond-good-ol-run-key-part-41/”
Part 42 – https://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/”
Part 43 – https://www.hexacorn.com/blog/2016/07/28/beyond-good-ol-run-key-part-43/”
Part 44 – https://www.hexacorn.com/blog/2016/08/19/beyond-good-ol-run-key-part-44/”
Part 45 – https://www.hexacorn.com/blog/2016/08/26/beyond-good-ol-run-key-part-45/”
Part 46 – https://www.hexacorn.com/blog/2016/09/24/beyond-good-ol-run-key-part-46/”
Part 47 – https://www.hexacorn.com/blog/2016/09/29/beyond-good-ol-run-key-part-47/”
Part 48 – https://www.hexacorn.com/blog/2016/10/21/beyond-good-ol-run-key-part-48/”
Part 49 – https://www.hexacorn.com/blog/2016/11/05/beyond-good-ol-run-key-part-49/”
Part 50 – https://www.hexacorn.com/blog/2016/11/08/beyond-good-ol-run-key-part-50/”
Part 51 – https://www.hexacorn.com/blog/2016/11/24/beyond-good-ol-run-key-part-51/”
Part 52 – https://www.hexacorn.com/blog/2017/01/07/beyond-good-ol-run-key-part-52/”
Part 53 – https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/”
Part 54 – https://www.hexacorn.com/blog/2017/01/16/beyond-good-ol-run-key-part-54/”
Part 55 – https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/”
Part 56 – https://www.hexacorn.com/blog/2017/01/19/beyond-good-ol-run-key-part-56/”
Part 57 – https://www.hexacorn.com/blog/2017/01/27/beyond-good-ol-run-key-part-57/”
Part 58 – https://www.hexacorn.com/blog/2017/01/28/beyond-good-ol-run-key-part-58/”
Part 59 – https://www.hexacorn.com/blog/2017/01/29/beyond-good-ol-run-key-part-59/
Part 60 – https://www.hexacorn.com/blog/2017/03/18/beyond-good-ol-run-key-part-60/
Part 61 – https://www.hexacorn.com/blog/2017/04/02/beyond-good-ol-run-key-part-61/
Part 62 – https://www.hexacorn.com/blog/2017/04/19/beyond-good-ol-run-key-part-62/
Part 63 – never released; PEBKAC 🙂
Part 64 – https://www.hexacorn.com/blog/2017/07/12/beyond-good-ol-run-key-part-64/
Part 65 – https://www.hexacorn.com/blog/2017/09/27/beyond-good-ol-run-key-part-65/
Part 66 – https://www.hexacorn.com/blog/2017/10/05/beyond-good-ol-run-key-part-66/
Part 67 – https://www.hexacorn.com/blog/2017/10/21/beyond-good-ol-run-key-part-67/
Part 68 – https://www.hexacorn.com/blog/2017/12/08/beyond-good-ol-run-key-part-68/
Part 69 – https://www.hexacorn.com/blog/2017/12/29/beyond-good-ol-run-key-part-69/
Part 70 – https://www.hexacorn.com/blog/2017/12/30/beyond-good-ol-run-key-part-70/
Part 71 – https://www.hexacorn.com/blog/2018/01/28/beyond-good-ol-run-key-part-71/
Part 72 – https://www.hexacorn.com/blog/2018/02/09/beyond-good-ol-run-key-part-72/
Part 73 – https://www.hexacorn.com/blog/2018/03/15/beyond-good-ol-run-key-part-73/
Part 74 – https://www.hexacorn.com/blog/2018/03/26/beyond-good-ol-run-key-part-74/
Part 75 – https://www.hexacorn.com/blog/2018/03/28/beyond-good-ol-run-key-part-75/
Part 76 – https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/
Part 77 – https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/
Part 78 – https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/
Part 79 – https://www.hexacorn.com/blog/2018/06/10/beyond-good-ol-run-key-part-79/
Part 80 – https://www.hexacorn.com/blog/2018/07/06/beyond-good-ol-run-key-part-80/
Part 81 – https://www.hexacorn.com/blog/2018/07/28/beyond-good-ol-run-key-part-81/
Part 82 – https://www.hexacorn.com/blog/2018/07/29/beyond-good-ol-run-key-part-82/
Part 83 – https://www.hexacorn.com/blog/2018/08/04/beyond-good-ol-run-key-part-83/
Part 84 – https://www.hexacorn.com/blog/2018/08/17/beyond-good-ol-run-key-part-84/
Part 85 – https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/
Part 86 – https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
Part 87 – https://www.hexacorn.com/blog/2018/09/04/beyond-good-ol-run-key-part-87/
Part 88 – https://www.hexacorn.com/blog/2018/09/08/beyond-good-ol-run-key-part-88
Part 89 – https://www.hexacorn.com/blog/2018/10/07/beyond-good-ol-run-key-part-89/
Part 90 – https://www.hexacorn.com/blog/2018/10/09/beyond-good-ol-run-key-part-90/
Part 91 – https://www.hexacorn.com/blog/2018/10/10/beyond-good-ol-run-key-part-91/
Part 92 – https://www.hexacorn.com/blog/2018/10/11/beyond-good-ol-run-key-part-92/
Part 93 – https://www.hexacorn.com/blog/2018/10/12/beyond-good-ol-run-key-part-93/
Part 94 – https://www.hexacorn.com/blog/2018/11/25/beyond-good-ol-run-key-part-94/
Part 95 – https://www.hexacorn.com/blog/2018/12/02/beyond-good-ol-run-key-part-95/
Part 96 – https://www.hexacorn.com/blog/2018/12/21/beyond-good-ol-run-key-part-96/
Part 97 – https://www.hexacorn.com/blog/2018/12/26/beyond-good-ol-run-key-part-97/
Part 98 – https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/
Part 99 – https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-99/
Part 100 – https://www.hexacorn.com/blog/2019/01/05/beyond-good-ol-run-key-part-100/
Part 101 – https://www.hexacorn.com/blog/2019/02/02/beyond-good-ol-run-key-part-101/
Part 102 – https://www.hexacorn.com/blog/2019/02/12/beyond-good-ol-run-key-part-102/
Part 103 – https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/
Part 104 – https://www.hexacorn.com/blog/2019/02/23/beyond-good-ol-run-key-part-104/
Part 105 – https://www.hexacorn.com/blog/2019/05/29/beyond-good-ol-run-key-part-105/
Part 106 – https://www.hexacorn.com/blog/2019/06/01/beyond-good-ol-run-key-part-106/
Part 107 – https://www.hexacorn.com/blog/2019/06/07/beyond-good-ol-run-key-part-107/
Pat 108 – https://www.hexacorn.com/blog/2019/07/11/beyond-good-ol-run-key-part-108-2/
Part 109 – https://www.hexacorn.com/blog/2019/07/12/beyond-good-ol-run-key-part-109/
Part 110 – https://www.hexacorn.com/blog/2019/07/13/beyond-good-ol-run-key-part-110/
Part 111 – https://www.hexacorn.com/blog/2019/07/13/beyond-good-ol-run-key-part-111/
Part 112 – https://www.hexacorn.com/blog/2019/08/16/beyond-good-ol-run-key-part-112/
Part 113 – https://www.hexacorn.com/blog/2019/08/26/beyond-good-ol-run-key-part-113/
Part 114 – https://www.hexacorn.com/blog/2019/09/07/beyond-good-ol-run-key-part-114/
Part 115 – https://www.hexacorn.com/blog/2019/09/13/beyond-good-ol-run-key-part-115/
Part 116 – https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/
Part 117 – https://www.hexacorn.com/blog/2019/09/28/beyond-good-ol-run-key-part-117/
Part 118 – https://www.hexacorn.com/blog/2019/10/04/beyond-good-ol-run-key-part-118/
Part 119 – https://www.hexacorn.com/blog/2019/10/11/beyond-good-ol-run-key-part-119/

Also see discussion on how many of these persistence techniques can be also Lateral Movement techniques:

https://www.hexacorn.com/blog/2018/10/05/lateral-movement-and-persistence-tactics-vs-techniques/

You may also want to visit the new series Beyond good ol’ LaunchAgent by Pasquale Stirparo – the series is dedicated to MAC ‘autoruns’ tricks and is a must read for anyone who is doing forensics or reverse engineering on OSX