Beyond good ol’ Run key, Part 80

I talked about remapping keys a number of times (e.g. remapping Win+E, adding sneaky hotkeys, adding more sneaky hotkeys).

Today I am describing one more Registry entry that is subject to remapping and, as such, may be used as yet another persistence mechanism…

Modern keyboards come with a variety of ‘media’ buttons. Their assignment seems to be hardcoded, but in reality one can change it by modifying the following entries in the Registry:

HKCU or HKLM\software\microsoft\windows\currentversion\explorer\appkey\<number>\ShellExecute=<program>

The <number> is the crucial bit – e.g. the Calculator button is number 18, so if you change its ShellExecute value, any time someone presses the Calc media button the chosen program will be launched instead.

All the mappings are listed in MSDN.

You may notice that 18, the one that belongs to Calculator, is named APPCOMMAND_LAUNCH_APP2, but such is life. Don’t trust the documentation 🙂

Note:

I didn’t discover it, but I don’t recall seeing it mentioned in the context of persistence, so I am documenting it for the record… Having said that, I must mention that googling around led me to this blog post where the very same trick is described as being used to deliver a clever evasion – courtesy of PlugX.

Note2:

Turns out there is a good post from Jan 2018 describing two additional registry values that you may find under the same location:

  • Association – the application associated with a particular file type will be opened
  • RegisteredApp – the application registered for that function will be called
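As an added example (not code from the original post), the script below inventories AppKey remappings in both hives for the three value names discussed above and flags ShellExecute targets that rarely belong there on a clean host. It assumes Windows PowerShell 5.1+ on the inspected machine (run elevated for the full HKLM view); the APPCOMMAND_* numbers are the winuser.h constants and the “suspicious” pattern is my own heuristic, to be checked against your own baseline.

```powershell
# Added example, not code from the original post: list AppKey remappings and
# flag the ones worth a second look. Assumes Windows PowerShell 5.1+.

# APPCOMMAND_* numbers from winuser.h for the launch buttons (18 = Calculator).
$AppCommandNames = @{
    15 = 'APPCOMMAND_LAUNCH_MAIL'
    16 = 'APPCOMMAND_LAUNCH_MEDIA_SELECT'
    17 = 'APPCOMMAND_LAUNCH_APP1'
    18 = 'APPCOMMAND_LAUNCH_APP2'
}

# The three value names the post describes; each can redirect a media button.
$ValueNames = @('ShellExecute', 'Association', 'RegisteredApp')

# Heuristic (my own, not from the post): launch targets in user-writable paths
# or via script/LOLBin hosts are unusual under AppKey and deserve review.
$SuspiciousPattern = '(?i)(\\AppData\\|\\Temp\\|\\Users\\Public\\|powershell|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32)'

function Get-AppKeyMappings {
    foreach ($hive in 'HKCU', 'HKLM') {
        $base = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Explorer\AppKey"
        if (-not (Test-Path -Path $base)) { continue }
        foreach ($key in Get-ChildItem -Path $base) {
            # Subkey names are normally numbers; tolerate anything else.
            $number = 0
            $isNumeric = [int]::TryParse($key.PSChildName, [ref]$number)
            $command = 'other/unknown'
            if ($isNumeric -and $AppCommandNames.ContainsKey($number)) {
                $command = $AppCommandNames[$number]
            }
            foreach ($name in $ValueNames) {
                $data = $key.GetValue($name)
                if ($null -eq $data) { continue }
                $dataText = [string]$data
                [pscustomobject]@{
                    Hive       = $hive
                    AppKey     = $key.PSChildName
                    Command    = $command
                    ValueName  = $name
                    Data       = $dataText
                    Suspicious = ($name -eq 'ShellExecute' -and $dataText -match $SuspiciousPattern)
                }
            }
        }
    }
}

Get-AppKeyMappings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Compare the output against a known-good machine: a few default entries exist under HKLM on a stock install, so it is the additions and the ShellExecute values pointing at odd locations that matter.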

One – Cyber Version

In the past I wrote two cyber covers for the well-known songs Orgasmatron (Motorhead/Sepultura) and Enter Sandman (Metallica).

Today I present you the ‘One’ – it’s dedicated to all the AI-ML-NextGen security vendors 🙂

Now, the funny thing is that I originally thought of parodying either Metallica’s ‘One’, or U2’s one (pun intended). But… when I googled ‘One lyrics’ a completely different set of lyrics appeared. Not only were they neither Metallica’s nor U2’s, they were also not Ed Sheeran’s, to whom Google attributed them. And when I read these lyrics I immediately had a cyber version of the song in my head lol. After further googling around I discovered the lyrics are from a song by George Jones & Tammy Wynette – I have no idea who they are, but apparently some old country music (?).

I found this whole experience really fitting as it almost feels like AI was leading me all the way to it…

So here it is…

I don’t know if it fits the music, but at least you get the cyber lyrics now 😉

One

If you want to hear a sales song
I could call you now
If you want to buy the Next-Gen Product
We could sell you one
If you need to catch a cybervillain
We could charge for one
If you want to QA our product
You could be the one

Now, you talk about threat hunting
I only see IOCs
There’re “AI and ML” motifs
We just use the ‘ifs’
If you believe in magic quadrant
We believe in Santa
If you want to QA our product
You could be the one

One and one, I’ve always heard
Defense in-depth
But one and one is only old tech
When that one is AV… meh
If you believe in magic quadrant
We believe in Santa
If you want to QA our product
You could be the one