{"id":3802,"date":"2016-08-19T23:21:31","date_gmt":"2016-08-19T23:21:31","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=3802"},"modified":"2016-08-19T23:24:32","modified_gmt":"2016-08-19T23:24:32","slug":"beyond-good-ol-run-key-part-44","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2016\/08\/19\/beyond-good-ol-run-key-part-44\/","title":{"rendered":"Beyond good ol\u2019 Run key, Part 44"},"content":{"rendered":"<p>In my <a href=\"https:\/\/www.hexacorn.com\/blog\/2016\/07\/28\/beyond-good-ol-run-key-part-43\/\">previous post<\/a> I described a persistence mechanism that is triggered when someone is connecting to the infected system via RDP.<\/p>\n<p>This is an interesting way to stay alive, but it would be probably much better if we could apply the same logic not to the server, but to the client.<\/p>\n<p>That is &#8211; launch a DLL of our choice anytime someone tries to use mstsc.exe&#8230;<\/p>\n<p>Impossible?<\/p>\n<p>Not really.<\/p>\n<p>Did I mention testing?<\/p>\n<p>Yet another artifact that seems to be testing-related is this:<\/p>\n<ul>\n<li>HKLM\\SOFTWARE\\Microsoft\\Terminal Server Client<br \/>\nClxDllPath=&lt;path to DLL&gt;<\/li>\n<\/ul>\n<p>Yup.<\/p>\n<p>Adding this to the Windows 10 Registry:<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/08\/test_client2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-3807\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/08\/test_client2-300x49.png\" alt=\"test_client2\" width=\"550\" height=\"90\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/08\/test_client2-300x49.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/08\/test_client2.png 738w\" sizes=\"(max-width: 550px) 100vw, 550px\" \/><\/a><\/p>\n<p>will give us the following result:<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/08\/test_client.png\"><img 
decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-3804\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/08\/test_client-300x178.png\" alt=\"test_client\" width=\"549\" height=\"325\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/08\/test_client-300x178.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/08\/test_client.png 649w\" sizes=\"(max-width: 549px) 100vw, 549px\" \/><\/a>The c:\\test\\test_client.dll is loaded anytime we start mstsc.exe.<\/p>\n<p>We don&#8217;t even need to connect to the real system. Just launching mstsc.exe is enough.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In my previous post I described a persistence mechanism that is triggered when someone is connecting to the infected system via RDP. This is an interesting way to stay alive, but it would be probably much better if we could &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2016\/08\/19\/beyond-good-ol-run-key-part-44\/\">Continue reading <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[13,35,15,19,46],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3802"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=3802"}],"version-history":[{"count":5,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3802\/revisions"}],"predecessor-version":[{"id":3810,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3802\/revisions\/3810"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=3802"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=3802"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=3802"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}