{"id":3857,"date":"2016-09-29T01:16:25","date_gmt":"2016-09-29T01:16:25","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=3857"},"modified":"2018-10-09T01:16:41","modified_gmt":"2018-10-09T01:16:41","slug":"beyond-good-ol-run-key-part-47","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2016\/09\/29\/beyond-good-ol-run-key-part-47\/","title":{"rendered":"Beyond good ol\u2019 Run key, Part 47"},"content":{"rendered":"<p><strong>Update 2018-10-09<\/strong><\/p>\n<p>It looks like some of the entries also include a ..\\IdentityStore\\Providers\\DLLPath value name that could be abused for persistence.<\/p>\n<p><strong>Old Post<\/strong><\/p>\n<p>The persistence mechanism that I am going to describe today is not for the faint-hearted.<\/p>\n<p>When Windows 10 starts, lsass.exe loads Authentication Packages (AP) from the following registry location:<\/p>\n<ul>\n<li>HKLM\\SOFTWARE\\Microsoft\\IdentityStore\\Providers<\/li>\n<\/ul>\n<p>The location contains a number of subkeys that use a GUID-based naming convention. The default ones are:<\/p>\n<ul>\n<li>{B16898C6-A148-4967-9171-64D755DA8520}\n<ul>\n<li>ApPluginDLLPath=aadcloudap.dll<\/li>\n<\/ul>\n<\/li>\n<li>{D7F9888F-E3FC-49B0-9EA6-A85B5F392A4F}\n<ul>\n<li>ApPluginDLLPath=MicrosoftAccountCloudAP.dll<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>It&#8217;s tempting to add your own, for example:<\/p>\n<pre>[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\IdentityStore\\Providers\\{00000000-0000-0000-0000-000000000000}]\r\n\"ApPluginDLLPath\"=\"c:\\\\WINDOWS\\\\system32\\\\test_client.dll\"\r\n\r\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\IdentityStore\\Providers\\{00000000-0000-0000-0000-000000000000}\\LoadParameters]\r\n\"Enabled\"=dword:00000001<\/pre>\n<p>The LoadParameters key must contain the Enabled value name &#8211; this ensures the DLL is loaded.<\/p>\n<p>However&#8230; there is a little problem (yet it&#8217;s one that is good to have!) 
&#8211; the Microsoft developers had foresight here and made it quite difficult for anyone to abuse these keys.<\/p>\n<p>Why?<\/p>\n<p>The DLLs are loaded using LoadLibraryEx with the LOAD_LIBRARY_SEARCH_SYSTEM32 and LOAD_LIBRARY_REQUIRE_SIGNED_TARGET options on.<\/p>\n<ul>\n<li>First, the DLL must be placed inside the c:\\windows\\system32 directory (LOAD_LIBRARY_SEARCH_SYSTEM32).<\/li>\n<li>Secondly, the DLL loaded from this location must be signed (LOAD_LIBRARY_REQUIRE_SIGNED_TARGET).<\/li>\n<li>Thirdly, the DLL not only must be signed, but also compiled with the \/INTEGRITYCHECK option on. This ensures that the Kernel-Mode Code Signing (KMCS) checks are enforced.<\/li>\n<\/ul>\n<p>Finally, the Registry key is owned by TrustedInstaller. One needs to change the owner to modify the access rights and grant the permissions to add\/modify the keys.<\/p>\n<p>In practice this means it&#8217;s relatively hard to test (I may describe how to do it later).<\/p>\n<p>Here&#8217;s an example from the test system:<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/09\/lsass.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-3858 size-full\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/09\/lsass.png\" alt=\"lsass\" width=\"536\" height=\"413\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/09\/lsass.png 536w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/09\/lsass-300x231.png 300w\" sizes=\"(max-width: 536px) 100vw, 536px\" \/><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[13,35,15,19,9],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3857"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=3857"}],"version-history":[{"count":3,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3857\/revisions"}],"predecessor-version":[{"id":5393,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3857\/revisions\/5393"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=3857"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=3857"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=3857"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}