{"id":4053,"date":"2017-01-07T01:12:38","date_gmt":"2017-01-07T01:12:38","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=4053"},"modified":"2017-01-07T01:20:21","modified_gmt":"2017-01-07T01:20:21","slug":"beyond-good-ol-run-key-part-52","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2017\/01\/07\/beyond-good-ol-run-key-part-52\/","title":{"rendered":"Beyond good ol\u2019 Run key, Part 52"},"content":{"rendered":"<p>When you google for &#8220;PSScripts.ini&#8221; you will find only around 200 results or so. This is a bit surprising, given that Microsoft has documented this PowerShell-based persistence mechanism on its <a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/gg258195.aspx\">web page<\/a> for quite some time and even describes in detail the <a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/dd303238.aspx\">syntax<\/a> of the PSScripts.ini file. Not to mention that the mechanism &#8211; a close cousin of scripts.ini which I <a href=\"https:\/\/www.hexacorn.com\/blog\/2016\/05\/30\/beyond-good-ol-run-key-part-39\/\">described in the past<\/a> &#8211; has been available on Windows 7 and Windows Server 2008 R2 for many years&#8230;<\/p>\n<p>To access the configuration of PSScripts.ini we can launch gpedit.msc and find the familiar settings:<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/01\/psscripts1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-4054\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/01\/psscripts1-300x164.png\" width=\"501\" height=\"273\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/01\/psscripts1-300x164.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/01\/psscripts1.png 695w\" sizes=\"(max-width: 501px) 100vw, 501px\" \/><\/a>Clicking &#8216;Startup&#8217; or &#8216;Shutdown&#8217; properties will open a new dialog box where we can see two tabs: one for scripts.ini 
(Windows Startup Scripts) and the second one for PSScripts.ini (PowerShell Startup Scripts):<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/01\/psscripts2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-4055 size-full\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/01\/psscripts2.png\" width=\"414\" height=\"461\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/01\/psscripts2.png 414w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/01\/psscripts2-269x300.png 269w\" sizes=\"(max-width: 414px) 100vw, 414px\" \/><\/a>The information provided at the bottom of the dialog confirms that &#8216;PowerShell scripts require at least Windows 7 or Windows Server 2008 R2&#8217; &#8211; not a big problem nowadays.<\/p>\n<p>If we now add our own test script called malware.ps1:<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/01\/psscripts3.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-4056 size-full\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/01\/psscripts3.png\" width=\"414\" height=\"461\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/01\/psscripts3.png 414w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/01\/psscripts3-269x300.png 269w\" sizes=\"(max-width: 414px) 100vw, 414px\" \/><\/a><\/p>\n<p>we will notice that a number of artifacts have been added to the system:<\/p>\n<ul>\n<li>c:\\Windows\\System32\\GroupPolicy\\Machine\\Scripts\\psscripts.ini<\/li>\n<\/ul>\n<pre style=\"padding-left: 30px;\">[Startup]\r\n0CmdLine=malware.ps1\r\n0Parameters=<\/pre>\n<ul>\n<li>c:\\Windows\\System32\\GroupPolicy\\Machine\\Scripts\\Startup\\malware.ps1 (this is the test script; it just waits for a key to be pressed)<\/li>\n<\/ul>\n<pre style=\"padding-left: 30px;\">$null = 
$Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown');<\/pre>\n<ul>\n<li>HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\<br \/>\nGroup Policy\\State\\Machine\\Scripts\\Startup\\0\\0<\/li>\n<\/ul>\n<pre style=\"padding-left: 30px;\">\"Script\"=\"malware.ps1\"\r\n\"Parameters\"=\"\"\r\n\"ExecTime\"=hex(b):00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00<\/pre>\n<ul>\n<li>HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\<br \/>\nGroup Policy\\Scripts\\Startup\\0\\0<\/li>\n<\/ul>\n<pre style=\"padding-left: 30px;\">\"Script\"=\"malware.ps1\"\r\n\"Parameters\"=\"\"\r\n\"IsPowershell\"=dword:00000001\r\n\"ExecTime\"=hex(b):00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00<\/pre>\n<ul>\n<li>HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\<br \/>\nHistory\\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}\\0<\/li>\n<\/ul>\n<pre style=\"padding-left: 30px;\">\"Options\"=dword:00000000\r\n\"Version\"=dword:00010001\r\n\"DSPath\"=\"LocalGPO\"\r\n\"FileSysPath\"=\"C:\\\\Windows\\\\System32\\\\GroupPolicy\\\\Machine\"\r\n\"DisplayName\"=\"Local Group Policy\"\r\n\"Extensions\"=\"[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B6664F-4972-11D1-A7CA-0000F87571E3}]\"\r\n\"Link\"=\"Local\"\r\n\"GPOName\"=\"Local Group Policy\"\r\n\"GPOLink\"=dword:00000001\r\n\"lParam\"=dword:00000000<\/pre>\n<p>The &#8216;42B5FAAE-6536-11d2-AE5A-0000F87571E3&#8217; GUID is associated with a component named &#8216;ProcessScriptsGroupPolicy&#8217;.<\/p>\n<p>After restarting the system we can immediately see that the script was launched:<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/01\/psscripts4.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-full wp-image-4057\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/01\/psscripts4.png\" alt=\"\" width=\"218\" height=\"56\" \/><\/a>We can confirm it&#8217;s indeed our script by inspecting the properties of the powershell.exe process, whose command line points to our test script (since it waits for a 
key to be pressed, it just sits idle in the background):<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/01\/psscripts5.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-4058 size-full\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/01\/psscripts5.png\" width=\"446\" height=\"207\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/01\/psscripts5.png 446w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/01\/psscripts5-300x139.png 300w\" sizes=\"(max-width: 446px) 100vw, 446px\" \/><\/a>The good news is that Autoruns already detects these entries:<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/01\/psscripts6.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-4059\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/01\/psscripts6-300x18.png\" width=\"501\" height=\"30\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/01\/psscripts6-300x18.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/01\/psscripts6.png 685w\" sizes=\"(max-width: 501px) 100vw, 501px\" \/><\/a>We are now halfway through, so bear with me :).<\/p>\n<p>There can be 2 PSScripts.ini files on the system &#8211; the second one configured for (all) the users. 
If you go back to the gpedit.msc dialog box, you can browse the user configuration as well:<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/01\/psscripts7.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-4060\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/01\/psscripts7-300x170.png\" width=\"501\" height=\"283\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/01\/psscripts7-300x170.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/01\/psscripts7.png 683w\" sizes=\"(max-width: 501px) 100vw, 501px\" \/><\/a>The 2 events that PowerShell scripts can be associated with here are &#8216;Logon&#8217; and &#8216;Logoff&#8217;. When we now add a similar test script we will achieve persistence that is attached to one or both of these events.<\/p>\n<p>I don&#8217;t describe it here, but it&#8217;s possible to decide in what sequence scripts.ini and PSScripts.ini should be processed.<\/p>\n<p>Back to our user-specific scripts. 
The artifacts can be found in the Registry under the following keys:<\/p>\n<ul>\n<li>HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\Scripts<\/li>\n<li>HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\<br \/>\nState\\[SID]\\Scripts<\/li>\n<\/ul>\n<p>and the files live in pretty much the same place as the system-specific scripts:<\/p>\n<ul>\n<li>c:\\Windows\\System32\\GroupPolicy<\/li>\n<\/ul>\n<p>The file system tree where the scripts are located looks like this:<\/p>\n<pre>\u251c\u2500\u2500\u2500Machine\r\n\u2502\u00a0\u00a0 \u2514\u2500\u2500\u2500Scripts\r\n\u2502\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u251c\u2500\u2500\u2500Shutdown\r\n\u2502\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u2514\u2500\u2500\u2500Startup\r\n\u2514\u2500\u2500\u2500User\r\n\u00a0\u00a0\u00a0 \u2514\u2500\u2500\u2500Scripts\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u251c\u2500\u2500\u2500Logoff\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u2514\u2500\u2500\u2500Logon<\/pre>\n<p>Last, but not least &#8211; the latest Autoruns doesn&#8217;t seem to detect the user-specific scripts.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>When you google for &#8220;PSScripts.ini&#8221; you will find only around 200 results or so. 
This is a bit surprising, given the fact Microsoft documents this Powershell-based persistence mechanism on their web page for quite some time and even describes in &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2017\/01\/07\/beyond-good-ol-run-key-part-52\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[13,35,15,19,46,9],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/4053"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=4053"}],"version-history":[{"count":5,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/4053\/revisions"}],"predecessor-version":[{"id":4065,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/4053\/revisions\/4065"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=4053"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=4053"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=4053"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}