The recipe is simple:<\/p>\n
Example:<\/p>\n
And add:<\/p>\n
Both Autoruns and Process Explorer (autorun location) won’t be able to locate the file, because they expand the environment variables. They will also mislead the user by showing a path to an executable that is definitely not on the system e.g. if the user’s name is JOHN, the entry I listed above will show up as ‘File not found: john.exe’. Looking for ‘john.exe’ on the system will not bring any relevant results.<\/p>\n
Bonus #1:<\/strong><\/p>\n You could concatenate a number of environment variables – the file will run, but the entry in the Autoruns will look like a bug. Only visiting the actual entry in the Registry will allow you to spot the trick.<\/p>\n Bonus #2:<\/strong><\/p>\n Using less common environment variables can give even more random misleading information eg. ‘%PROCESSOR_LEVEL%’ can resolve to ‘6.exe’. Finding that ‘6.exe’ on the system will be pretty tricky.<\/p>\n Bonus #3:<\/strong><\/p>\n Using ‘%ComSpec%’ gives the most intriguing result.<\/p>\n Autoruns will resolve it to ‘c:\\WINDOWS\\System32\\cmd.exe’ instead of ‘c:\\WINDOWS\\%ComSpec%.exe’ and… since the resolved binary is native OS signed executable… it will be hidden from the view, unless you Unhide the ‘Hide Windows Entries’.<\/p>\n","protected":false},"excerpt":{"rendered":" The recipe is simple: Pick up one of the environment variables. Name your executable as ‘%environment variable%.exe’ Drop it in a place where system will find it (as per PATH) Set e.g. Run key to point to it. Example: Drop … Continue reading