Here’s another trick you can pull off.<\/p>\n
There is a way to add cascading menus<\/a> for different file types – it enables everyone to enrich the GUI experience, and of course, can be abused.<\/p>\n Say… we want to change the handling of .txt files to ‘default’ to our own Cascading menu which we call, well… ‘Open’ and make it look like this:<\/p>\n Except it will launch Calculator.<\/p>\n All we have to do is:<\/p>\n It’s pretty simple and may fool some users.<\/p>\n Then there is an additional bonus entry. As if there was not enough confusion yet…<\/p>\n It looks like there is another way to add cascading menus – via ExtendedSubCommandsKey.<\/p>\n Again, it’s documented<\/a>, but I couldn’t make it work at first, until I started toying around with the existing entries in Registry – they used ‘ExtendedSubCommandsKey’ not as a key, but as a value.<\/p>\n This is how it works…<\/p>\n So.. the ‘ExtendedSubCommandsKey’ key tells Shell where to look for the definition of the cascading menu – note the nested ‘shell\\extsub\\shell\\notepad\\command’ key (case insensitive) vs ‘shell\\open\\command’:<\/p>\n And because of that… there is more.<\/p>\n Instead of dropping the definition of the cascading menu under the obvious location ‘txtfile’, one could define it like this:<\/p>\n So… the malware could add a new ‘filetype’ called ‘foofile’ and use it as a definition for the cascading menu that is referenced by the ‘ExtendedSubCommandsKey’ entry.<\/p>\n I think you might have noticed that the demos show the multiple ‘Open’ entries on the menu. One could remove the definition of the ‘Open’ verb from the respective keys, but while it’s easy, it could trigger some EDR\/AV alerts. I may be a bit too optimistic, but I bet many people will still follow the ‘bold’ menu item first, despite menu item duplications (‘it’s Windows, after all’).<\/p>\n And yes, there is more…<\/p>\n Shell uses at least 2 more mechanisms to add menus or redefine how the verbs are used on the selected items in Windows Explorer.<\/p>\n I am not describing the first one (you need to develop a COM DLL), but the second one deserves some attention.<\/p>\n Turns out that there is a way to implement conditional menu items for Windows Explorer. Yup. Windows Explorer understands a language called Advanced Query Syntax<\/a>. There are not too many practical examples of its usage online, the best (practical) information I could find is in this post<\/a>. Plus, there are default Windows 10 Registry settings we can explore.<\/p>\n Have a look at these keys:<\/p>\n The AppliesTo includes this query:<\/p>\n and others… (just search for ‘AppliesTo’ under HKCR).<\/p>\n Every single one that is ‘predefined’ (command is set) can be modified and help to establish yet another persistence mechanism that is triggered only when conditions are met (e.g. as per the above – when drive is encrypted malware could be launched when the user tries to change the passphrase).<\/p>\n I guess it’s yet another not-so-much-explored area in case you are looking for forensics\/malware topics for your final thesis \ud83d\ude42<\/p>\n","protected":false},"excerpt":{"rendered":" I love Windows Explorer. It offers so many opportunities for persistence. In my older post I described how you can modify the HCKR shell entries by adding a new verb and changing the default behavior of Windows Explorer to use … Continue reading ![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/07\/SubCommandsKey1.png\")
<\/a>
\nI bet users seeing such change will still go for the ‘bold’ default action and Launch the Notepad.<\/p>\n![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/07\/SubCommandsKey2.gif\")
<\/a>How did we get there?<\/p>\n\n
\n
\n
\nHKLM\\SOFTWARE\\Microsoft\\Windows\\
\nCurrentVersion\\Explorer\\CommandStore\\
\nshell\\Windows.testverb<\/p>\n\n
\n
![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/07\/ExtendedSubCommandsKey.gif\")
<\/a>
\nAnd this is how to set it up:<\/p>\n\n
\n
\n
\n
![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/07\/ExtendedSubCommandsKey1.png\")
<\/a><\/p>\n\n
\n
\n
\n
\n
\n
System.StorageProviderId:<>\"network\" AND \r\nSystem.StorageProviderProtectionMode:<>1 AND \r\nSystem.StorageProviderProtectionMode:<>2<\/pre>\n
\n
System.Devices.LaunchDeviceStageFromExplorer:=\r\nSystem.StructuredQueryType.Boolean#True<\/pre>\n
\n
(\r\nSystem.Volume.BitLockerProtection:=\r\nSystem.Volume.BitLockerProtection#On OR \r\nSystem.Volume.BitLockerProtection:=\r\nSystem.Volume.BitLockerProtection#Encrypting OR\r\nSystem.Volume.BitLockerProtection:=\r\nSystem.Volume.BitLockerProtection#Suspended\r\n)\r\nAND \r\nSystem.Volume.BitLockerCanChangePassphraseByProxy:=\r\nSystem.StructuredQueryType.Boolean#True<\/pre>\n