{"id":5782,"date":"2019-01-05T01:57:24","date_gmt":"2019-01-05T01:57:24","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=5782"},"modified":"2019-01-05T02:01:10","modified_gmt":"2019-01-05T02:01:10","slug":"beyond-good-ol-run-key-part-100","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2019\/01\/05\/beyond-good-ol-run-key-part-100\/","title":{"rendered":"Beyond good ol\u2019 Run key, Part 100"},"content":{"rendered":"\n<p>It&#8217;s actually 99th, because I <a href=\"https:\/\/www.hexacorn.com\/blog\/2017\/01\/28\/beyond-good-ol-run-key-all-parts\/\">forgot<\/a> one part on the way \ud83d\ude42<\/p>\n\n\n\n<p>This is one more persistence method based on a built-in set of features. This time the culprit is the Policy Manager.<\/p>\n\n\n\n<p>Browsing through the PolicyManager key located here:<\/p>\n\n\n\n<ul><li>HKLM\\Software\\Microsoft\\PolicyManager\\<\/li><\/ul>\n\n\n\n<p>we can spot many interesting entries, often several levels deep:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" loading=\"lazy\" width=\"947\" height=\"401\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/01\/policymanager0.png\" alt=\"\" class=\"wp-image-5783\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/01\/policymanager0.png 947w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/01\/policymanager0-300x127.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/01\/policymanager0-768x325.png 768w\" sizes=\"(max-width: 947px) 100vw, 947px\" \/><\/figure>\n\n\n\n<p>Some of them include values that are of interest to us:<\/p>\n\n\n\n<ul><li>PreCheckDLLPath<\/li><li>transportDllPath<\/li><\/ul>\n\n\n\n<p>The good news is that not all entries have them, i.e. they are optional. It turns out that these values allow additional utility libraries to be specified, which in turn are loaded by the Policy Manager component (policymanager.dll) whenever that DLL itself is used. 
<\/p>\n\n\n\n<p>I couldn&#8217;t come up with a quick &amp; dirty way to load the test DLL, so I cheated by starting Procmon, setting up the filters, and letting it go for some time. After a while I caught the first process accessing these entries:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" loading=\"lazy\" width=\"1008\" height=\"609\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/01\/policymanager1.png\" alt=\"\" class=\"wp-image-5784\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/01\/policymanager1.png 1008w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/01\/policymanager1-300x181.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/01\/policymanager1-768x464.png 768w\" sizes=\"(max-width: 1008px) 100vw, 1008px\" \/><\/figure>\n\n\n\n<p>The harvesting may be easier on a domain-joined system, where policy deployment and access happen more frequently.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>It&#8217;s actually 99th, because I forgot one part on the way \ud83d\ude42 This is one more persistence method based on a built-in set of features. This time the culprit is the Policy Manager. 
Browsing through the PolicyManager key located here: &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2019\/01\/05\/beyond-good-ol-run-key-part-100\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[43,35],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/5782"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=5782"}],"version-history":[{"count":2,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/5782\/revisions"}],"predecessor-version":[{"id":5786,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/5782\/revisions\/5786"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=5782"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=5782"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=5782"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}