{"id":7361,"date":"2020-07-30T23:07:12","date_gmt":"2020-07-30T23:07:12","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=7361"},"modified":"2020-07-31T09:38:50","modified_gmt":"2020-07-31T09:38:50","slug":"beyond-good-ol-run-key-part-125","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2020\/07\/30\/beyond-good-ol-run-key-part-125\/","title":{"rendered":"Beyond good ol\u2019 Run key, Part 125"},"content":{"rendered":"\n<p><strong>Update<\/strong><\/p>\n\n\n\n<p>Turns out <a href=\"https:\/\/twitter.com\/0gtweet\">@0gtweet<\/a> posted about it in <a href=\"https:\/\/twitter.com\/0gtweet\/status\/1289062885608620032?s=20\">January<\/a> and I missed that!!! <\/p>\n\n\n\n<p><strong>Old Post<\/strong><\/p>\n\n\n\n<p>Been a while since I posted in this series, so here comes a new trick.<\/p>\n\n\n\n<p>It is not your typical executable for sure, <em>change.exe<\/em> that is. When I looked at it for the first time I was perplexed &#8212; within the first few lines of code it literally executes other executables. Must be something good, I thought, and good it was indeed.<\/p>\n\n\n\n<p>When launched, change.exe does something very strange &#8211; it enumerates Registry entries under this location:<\/p>\n\n\n\n<ul><li>HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\Utilities\\change<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"675\" height=\"147\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/07\/change.png\" alt=\"\" class=\"wp-image-7362\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/07\/change.png 675w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/07\/change-300x65.png 300w\" sizes=\"(max-width: 675px) 100vw, 675px\" \/><\/figure>\n\n\n\n<p>These entries are &#8230; interesting, because they look like some stringified flags followed by executable names. 
Possible abuse opportunity?<\/p>\n\n\n\n<p>When you run &#8216;change \/?&#8217; you get the following help information:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">CHANGE { LOGON | PORT | USER }<\/pre>\n\n\n\n<p>Do you see the pattern? &#8212; no? Look at these Registry entries again.<\/p>\n\n\n\n<p>In my first attempt, I added &#8216;foo|0 1 NOTEPAD notepad.exe&#8217;:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"400\" height=\"122\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/07\/change2.png\" alt=\"\" class=\"wp-image-7363\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/07\/change2.png 400w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/07\/change2-300x92.png 300w\" sizes=\"(max-width: 400px) 100vw, 400px\" \/><\/figure>\n\n\n\n<p>I then ran &#8216;change notepad&#8217; and &#8230; notepad executed.<\/p>\n\n\n\n<p>Now, if you paid attention, there are other registry keys listed in the first screenshot:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">change -&gt; change.exe \nquery -&gt; query.exe \nreset -&gt; reset.exe<\/pre>\n\n\n\n<p>They all follow the same pattern and fetch the command list from the Registry!<\/p>\n\n\n\n<p>So you can either add a new entry, or modify an existing one. Access rights are in place and the key is owned by TrustedInstaller, but&#8230; well&#8230; once on the box, always on the box.<\/p>\n\n\n\n<p>Last, but not least &#8211; it&#8217;s a persistence mechanism and a LOLBIN in one.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Update Turns out @0gtweet posted about it in January and I missed that!!! Old Post Been a while since I posted in this series, so here comes a new trick. It is not your typical executable for sure, change.exe that is. 
&hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2020\/07\/30\/beyond-good-ol-run-key-part-125\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[35,56,64],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7361"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=7361"}],"version-history":[{"count":4,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7361\/revisions"}],"predecessor-version":[{"id":7367,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7361\/revisions\/7367"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=7361"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=7361"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=7361"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}