Config Abuse

Created: 03.06.2023

Some persistence and escalation techniques don’t require an exploit but only a little tweaking of some config.

Windows

๐Ÿ“‚ File System

%AppData%\Roaming\Micorsoft\Windows\Start Menu\Programs\Startup

โš™๏ธ Registry

The list of reg keys that could be abused for persistence and escalation.

๐Ÿ”‘ C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup (default)
๐Ÿ”‘ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp (default)
๐Ÿ”‘ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (default)
๐Ÿ”‘ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce (default)
๐Ÿ”‘ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (default)
๐Ÿ”‘ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce (default)
๐Ÿ”‘ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll"
๐Ÿ”‘ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
๐Ÿ”‘ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
๐Ÿ”‘ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
๐Ÿ”‘ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
๐Ÿ”‘ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
๐Ÿ”‘ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
๐Ÿ”‘ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
๐Ÿ”‘ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
๐Ÿ”‘ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (when specified in the policy settings)
๐Ÿ”‘ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (when specified in the policy settings)

๐Ÿ”‘ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit # Usually, only userinit.exe is referenced here. Winlogon.exe will launch all executables mentioned when the user logs on. In case we have C:\Windows\System32\userinit.exe,C:\Temp\userinit.exe here, userinit.exe will be run from the Temp folder as well.

๐Ÿ”‘ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shellย 
๐Ÿ”‘ HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windowsย # run when any user logs on.

# multistringย BootExecuteย value of the registry
๐Ÿ”‘ HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Managerย # toย autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot. Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry locationย HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ย with the key value ofย "Authentication Packages"=<target binary>. The binary will then be executed by the system when the authentication packages are loaded. Time providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys ofย HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\.ย The time provider manager, directed by the service control manager, loads and starts time providers listed and enabled under this key at system startup and/or whenever parameters are changed. 

๐Ÿ”‘ HKLM\Software[\Wow6432Node\]\Microsoft\Windows NT\CurrentVersion\Winlogon\ย 
๐Ÿ”‘ย HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ย # are used to manage additional helper programs and functionalities that support Winlogon.
	๐Ÿ”‘ Winlogon\Notify points to notification package DLLs that handle Winlogon events.
	๐Ÿ”‘ Winlogon\Userinit points to userinit.exe, the user initialisation program executed when a user logs on
	๐Ÿ”‘ Winlogon\Shell points to explorer.exe, the system shell executed when a user logs on
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages, HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages load into LSA space, meaning having access to unencrypted password info. 

# Boot execute. Not sure what that means https://www.tenable.com/plugins/nessus/70615. It could be [this](https://github.com/beahunt3r/Windows-Hunting/blob/master/Persistence/Registry%20Autoruns/Boot%20Execute):

๐Ÿ”‘ HKLM\System\CurrentControlSet\Control\ServiceControlManagerExtension
๐Ÿ”‘ HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
๐Ÿ”‘ HKLM\System\CurrentControlSet\Control\Session Manager\Execute
๐Ÿ”‘ HKLM\System\CurrentControlSet\Control\Session Manager\S0InitialCommand
๐Ÿ”‘ HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute

Policies

More about it here. This could be used to allow some legit software.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (when specified in the policy settings)

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (when specified in the policy settings)

Linux

/etc/systemd/system  
/usr/lib/systemd/system 
/etc/init*

macOS

Login Items

System Preferences -> Users & Groups -> Login Items. Additional: SDF podcast.

How to determine if it’s malicious? Well, the sure way is only to reverse engineer it, but it is time consuming. So, you need to narrow down the candidates first. There are a couple of indicators that are commonly seen in malware.

Login items run within the userโ€™s desktop session, inheriting the userโ€™s permissions, and start automatically at user login. Due to this afforded persistence, Mac malware will commonly install itself as a login item. You can find examples of this technique in malware like Kitm, NetWire, and WindTail. Wardle, Patrick. The Art of Mac Malware (p. 24). No Starch Press. Kindle Edition.

โ—๏ธ macOS doesnโ€™t readily show the full path to a persisted login item in its interface (unless you hover over the item for a few seconds)

๐Ÿ‘ป backgroundtaskmanagementagent is a daemon that is running in the background and thus also manages login items. The list of the items is stored in a file โš™๏ธ named backgrounditems.btm.

Programming persistence

โš™๏ธ LSSharedFileListCreate (returns the reference to the list) -> LSSharedFileListInsertItemURL (adds a new item, requires a full path to the item).

To view the APIs used run nm WindTail/Final_Presentation.app/Contents/MacOS/usrnode. The above two APIs in the list suggest the binary used this persistence mechanism.

๐Ÿฅท๐Ÿผ (stealthy) SMLoginItemSetEnabled - the โ€œModern Login Itemsโ€ blog post or Appleโ€™s documentation. This allows application-specific helper login items. They don’t show up in the Preferences. Those items are stored in LoginItems subdirectory of an applicationโ€™s bundle.

References

Expand… Something here