To see Lab setup, click here.
Planting “clues”:
I’m practicing how to find evidence of persistence using Windows built-in tools, logs, and cmd commands. Clues to plant:
- sus Scheduled Task
- sus Run registry key
- (Planning to add more clues that are more interesting)
Clue 1: Sus Scheduled task
Create persistence that looks shady but doesn’t actually do anything harmful. On Switch to Admin user account:
– Task Scheduler > Action > Create Task > Description: Windows Health Monitor > Setting: Run whether the user is logged on or not
– Triggers Tab > Begin the task: At log on > Settings: Any user (on) > Click OK
– Actions Tab > New > Action: Start a program > Program/script: cmd.exe > Add arguments: /c echo test > Click OK
– Save the new task and verify it exists: Left Pane > Task Scheduler Library (refresh the window) > Check that Windows Health Monitor is on the list. Click on it to verify the settings.
Clue 2: Sus Run key in HKCU
Switch to Miss Moneybags (local user) – we want only user Moneybags to experience these symptoms.
Open cmd.exe as administrator (I need to enter my admin pw) > type:
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v SyncManager /t REG_SZ /d "C:\Windows\System32\cmd.exe /c echo test"

Can you spot where I messed up? I certainly didn’t until I posted this lab. Look at my path: HKEY_CURRENT_USER\Software\Microsoft\Current\Version\Run – but that path does not exist. That path is a figment of my imagination. The correct path is HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
So, later on, when I “tested” my clue it returned to me, I assumed that it worked. Except I never added the key to the correct path. Windows will apparently create the key anyway; it literally doesn’t care. But if you’re not paying attention and ASSUME something, you’ll compromise the whole lab. This is an important lesson. Check the details, then check them again.
On with explanation of the commands, because we don’t blindly paste commands we don’t understand. Right?
reg = built-in Windows registry tool
add = create a new key or value
I’m adding something to the registry. This happens silently, without prompts or GUI.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run = this is the path in the Windows Registry that I’m modifying (no, I’m not)
HKCU = HKEY_CURRENT_USER, the registry hive for the currently logged-in user only. This modification doesn’t require admin rights. When I’m logged into the Miss Moneybags user account, it points to C:\Users\Moneybags\NTUSER.dat
If I’m logged in as another user, it will point to THAT user’s NTUSER.dat
\Software\Microsoft\Windows\CurrentVersion\Run = this is the “Run at startup” setting. Any value inside this key will launch when the user logs on. This is one of the most common persistence points on Windows.
/v = value. This names the value inside the Run key
SyncManager = the name of the startup entry. NOTE: this looks like something Windows would run legitimately, but it’s my own name. I’m passing my little “script” off as a legitimate startup process. Malware developers may use similar names like “UpdateManager, DriverHelper, SystemSync, etc.” The name helps it blend in.
/t REG_SZ = sets the type of the registry value.
REG_SZ = this registry value type stores plain text (a string). Malware often uses this type, because it’s human readable, Windows automatically executes whatever string is in there, sus commands can hide in plain sight, and it blends in with normal startup entries. There are other registry value types (REG_DWORD, REG_BINARY) but I’m not digging into these here.
/d "C:\Windows\System32\cmd.exe /c echo test" – this is the actual command Windows will run at login.
/d = data. We wrap the data in double quotes so that a string containing spaces is treated as one argument.
C:\Windows\System32\cmd.exe = the program we want Windows to execute
/c = run the following command, then exit
echo test = prints “test” on the terminal screen, then closes. Completely harmless here. Real malware might have sussier things like “powershell -nop -w hidden -encodedCommand…” (out of scope for this lab).
What should happen in practice with this command:
When user logs in > Windows checks Run key > Sees SyncManager entry > executes the command > opens cmd.exe > runs “echo test” > closes > User never sees anything
Verify the key by running this command in cmd:
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Success!
Relogged into the user Moneybags – I didn’t see any “black box” flicker, because generally a user will NOT see that. The command is tiny and it happens quicker than I’m able to perceive. With a lot of startup programs, or more involved scripts, I may see one or several console flashes. This can be both a sign of normal operation AND a sign of malware. NOTE: As discovered while posting this lab, this IS possible, but in my case it is grossly incorrect. I did not plant my clue in the correct location. Windows did not execute a thing on startup.
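A defender-side check that covers both planted clues (the Windows Health Monitor task and the SyncManager Run value), added here as an example rather than taken from the lab’s own commands. The $susPattern regex and the “skip \Microsoft\ task paths” filter are my assumptions to tune per environment; the Test-Path guard is there because a mistyped key path, like the one in this lab, simply doesn’t exist and would otherwise be silently skipped.

```powershell
# Added example (not part of the original lab): list Run/RunOnce values and
# non-Microsoft scheduled tasks, flagging anything that looks like a disguised launcher.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Assumed heuristic: cmd.exe /c launchers, hidden/encoded PowerShell, or binaries in user-writable dirs.
$susPattern = '(?i)cmd\.exe\s+/c|powershell.*(-enc|-encodedcommand|-w\s+hidden|-nop)|\\Temp\\|\\AppData\\'

Write-Host "== Run / RunOnce entries =="
foreach ($key in $runKeys) {
    # A typo'd hive path (HKCU:\...\Current\Version\Run) fails this test, so say so instead of staying quiet.
    if (-not (Test-Path $key)) { Write-Host "    (missing) $key"; continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSDrive metadata
        $flag = if ("$($p.Value)" -match $susPattern) { 'SUS' } else { '   ' }
        "{0} {1,-4} {2,-20} {3}" -f $flag, $key.Split(':')[0], $p.Name, $p.Value
    }
}

Write-Host "`n== Scheduled tasks outside \Microsoft\ =="
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        # Rebuild the command line the task would run (Execute + Arguments).
        $cmd  = "$($a.Execute) $($a.Arguments)".Trim()
        $flag = if ($cmd -match $susPattern) { 'SUS' } else { '   ' }
        "{0} {1,-28} RunLevel={2,-9} {3}" -f $flag, $task.TaskName, $task.Principal.RunLevel, $cmd
    }
}
```

Run it once as the planted user (HKCU is that user’s NTUSER.dat) and once from an elevated prompt so HKLM and all task folders are readable; the two lab clues should both come back marked SUS.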
Conclusion:
I have created a simulation environment that can be scaled based on the type of lab. This is actually fun and helps me simulate plausible situations. Created a new virtual machine, designed Lab 001, prepared the environment (users, premise, planted clues), and practised lab documentation and screenshots for blog posting.
Lessons learned:
- Methodology is EVERYTHING. Have a defined consistent process, it’ll make your life so much easier.
- Define the purpose and desired learning outcome for the lab. This was a bit chaotic, but it worked.
- It’s OK if some very basic things seem confusing. Difference between HKCU and HKLM.
- Learning new cmd commands – writing out what each means helps me remember what they actually do, rather than copy/paste. Prep the long commands in Notepad first to avoid awkward editing in cmd.
- Registry keys: still learning basics, getting familiar with values and value types.
- Do NOT have spaces in path when working in cmd/powershell – it will be a pain in the ass. Wrap things with spaces in quotes.
- Verify your paths, codes, notes, and screenshots. I am leaving this in, because real labs are supposed to be chaotic and messy and embarrassing later on. You bet your bottom dollar, I’ll remember the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (NO SPACES)
Plan:
Think of more simple but interesting clues to plant and find.
Fix my registry keys. Verify my clues for realsies. THEN worry about adding new clues. Ok, maybe one more little clue.
Additional study resources: