The Registry is a great place for an attacker to establish persistence. Popular locations for this are the Run keys located in either the Software Hive, or in a User's ntuser.dat hive. For a list of run keys, check out the Forensic Wiki.
A technique I've seen in some cases I've worked is an attacker using PowerShell in the Run key to call another key that contains the base64 code that contains a payload.
Let's see what an example of this looks like. Using Eric Zimmerman's Registry Explorer I've navigated to the following registry key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run. Underneath the value "hztGpoWa" the following entry is made:
You can also use Harlan's RegRipper's soft_run plugin to pull this information:
rip.exe -r SOFTWARE -p soft_run
(for the NTUSER.DAT hive, use the user_run plugin)
So what does this command do? %COMSPEC% is the system variable for cmd.exe. This uses cmd.exe to launch PowerShell in a hidden window. It then uses the PowerShell command "Get-Item" to get another registry key - HKLM:Software\4MX64uqR, and the value Dp8m09KD under that key.
Browsing to the HKLM:Software\4MX64uqR key in Registry Explorer reveals a whole mess of base64:
Another way to pull base64 like this from the registry is to use the "sizes" plugin from RegRipper. This will search the registry hive for values over a certain threshold and dump them out:
rip.exe -r SOFTWARE -p sizes
(A thanks to Harlan for updating this plugin! Make sure to update it if you haven't recently.)
To see the detailed steps of how to decode this base64, take a look at my earlier blog post on decoding malicious PowerShell scripts.
Here are the high-level steps to decode it:
- Decode unicode base64 in registry key
- Decode and decompress (gzip) embedded base64
- Decode another round of embedded base64
- payload = shellcode
- Try running scdb.exe or strings over shellcode for resulting IP address and port
Another way to find instances of malicious PowerShell in the registry is to search the registry for "%COMSPEC%".
I used Registry Explorer and it's handy Find command to do this. Make sure and have the right "Search in" boxes selected:
While this example showed registry keys and values with random names - this is not always the case. These names can be whatever the attacker wants and they will not always be an obvious tip off like a random name.
For my example, I used Metasploit to install this persistence mechanism in the registry. Check out all the options available. As mentioned above, the registry key/value names may be set to anything:
My next post on malicious PowerShell scripts will cover PowerShell logging and pulling information from memory. Happy Hunting!