Auto Start Extensibility Points
What is That Running?
More importantly, why is that running?
The Auto Start Extensibility Point
A hook-able configuration point that allows a program to execute without an explicit user call. Used by legitimate programs such as system services and update agents, ASEPs are also a key vector for threat persistence.
The Registry
As a core foundation of Windows, the registry stores 'hive' trees that refer to boot, system and user-specific software configuration on disk. At start-up, the hives are loaded into memory and further assembled with additional keys from running processes.
Some keys can be volatile, existing only in memory, without preservation on disk storage.
The mapping process occurs four times:
- Boot-start drivers are read from the on-disk HKLM\SYSTEM hive before the Windows kernel starts
- Winload populates the in-memory HKLM\HARDWARE with an initial hardware tree
- At user sign-in, the on-disk HKLM\SAM, HKLM\SECURITY and HKLM\SOFTWARE hives are mapped into memory
- At program start-up, Winlogon maps the signed-in user's on-disk keys to HKCU
Legacy support also matters: some root keys exist primarily for 16-bit backwards compatibility.
The 4 Ways to Persist
System Mechanisms
Run keys, start-up folders, scheduled tasks, and services.
There are 3 types of Run key, all of which execute at each user sign-in: Run, which persists across sign-ins; RunOnce, which deletes itself after the associated program has started; and RunOnceEx, which clears all of its registry values after the associated program has finished.
There are 3 locations too: the HKCU hive, the HKLM hive, or the CurrentVersion registry path. Run keys registered under HKCU are limited to user scope, while HKLM Run keys have system-wide scope but require admin privileges to write.
For malware to persist via a Run key, it must either write to the registry during program execution or return a program failure.
Start-up folders are similar to Run keys and have two scopes: programs executing from %APPDATA% are user-restricted, while those executing from %ALLUSERSPROFILE% are system-wide and require admin privileges.
Scheduled tasks are periodic processes triggered by conditions defined in the Windows Task Scheduler. A task has two parts. The first is an XML file stored on disk in System32\Tasks that defines the program to execute with its arguments, trigger conditions and security context. The other consists of the scheduled task's name and checksum in the registry. Execution is limited to the scheduled process or program, while the configuration scope is system-wide.
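The XML half of a scheduled task can be reviewed offline. The following Python is an added example, not code from the original article: it parses a task definition with the standard library's xml.etree, pulls out the triggers, the principal (account and run level) and the Exec actions, and notes when an elevated task runs a binary from a user-writable path. SAMPLE_TASK_XML is a constructed task, and the system-directory and writable-path prefix lists are this example's own heuristics.

```python
"""Extract what a reviewer needs from a Task Scheduler XML definition (the
on-disk file under System32\\Tasks): the command and arguments, the account
and privilege level it runs as, and the triggers that fire it.
Added example; SAMPLE_TASK_XML is constructed, not a real task."""
import xml.etree.ElementTree as ET

# Task Scheduler's XML namespace (fixed by the schema).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed task: fires at logon and daily, runs as SYSTEM (S-1-5-18) with
# highest privileges, and executes a binary from a user-writable directory.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <CalendarTrigger>
      <StartBoundary>2024-01-01T09:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\Public\update.exe</Command>
      <Arguments>-q</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Heuristic prefix lists (this example's own, not a Windows definition).
SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files", "%systemroot%", "%windir%", "%programfiles%")
WRITABLE_HINTS = ("\\users\\public\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

def parse_task_xml(text):
    """Return the triggers, principal and Exec actions of a task definition."""
    root = ET.fromstring(text)
    task = {"triggers": [], "principal": {}, "actions": []}
    triggers = root.find("t:Triggers", NS)
    if triggers is not None:
        # Child tag names without the namespace: LogonTrigger, BootTrigger, ...
        task["triggers"] = [t.tag.split("}")[-1] for t in triggers]
    principal = root.find("t:Principals/t:Principal", NS)
    if principal is not None:
        task["principal"] = {
            "user": principal.findtext("t:UserId", default="", namespaces=NS),
            "run_level": principal.findtext("t:RunLevel", default="LeastPrivilege", namespaces=NS),
        }
    for ex in root.findall("t:Actions/t:Exec", NS):
        task["actions"].append({
            "command": ex.findtext("t:Command", default="", namespaces=NS).strip(),
            "arguments": ex.findtext("t:Arguments", default="", namespaces=NS).strip(),
        })
    return task

def review(task):
    """Return review notes on the task's security context (empty = nothing stood out)."""
    notes = []
    p = task["principal"]
    elevated = p.get("user", "").upper() == "S-1-5-18" or p.get("run_level") == "HighestAvailable"
    for action in task["actions"]:
        cmd = action["command"].lower()
        if any(h in cmd for h in WRITABLE_HINTS):
            notes.append(f"command lives in a user-writable path: {action['command']}")
        if elevated and not cmd.startswith(SYSTEM_PREFIXES):
            notes.append(f"runs as {p.get('user')}/{p.get('run_level')} but the binary is outside system directories: {action['command']}")
    return notes

if __name__ == "__main__":
    task = parse_task_xml(SAMPLE_TASK_XML)
    print("triggers:", task["triggers"])
    print("principal:", task["principal"])
    for note in review(task):
        print("-", note)
```

On a live system the task files are UTF-16 with an XML declaration, so read them with ET.parse(path) rather than passing decoded text; the registry half the article mentions (task name and checksum) is not covered here.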
Program Loaders
There are 5 program loading processes.
Image File Execution Options allow software debuggers to load programs. A key is registered with the executable's name, carrying a debugger value that points to another executable. This process can be abused because nothing verifies that the registered debugger is in fact a debugger executable. The execution scope is limited to the program, while configuration is system-wide. Writing the registry key also requires admin privileges.
Extension hijacking changes the default program associated with a file type, affecting either just the user session or the system-wide configuration.
Shortcut manipulation modifies an existing shortcut's target so that it launches an additional, malicious program in parallel, by simply concatenating the two targets with the ';' character.
The Component Object Model (COM) enables developers to create interoperable software components, such as DLLs, on a client-server framework. Object paths can be hijacked without privilege to point at malicious DLLs. The subsequent execution scope is system-wide.
Shim databases are applied before program execution, providing backwards compatibility for legacy software on updated systems. As the Windows loader applies the shim before the program runs, arbitrary code can be supplied. Admin and write permissions are required, however, to pursue this form of persistence.
Applications
Plugin extensions have made some popular programs prime targets for threat persistence because they are easy to abuse.
Trojans are well known and excel at threat persistence through modified DLLs. The key reason is that a linked library is automatically loaded into the memory address space of the process that depends on it.
The DLL entry point is redirected to newly inserted, malicious assembly code. Admin privileges are required, inherited from the target program that loads the library.
Office add-ins from 2013 onwards are a web app component, comprising static HTML and JavaScript executed in a sandboxed browser. Before that, add-ins consisted of binary code and DLLs, acting much like COM components. Add-in installation requires admin privileges; the execution scope is limited to the Office application, and the configuration scope is limited to the user.
Browser Helper Objects are another form of DLL, registered through a COM server, that act as plugins for Internet Explorer. Registering the COM server requires admin privileges to modify HKLM. The execution scope is inherited from Internet Explorer, with a system-wide configuration scope.
System Behaviour
The on-disk registry hives are last read by Winlogon, a process that can be configured to launch specific programs, including the default user initialisation, shell and file explorer, all of which can be edited with enough privileges.
DLL hijacking exploits the directory search order for DLLs:
- Working directory
- System32
- System
- Windows
- Current directory
- Directories listed in the PATH environment variable
Genuine DLLs in these directories may be substituted with a malicious DLL. Execution privileges are inherited from the application with dependency on the hijacked DLL.
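To make the search order concrete, here is an added Python model (not from the original article) that walks the six locations in the order listed, resolves each DLL an application imports, and reports when the winning copy sits outside the protected system directories, either shadowing a genuine copy in System32 or being the only copy present. APP_DIR, CWD, PATH_DIRS, FILES, IMPORTS and TRUSTED are a constructed model; 'working directory' is taken here as the application's own directory and 'current directory' as the process's current working directory.

```python
"""Model the DLL search order listed above and report, for each DLL an
application imports, whether the copy that wins the search sits in a
protected system directory or somewhere earlier in the order that a
lower-privileged user could write to. Added example: APP_DIR, CWD,
PATH_DIRS and FILES are a constructed model, not a scan of a real host."""

def search_dirs(app_dir, cwd, path_dirs, windir=r"C:\Windows"):
    """Expand the article's ordered list into concrete directories.
    'Working directory' is taken as the application's own directory and
    'current directory' as the process's current working directory."""
    return [app_dir, windir + r"\System32", windir + r"\System", windir, cwd] + list(path_dirs)

def resolve(dll, dirs, files):
    """First directory in search order that holds `dll`, or None.
    `files` models the file system as a set of lower-cased full paths."""
    for d in dirs:
        if (d + "\\" + dll).lower() in files:
            return d
    return None

def audit(imports, app_dir, cwd, path_dirs, files, trusted):
    """Flag imports that resolve outside `trusted` directories, saying whether
    the winning copy shadows a genuine one or is the only copy present."""
    dirs = search_dirs(app_dir, cwd, path_dirs)
    report = []
    for dll in imports:
        winner = resolve(dll, dirs, files)
        genuine = next((d for d in dirs if d in trusted and (d + "\\" + dll).lower() in files), None)
        if winner is None:
            report.append((dll, None, "not found in any search location"))
        elif winner not in trusted and genuine is not None:
            report.append((dll, winner, "shadows the genuine copy in " + genuine))
        elif winner not in trusted:
            report.append((dll, winner, "only copy present, and the directory is outside the trusted set"))
    return report

# --- constructed model (not a real host) ------------------------------
APP_DIR = r"C:\Users\alice\Tools\ExampleApp"   # application installed under a user profile
CWD = r"C:\Users\alice"
PATH_DIRS = [r"C:\Users\alice\bin"]
TRUSTED = {r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"}
FILES = {p.lower() for p in [
    r"C:\Users\alice\Tools\ExampleApp\app.exe",
    r"C:\Users\alice\Tools\ExampleApp\version.dll",   # same name as a system DLL
    r"C:\Windows\System32\version.dll",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Users\alice\bin\helper.dll",                 # no system copy at all
]}
IMPORTS = ["version.dll", "kernel32.dll", "helper.dll", "missing.dll"]

if __name__ == "__main__":
    for dll, where, why in audit(IMPORTS, APP_DIR, CWD, PATH_DIRS, FILES, TRUSTED):
        print(f"{dll:14} {where or '-':40} {why}")
```

A real loader also consults the KnownDLLs list and the SafeDllSearchMode setting, which can move the current directory later in the order; this model ignores both, so treat its output as a review aid rather than a verdict.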
AppInit DLLs are a powerful feature that allows DLL injection into any application with a UI, specifically any program that loads user32.dll. The feature lives in the system-wide HKLM hive, under the Windows NT CurrentVersion\Windows key, whose AppInit_DLLs value lists the full paths of the DLLs to load. Importantly, this feature is disabled when Secure Boot is in use on Windows 8 and later versions.
Active Setup is another feature that allows specific programs to be launched at user sign-in. How far it can be exploited depends on whether the user has admin privileges, which dictates the root registry key used: HKCU or HKLM.
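The registry-based ASEPs this article has covered (the Run, RunOnce and RunOnceEx keys, Image File Execution Options, per-user COM server paths, Winlogon's Shell and Userinit values, AppInit_DLLs, and Active Setup) can all be reviewed from a reg export of the relevant keys. The Python below is an added example, not code from the article: it parses .reg text, keeps only values under the watched keys, records whether each is user (HKCU) or system (HKLM) scope, and attaches review notes such as a target living in a user-writable directory or an IFEO Debugger being set. SAMPLE_REG is constructed (the all-zero CLSID is a placeholder), and the watch patterns and reasons are this example's own heuristics.

```python
"""Triage an exported .reg file for the registry-based auto-start points in
this article. Added example; SAMPLE_REG is constructed, not a real export."""
import re

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Updater"="C:\\Users\\alice\\AppData\\Roaming\\upd\\upd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\ProgramData\\helper.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000000

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Local\\Temp\\shim.dll"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')   # "name"=data or @=data (default value)

# (regex over the lower-cased key path, ASEP category); this example's own list
WATCHED = [
    (r"\\currentversion\\run(once(ex)?)?$", "Run key"),
    (r"\\image file execution options\\[^\\]+$", "IFEO"),
    (r"\\currentversion\\winlogon$", "Winlogon"),
    (r"\\currentversion\\windows$", "AppInit_DLLs"),
    (r"\\active setup\\installed components\\[^\\]+$", "Active Setup"),
    (r"\\classes\\clsid\\[^\\]+\\inprocserver32$", "COM server"),
]
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

def parse_reg(text):
    """Return (key_path, value_name, data) for every value in .reg text."""
    entries, key = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VAL_RE.match(line)
        if m and key:
            name = "(Default)" if m.group(1) is None else m.group(1)
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):   # REG_SZ: undo .reg escaping
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            entries.append((key, name, data))
    return entries

def classify(key):
    """ASEP category of a key path, or None if it is not a watched key."""
    low = key.lower()
    return next((asep for pat, asep in WATCHED if re.search(pat, low)), None)

def reasons_for(asep, scope, name, data):
    """Review notes for one value; an empty list means nothing stood out."""
    n, low, notes = name.lower(), data.lower(), []
    if asep in ("Run key", "Active Setup", "COM server") and any(p in low for p in USER_WRITABLE):
        notes.append("target lives in a commonly user-writable location")
    if asep == "IFEO" and n == "debugger":
        notes.append("IFEO Debugger set: that program runs in place of the original")
    if asep == "Winlogon" and n == "shell" and low != "explorer.exe":
        notes.append("non-default Winlogon Shell")
    if asep == "Winlogon" and n == "userinit" and "\\system32\\userinit.exe" not in low:
        notes.append("non-default Winlogon Userinit")
    if asep == "AppInit_DLLs" and n == "appinit_dlls" and data:
        notes.append("AppInit_DLLs populated: these DLLs load into every user32 process")
    if asep == "COM server" and scope == "user":
        notes.append("per-user COM server overrides the machine-wide registration")
    return notes

def triage(text):
    """All values under watched keys, each with its scope and review notes."""
    out = []
    for key, name, data in parse_reg(text):
        asep = classify(key)
        if asep:
            scope = "user" if key.upper().startswith("HKEY_CURRENT_USER") else "system"
            out.append({"key": key, "name": name, "data": data, "asep": asep,
                        "scope": scope, "reasons": reasons_for(asep, scope, name, data)})
    return out

def findings(text):
    """Only the entries that carry at least one review note."""
    return [e for e in triage(text) if e["reasons"]]

if __name__ == "__main__":
    for f in findings(SAMPLE_REG):
        print(f"[{f['asep']}/{f['scope']}] {f['key']}\n    {f['name']} = {f['data']}")
        for r in f["reasons"]:
            print("    -", r)
```

Export the keys with reg export on the host, run triage() over the text, and treat findings() as a worklist: a flagged entry is not proof of compromise, but every ASEP entry should have an owner you can name.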
Conclusion
Windows operating systems provide unique features and extensions that allow a huge expansion in functionality, but at the cost of requiring extensive knowledge to use them safely.