autoruns – Oddvar Moe's Blog

Persistence using Universal Windows Platform apps (APPX)

Posted on 6 Sep 20187 Sep 2018 by Oddvar Moe [MVP]

TL;DR Persistence can be achieved with Appx/UWP apps using the debugger options. This technique will not be visible by Autoruns. Two different approaches exists (registry keys). Listed below are the two techniques for two different apps that starts at logon: Cortana app: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\PackagedAppXDebug\Microsoft.Windows.Cortana_1.10.7.17134_neutral_neutral_cw5n1h2txyewy /d "C:\windows\system32\cmd.exe" OR reg add HKCU\Software\Classes\ActivatableClasses\Package\Microsoft.Windows.Cortana_1.10.7.17134_neutral_neutral_cw5n1h2txyewy\DebugInformation\CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca /v DebugPath /d "C:\windows\system32\cmd.exe" … Continue reading Persistence using Universal Windows Platform apps (APPX) →

GPscript.exe – another LOLBin to the list

Posted on 27 Apr 201830 Apr 2018 by Oddvar Moe [MVP]

TL;DR - GPO scripts can be defined for user and started with GPScript.exe /Logon - Logonscripts do not show up in Autoruns.exe I started to play around with GPscript.exe here the other day and found some interesting stuff and I want to have this documented for the future, so therefor I wrote this blogpost … Continue reading GPscript.exe – another LOLBin to the list →

Persistence using GlobalFlags in Image File Execution Options – Hidden from Autoruns.exe

Posted on 10 Apr 201811 Apr 2018 by Oddvar Moe [MVP]

TL;DR – Found a technique to execute any binary file after another application is closed without being detected by Autoruns.exe. – Requires administrator rights and does not belong in userland. – Can also be executed from alternate data streams – Plant file on disk and run these commands to create persistence that triggers everytime someone … Continue reading Persistence using GlobalFlags in Image File Execution Options – Hidden from Autoruns.exe →

Persistence using RunOnceEx – Hidden from Autoruns.exe

Posted on 21 Mar 201816 Dec 2019 by Oddvar Moe [MVP]

TL;DR - Found a technique to execute DLL files without being detected by autoruns.exe at logon. - Requires administrator rights and does not belong in userland. - Run this to Exploit: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\messageBox64.dll" RunOnceEx I finally had some time to do some unstructured research. With unstructured research I mean going after … Continue reading Persistence using RunOnceEx – Hidden from Autoruns.exe →