2 Crucial Registry Keys For DFIR



Intro

Suppose a cybercriminal group has compromised a bank's entire computer system, and you are the incident responder. You find a PC with some open, running programs that are known to be legitimate (e.g. notepad.exe). Now the question is: will you close those programs?

Let's jump into the answer.

Registry Keys

I know you won't trust any process running on a compromised system, even a well-known legitimate one such as notepad.exe, because malware can inject malicious code into another legitimate process (or inject shellcode at the entry point of a DLL) and then execute that code.

But suppose the malware has not injected code into any of the open programs. Is it safe to close them now? No, in some cases it is not. Why? First, look at the cmd commands below:

    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v GlobalFlag /t REG_DWORD /d 512

    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v ReportingMode /t REG_DWORD /d 1

    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v MonitorProcess /d "C:\Users\Admin\malware.exe"

If an attacker runs the above three commands with administrative privileges, then whenever you close the open notepad.exe, malware.exe will be executed. Even more dangerous, the attacker can first enumerate the open programs and then run the above commands for each of them (simply replacing 'notepad.exe' with the open program's executable name). So closing programs without checking these registry keys may end badly. The attacker can also add command-line arguments after the executable name.

More info about these registry keys can be found HERE.

In addition, the registry key used above can serve another purpose. The key is "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options". The attacker simply has to run the cmd command below:

    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v Debugger /t REG_SZ /d cmd.exe

Now, whenever you open notepad.exe, cmd.exe will run (as its debugger). The attacker can put a malicious executable's name in place of cmd.exe and also add command-line arguments.
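As an added example (not code from the original post): a small Python triage helper that parses a `reg export` of the two keys discussed above and reports, for each executable name you are about to close or launch, whether a MonitorProcess or Debugger value would fire. The .reg text below is constructed to mirror the effect of the four reg add commands in this post; on a real case you would export the keys from the live system (or pull them from the SOFTWARE hive) instead.

```python
from typing import Dict, List

# Constructed sample: what `reg export` of the two keys emits after the four
# reg add commands shown in this post have been run (not taken from a real host).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200
"Debugger"="cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe]
"ReportingMode"=dword:00000001
"MonitorProcess"="C:\\Users\\Admin\\malware.exe"
"""

IFEO = r"hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options"
SPE = r"hkey_local_machine\software\microsoft\windows nt\currentversion\silentprocessexit"
FLG_MONITOR_SILENT_PROCESS_EXIT = 0x200  # the bit that GlobalFlag=512 sets


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse the .reg subset reg export uses for REG_SZ / REG_DWORD values; key
    paths are lower-cased because registry key names are case-insensitive."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, raw = line[1:].partition('"=')
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[len("dword:"):], 16)
            else:  # REG_SZ: quoted, with backslashes doubled by the .reg format
                keys[current][name] = raw.strip('"').replace("\\\\", "\\")
    return keys


def check_process(exe_name: str, keys: Dict[str, Dict[str, object]]) -> List[str]:
    """Return why exe_name is unsafe to launch or close, according to the two keys."""
    ifeo = keys.get(f"{IFEO}\\{exe_name.lower()}", {})
    spe = keys.get(f"{SPE}\\{exe_name.lower()}", {})
    findings = []
    if "Debugger" in ifeo:
        findings.append(f"launching {exe_name} runs IFEO Debugger {ifeo['Debugger']!r}")
    if int(ifeo.get("GlobalFlag", 0)) & FLG_MONITOR_SILENT_PROCESS_EXIT:
        findings.append(f"GlobalFlag enables silent-exit monitoring for {exe_name}")
    if "MonitorProcess" in spe:
        findings.append(f"closing {exe_name} runs MonitorProcess {spe['MonitorProcess']!r}")
    return findings
```

Feed `check_process` the image names from your process listing before closing anything; an empty list means neither key names that executable.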

Summary

In an incident response operation you may find some programs still open. Attackers can take advantage of these registry keys to run a malicious program as soon as an open program is closed, so closing it can give a bad result. Furthermore, opening any program on a compromised system can give a quite similar result. An investigator should be aware of this.
