![]() REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /t REG_SZ /v Debugger /d “C:\windows\system32\cmd.exe” /fĪn important detail about this vulnerability is the attacker must have prior access to the system. The attack is identical to the sethc.exe registry debugger modification seen above, except the binary is now Utilman.exe and a simple Windows key U combination will present a LOCAL_SYSTEM privileged shell. REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /t REG_SZ /v Debugger /d “C:\windows\system32\cmd.exe” /fĪnother common variant takes advantage of a different part of the accessibility suite, Utilman. One simple addition to the Windows registry and the attack works just as before, except there is no longer a need to perform file replacement. This reduces the logging footprint (no compromised account logon necessary!) and gives the added bonus of providing a shell running with LOCAL_SYSTEM privileges.Īs new versions of Windows introduced slightly better protection mechanisms for the System32 folder, a new variant emerged – setting cmd.exe as a debugger to the sethc.exe process. ![]() Since sethc.exe is executed pre-login, the attacker effectively gets a shell without needing to authenticate. After the switch, all it takes is five presses of the Shift-key from the logon screen and cmd.exe is executed. The original Sticky Keys attack involved replacing the C:\Windows\System32\sethc.exe binary with something that could provide access to the underlying OS, such as cmd.exe. With a high success rate in most Windows environments, it is not surprising that we still see even some of our more advanced adversaries putting it into play. The Sticky Keys attack is one of those vulnerabilities that is nearly too simple to believe. ![]() c Verify digital signature of discovered files If the file exists on disk, file information, hash, and digital signature details are recorded. ![]() ![]() RegFile searches for registry string values (REG_SZ and REG_EXPAND_SZ) and identifies file path data. Valid registry hive names are: HKLM, HKCU, HKCR, HKU, and HKAU (pseudo key representing all users) RegDump recursively extracts Windows registry key and value data. We’ll show how to identify this attack while demonstrating the new additions. Our inspiration for this release was one of those vulnerabilities that just won’t die – Windows Sticky Keys. The third release of the free CrowdResponse incident response collection tool is now available! This time around we include plugins that facilitate the collection of Windows registry data. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |