Context Menu Handler Persistence Searcher

I recently came across an awesome method of persistence that takes advantage of context menu handlers by using DLL hijacking. The article by Raphael Karger gives a great overview with screenshots and proof-of-concept code. Definitely read through his article as this post is directly related.

As I was re-creating this technique, I was thinking through how I would execute this from a Cobalt Strike beacon entirely on a red team. The piece that stuck out to me was using AutoRun from SysInternals to find the DLL that handles the context menu. After understanding the process I decided to find an easier way to do this.

The first option is using reg query to find the correct DLL. The following command will display all of the programs that have context menu handlers and their corresponding CLSID.

reg query HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers /s

After finding the target program’s CLSID, you need to perform another registry query to locate the correct DLL. In this case, I am targeting 7-zip. As a result, the default value will return with the correct DLL. In this case, 7-zip.dll.

reg query HKLM\Software\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32

Thinking through this scenario, this isn’t a bad option. However, the reg command can be viewed as an IOC, especially if it is correlated with other potentially malicious activity. I decided to write a quick C# program that would enumerate all of this information for you by using the Registry Class. I ended up with a tool that will provide all of the same information and will not need to touch disk as it can be executed through beacon’s execute-assembly functionality.

There you have it; the DLLs that can be targeted for this method of persistence without any command line indicators. The code can be found on my github at https://github.com/BoredSecGuy/Scripts/blob/master/ContextMenuFinder.cs