Tuesday, May 8, 2018

Persistence with Sticky Notes Registry Value


Sticky Notes is a Windows utility that can be used by users in order to keep track of notes. When Sticky Notes is started, it writes a registry value called "RESTART_STICKY_NOTES" to  "HKCU\Software\Microsoft\Windows\CurrentVersion\Run". This registry value contains the full path to the Sticky Notes executable (C:\Windows\System32\stikynot.exe), so that when a user logs in after logging off or system reboot, the Sticky Notes are visible automatically for the user. The registry value can be modified, so that upon a user logging in, it executes a program of your choosing rather than Sticky Notes. When the user starts their Sticky Notes application again to display their notes, it will restore the value back to the full path of the Sticky Notes application. This process needs repeated the next time persistence is desired (e.g., before the user will logoff or machine restarts again). 

This can be taken advantage of as a persistence trigger that will blend in with normal behavior on Windows 7 and Windows 8.1, especially if utilizing a signed Microsoft binary to execute a payload (e.g., MSBuild) to hide from utilities like Sysinternals Autoruns. This does not apply to Windows 10.

Procmon Analysis of Sticky Notes Running


 While analyzing the operations performed when running Sticky Notes with Sysinternals Procmon, an observation was made that it created a registry value of "RESTART_STICKY_NOTES" in the "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" registry key as seen below.

Procmon Analysis - Sticky Notes Creating Registry Value

 Additionally, it was also observed that upon closing any Sticky Notes that were up, the "RESTART_STICKY_NOTES" registry value was deleted. Therefore, this registry value only remains present when a user has active Sticky Notes displayed.
Procmon Analysis - Sticky Notes Deleting Registry Value


Sticky Notes Registry Value Upon Startup


 The below screenshot shows the initial registry value "RESTART_STICKY_NOTES" that is created and populated via Sticky Notes.
Registry Value When Sticky Notes is Started

You can see how this looks in Autoruns while showing Windows entries. Autoruns by default does not show Windows entries, so you have to change this filter.
Autoruns Showing Windows Entries w/ Sticky Notes Registry Value


Updating Sticky Notes Registry Value


 You can update the registry value with a program of your choosing. In this example, we are just updating it with the execution of calc. No elevated permissions are required in order to do this.

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v RESTART_STICKY_NOTES /t REG_SZ /d "C:\Windows\System32\cmd.exe /c calc.exe" /f
Modified Sticky Notes Registry Value


Program Execution Upon Login via Modified Sticky Notes Registry Value


 Now you can see upon the user logging in, calc runs via our registry change.
Calc Starting After Login


Automatic Reverting of Sticky Notes Registry Value


 Once the user interacts with (starts) Sticky Notes again, the registry value will be overwritten with the full path to the Sticky Notes executable again. If you need persistence after the next logoff/logon or system restart, then you will need to repeat the process of updating the registry value before that occurs.

Defensive Considerations


Although the "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" registry key should be actively monitored for abnormal entries along with other known registry persistence locations, the Sticky Notes entry may be ignored as it is normal behavior for Sticky Notes to populate its "RESTART_STICKY_NOTES" value. Therefore, additional monitoring of that registry value should be performed, in order to ensure that it remains the full path of the Sticky Notes executable. Any other file path that is populated should be investigated.

References

Posted by at