Hello, and welcome to this course in which we're talking about using Python to maintain persistence on a target system. In this video, we're going to be talking about the use of autorun keys in the Windows Registry. So if you're not familiar, the Windows Registry acts as a configuration database for a Windows computer. A lot of information is stored in the registry that tells the Windows operating system and applications that are running on it what to do. One of these useful pieces of information on Windows is the concept of autorun keys. And so, these are certain areas in the registry where you can set certain programs to run when certain conditions are met. For example, you can have keys set so that a particular program runs every time the computer is rebooted, every time a particular user logs in, or just once in each of these cases. And so this is useful for our persistence because if we can set up an autorun key in the registry pointing to one of our malicious programs, then we can ensure that even if the computer has rebooted the program will achieve execution once again and maintain persistence. So, in this particular video, we're going to look at two different files that are related. One of them is our regautorun that we've got open here, and this is designed to use Python to set up an autorun key within the Windows Registry, so causing a particular executable to be run automatically. The other file we'll look at is called build exe. And so the purpose of this other file is to create an executable from a Python file. This has happened earlier in this learning path as well, but we'll talk through it here, just in case you're not watching these videos in order. So, in this file, we're going to actually start out by using the build exe program. But first, a few variable names that we're going to be using throughout the file.
So our file directory is going to be the directory where we want to put our malicious executable that we're going to be using when we set our autorun key in the registry. So in this case, we're going to use the current directory and then a folder called temp inside of it as our final location. We're going to be creating a file called benign.exe. And here this file path is a complete path of that directory, the temp directory within the current working directory, and then concatenated with the benign.exe file. We have a bit of cleanup here to make sure that if the file already exists, if we've run this script before, it's not going to break, by removing that particular file. And here at line 11, we're calling build exe, which is designed to convert a Python file into a malicious executable. And so switching over here, we're going to be using PyInstaller to perform this conversion from Python to executable. And so if you're not familiar, PyInstaller can be run as a command-line program, or as we see here, it can be embedded within a Python script. And it's designed to create a self-contained executable that can run on the Windows system. As you probably know, with Python scripts, you need Python to be installed and to be running for the script to be usable. With PyInstaller we can wrap all of our dependencies, requirements, et cetera within the executable, so this can run on systems that don't even have Python installed. So we're using this step in this particular example because we don't have a malicious executable, or script, et cetera, in mind or developed. And so we're going to be building one using PyInstaller. However, if you have a particular piece of malware that you want to achieve persistence for, you can skip this stage of the process entirely. So what this particular Python script does is it takes a Python script file, in this case it's just called malicious.py. It creates an executable called benign.exe.
And we're setting the icon for that executable to the Firefox icon. And so what this is going to do is it's going to test to see if our executable exists, create an executable from our Python script. And then we're going to clean up after the fact by moving the executable we've created to the present working directory, which is what we expect in our autorun script. And then remove some of the temporary directories and files that are created by PyInstaller. So at the end of the day what we'll have is a self-contained executable, with the Firefox icon, that runs our malicious Python file, which just prints something saying, I am a malicious program. And so, this is the build-up for actually creating our autorun key in the Windows Registry. And so, once we have our malicious executable, we're going to move it to our desired target directory. So in this case, we're putting it in a folder called temp within the current working directory. However, we might want to hide this executable somewhere else on the system to make it harder to detect and delete, and so we can easily change where that's going to go by changing this file DIR variable at the top of the program. And so at this point, we have an executable in a desired directory, and we're ready to start talking about the Windows Registry and how we're going to be using it in this particular application. So as I mentioned, the Windows Registry is a lookup table with configuration information for the Windows operating system, and it's organized hierarchically. So at the top level you have registry hives, it's what they're called. Two of these hives are HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE, often abbreviated to HKCU and HKLM respectively. Inside of those you can have folders inside folders, organized similarly to the file directories within Windows. And so here in this comment from line 17 to 21 we see the autorun keys that are enabled in Windows by default. You can create other ones as well, but these ones already exist.
And so we see that there's two in HKEY_CURRENT_USER and two in HKEY_LOCAL_MACHINE. And the overall path to each of these is the same. It goes top-level hive, to Software, to Microsoft, to Windows, to CurrentVersion. And then we see that we have one called Run and one called RunOnce in each of the two hives that we're looking at. And so as their names suggest, the Run one will occur multiple different times, while the RunOnce will only be executed once. And so we've set up this particular Python script so that you can easily select one of the four autorun keys. So numbering these from zero to three, we're going to be using the HKEY_CURRENT_USER RunOnce autorun key in this demonstration. And so we set this reg key variable to one. This pair of if statements below it is designed to set the variables that we're going to need to actually add this registry autorun key. So the first two have a hive value of HKEY_CURRENT_USER, the second two have a hive of HKEY_LOCAL_MACHINE. The first and third use the Run key, while the second and fourth use RunOnce. And so, at the end of this pair of if/else statements, we now have our hive and our path set so that we can specify the exact key that we want to create and use on the system to achieve persistence for our executable. Down here, we're going to actually use Python and use the winreg package in Python to interact with the Windows Registry. So the first step in this process is to connect to the registry. And we're going to use the ConnectRegistry function to accomplish that. So the first variable here specifies which registry to connect to. If we use None, it's going to be on the local machine. However, you could set this to a remote machine as well. We're also going to specify which hive we want to access. And so in this particular case, we're going to connect to the Windows Registry, and be accessing HKEY_CURRENT_USER. So the one associated with this user account.
With that connection, we can open a particular key specified by a path within that registry hive. So we're going to use our connection to the registry named reg. We're going to specify our path. So in this case, we're going to be using SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce. This value of zero here in the middle is a reserved value, it always has to be zero. And then, we can specify the level of access that we want. So in this particular case, we want KEY_WRITE access because we want to modify things within the key. Since we're only dealing with values, we could do a more granular level of access specifying write access to values, but this will work for now. And then finally, we're going to use the SetValueEx function to create the value that we want within the registry. So we use the key that we've just opened. We're going to name this particular value security scan. We again have a reserved value of zero. We need to specify the type of value that we're going to use. The default within the registry, as we'll see, is REG_SZ. And then finally we need to specify the value. So since this is an autorun key, we want to specify the path to the file that should be automatically run. So in this case, it's going to be the file path variable that we define up towards the top of the file. And so if we run this particular Python file, it's going to take another Python file, create an executable from it using the build exe Python file, place that at a desired location, and then create a registry autorun key to have that particular executable run automatically once when the current user account is logged in next. And so let's see this in action. So, I'm going to minimize this and open up an instance of the command prompt. And so currently, we're going to be working in the Downloads folder. And if I run python regautorun.py, this is the program that we've just created.
And on the right side of the screen here, we see a view of the Windows Registry. So you can access this simply by typing regedit into the command prompt and hitting Enter. It'll ask you if you're sure that you want to access it, and then it'll open up this viewer for viewing and editing the registry. So right now as we see here, we're at the HKEY_CURRENT_USER or HKCU hive, SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce. So this is the exact location and key where we're planning on adding a value with our autorun.py file. And so if I execute this file, it will take a few seconds to build our executable and generate the autorun key in the Windows Registry. Once it's complete, we'll be able to see that autorun key value included in the registry. And so running it now. And so now that we've completed the run, we need to refresh, so we go to View, Refresh here and we see that our security scan value has been added to the registry. So this is the name associated with it. We see that it's REG_SZ type. And then we have our specified executable directory. So the location of the executable we created and that we want to run automatically. And so, like I said, this is the RunOnce key; right above it in our viewer is the Run key, where we can see a couple of existing registry keys. And then if we explore up to the top here, and open up HKEY_LOCAL_MACHINE, we see that similar registry keys can exist for the machine in general, rather than this particular user. And so why this is useful to us is that it allows us to achieve persistence more easily, or achieve persistence on the system, by taking advantage of this built-in autorun functionality in Windows. And so, as we saw, no special permissions were needed to accomplish this, and we've successfully added an autorun key to the registry. Thank you.
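
Added example, not part of the course material: a defender's audit of the four default autorun keys named in the video. It parses `reg query` output and flags values whose target executable sits in a user-writable directory, as the demo's temp folder does. The sample output, the user name, and the directory heuristic are assumptions made for this illustration.

```python
import re

# The four default autorun keys named in the video.
_BASE = r"\Software\Microsoft\Windows\CurrentVersion"
AUTORUN_KEYS = {f"{hive}{_BASE}\\{leaf}".lower()
                for hive in ("HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE")
                for leaf in ("Run", "RunOnce")}
# Assumed heuristic: user-writable directories are unusual homes for autoruns.
SUSPECT_DIRS = ("\\temp\\", "\\downloads\\", "\\appdata\\", "\\users\\public\\")
VALUE_RE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

def parse_reg_query(text):
    """Yield (key, name, type, data) tuples from `reg query` output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and (m := VALUE_RE.match(line)):
            yield key, m["name"], m["type"], m["data"]

def target_path(data):
    """Pull the executable path out of a command line, quoted or not."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    m = re.match(r"(?i)^(.*?\.exe)\b", data)
    return m.group(1) if m else data.split(" ", 1)[0]

def audit(text):
    """Return autorun values whose target sits in a suspect directory."""
    findings = []
    for key, name, _type, data in parse_reg_query(text):
        path = target_path(data)
        hits = [d.strip("\\") for d in SUSPECT_DIRS if d in path.lower()]
        if key.lower() in AUTORUN_KEYS and hits:
            findings.append((key, name, path, hits))
    return findings

# Constructed sample output; the user name and the OneDrive entry are made up.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    security scan    REG_SZ    C:\Users\student\Downloads\temp\benign.exe
"""

if __name__ == "__main__":
    for key, name, path, hits in audit(SAMPLE):
        print(f"[review] {key} :: {name} -> {path} ({', '.join(hits)})")
```

On a live Windows host the same `audit` function can be fed the text produced by running `reg query` against each of the four keys.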