LOLBINed — Abusing Sysinternals BgInfo
In 2017 Oddvar Moe published a blog post on how he was able to use BgInfo to bypass application whitelisting. This finding is documented on LOLBAS and it still works today.
While looking at this LOLBin this past week, I found that you can achieve the same effect by using the registry instead of a “.bgi” file.
Note: for a better reading experience, it’s best to give Oddvar’s blog a read and then come back :)
Custom User Fields Via Registry
While reading the help menu provided by BgInfo, I came across this section about “Security Issues”.
This section actually highlights the potential misuse described by Oddvar, along with some other interesting points. One such point is that BgInfo stores the default config in the registry under a user-controlled key, “HKEY_CURRENT_USER\Software\Winternals\BGInfo\”.
Using the same technique of adding a custom VBScript, we can add a new value to the “UserFields” key using the following notation.
The “4” is required and indicates the type of the custom field. In this case it indicates a “Script File”.
That’s pretty much it. The next time a user opens BgInfo, it’ll load the default config if none was provided and the script will run. (No CLI required.)
Executing WMI Queries
We can use a similar technique to execute WMI queries for recon purposes (for whatever reason someone chose this).
We can create a similar registry value, but this time we use “6” instead of “4” to indicate “WMI Query”.
After running BgInfo.exe, we can verify that the query worked by checking the WMI ETW providers for logs.
We can combine this “feature” with the database option that “BgInfo.exe” provides to dump the results of these queries into a CSV/TXT after every execution. Sorta like an indirect WMI client :)
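From the defender’s side, a quick way to audit for both the script-file and WMI-query variants above is to enumerate the “UserFields” key in every loaded user hive and review what is in it. The PowerShell below is an added example written for this post, not BgInfo’s own tooling: the key path comes from the post, while the regexes used to flag script-file paths and WMI query text are heuristics I’m assuming, not BgInfo’s documented value encoding.

```powershell
# Added example, not from the original post or the BgInfo project.
# Audits the BgInfo "UserFields" key (path taken from the post) in every
# loaded user hive and flags entries that look like script files or WMI queries.
# Assumption: the two regexes are heuristics, not BgInfo's actual value format.
$subKey = 'Software\Winternals\BGInfo\UserFields'

function Get-BgInfoUserFields {
    foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS') {
        $keyPath = "Registry::$($hive.Name)\$subKey"
        if (-not (Test-Path -Path $keyPath)) { continue }

        $props = Get-ItemProperty -Path $keyPath
        # Skip the PS* metadata properties the registry provider adds.
        $valueNames = ($props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' }).Name

        foreach ($name in $valueNames) {
            $data  = [string]$props.$name
            $flags = @()
            # Heuristic: a path ending in a script extension suggests the
            # "Script File" (type 4) custom field described in the post.
            if ($data -match '(?i)\.(vbs|vbe|js|jse|wsf|ps1|bat|cmd)\b') { $flags += 'script-file' }
            # Heuristic: WQL text suggests the "WMI Query" (type 6) custom field.
            if ($data -match '(?i)\bselect\b.+\bfrom\b') { $flags += 'wmi-query' }

            [pscustomobject]@{
                Hive  = $hive.PSChildName   # user SID
                Field = $name
                Data  = $data
                Flags = ($flags -join ',')
            }
        }
    }
}

$findings = @(Get-BgInfoUserFields)
if ($findings.Count -eq 0) {
    Write-Host 'No BgInfo UserFields entries found in any loaded user hive.'
} else {
    # Any populated UserFields entry is worth a look; flagged ones first.
    $findings | Sort-Object -Property Flags -Descending | Format-Table -AutoSize
}
```

Hives for users who are not logged on are not loaded under HKEY_USERS, so run this in the context where the profiles of interest are loaded, or load them first.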
Conclusion
Thanks for reading. From the detection side, I’ll be providing a couple of Sigma rules for detecting the behavior described in this post in the coming days.
If you have any comments, ideas, or just want to discuss then I’m on Twitter @nas_bench