Monitoring Silent Process Exit
Location:
HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\<ProcessName>
HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<ProcessName>\
Classification:
| Criteria | Value |
|---|---|
| Permissions | Admin |
| Security context | User; System (1) |
| Persistence type | Registry |
| Code type | EXE |
| Launch type | User initiated |
| Impact | None |
| OS Version | Windows 7 and newer |
| Dependencies | OS only |
| Toolset | Scriptable |
Description:
The Silent Process Exit monitoring mechanism launches an application or script (the monitor process) when a monitored process terminates as a result of its own ExitProcess call or of a TerminateProcess call issued by another process. It is a documented debugging feature (gflags.exe configures it from its "Silent Process Exit" tab), which makes it a quiet persistence trigger: nothing runs until the chosen image exits. Three conditions have to be met, and all three live in HKLM, hence the Admin requirement:
- GlobalFlag under the monitored process's Image File Execution Options key must have the FLG_MONITOR_SILENT_PROCESS_EXIT flag (0x200, 512 decimal) set,
- ReportingMode under the monitored process's SilentProcessExit key must have the LAUNCH_MONITORPROCESS flag (0x1, 1 decimal) set,
- MonitorProcess under that same SilentProcessExit key must contain the command line to launch.
For example, to run a PowerShell one-liner that starts the calculator whenever Notepad exits, the required values can be written from an elevated PowerShell prompt:

```powershell
$monitoredApp = "notepad.exe"
# Trailing '#' turns anything appended to the command line into a PowerShell comment
$monitor = "powershell -c calc.exe #"

# 1. IFEO: set FLG_MONITOR_SILENT_PROCESS_EXIT (0x200) in GlobalFlag (REG_DWORD)
New-Item -Force -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$monitoredApp" | Out-Null
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$monitoredApp" -Name GlobalFlag -Value 512

# 2. SilentProcessExit: ReportingMode = LAUNCH_MONITORPROCESS (0x1, REG_DWORD)
New-Item -Force -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\$monitoredApp" | Out-Null
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\$monitoredApp" -Name ReportingMode -Value 1

# 3. SilentProcessExit: MonitorProcess = command line to launch on exit (REG_SZ)
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\$monitoredApp" -Name MonitorProcess -Value $monitor
```

Note that an existing GlobalFlag value is overwritten here; on an image that already has debugging flags set, OR 0x200 into the current value instead.
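The inverse view is what a responder needs: which images on this host are wired up so that the monitor process actually launches. The following audit script is an added example, not part of the original entry. It walks every SilentProcessExit subkey, correlates it with the matching IFEO GlobalFlag, and reports an entry as Active only when all three conditions above hold; the helper function names and the output column names are the author's own choice, and the removal function reverses exactly the set-up shown above (it clears only the 0x200 bit so other IFEO flags survive).

```powershell
# Added audit example (not from the original entry). Run from an elevated prompt
# for a complete picture; HKLM is normally readable by standard users as well.
$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$speRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit'

$FLG_MONITOR_SILENT_PROCESS_EXIT = 0x200   # GlobalFlag bit (512 decimal)
$LAUNCH_MONITORPROCESS           = 0x1     # ReportingMode bit

function Get-SilentProcessExitMonitor {
    if (-not (Test-Path $speRoot)) { return }
    Get-ChildItem -Path $speRoot | ForEach-Object {
        $image   = $_.PSChildName
        $spe     = Get-ItemProperty -Path $_.PSPath
        $ifeoKey = Join-Path $ifeoRoot $image
        $ifeo    = if (Test-Path $ifeoKey) { Get-ItemProperty -Path $ifeoKey } else { $null }

        # Missing values come back as $null; [int]$null is 0, [string]$null is ''
        $globalFlag    = [int]($ifeo.GlobalFlag)
        $reportingMode = [int]($spe.ReportingMode)
        $monitor       = [string]$spe.MonitorProcess

        $flagSet   = ($globalFlag    -band $FLG_MONITOR_SILENT_PROCESS_EXIT) -ne 0
        $launchSet = ($reportingMode -band $LAUNCH_MONITORPROCESS) -ne 0

        [pscustomobject]@{
            Image            = $image
            GlobalFlag       = ('0x{0:X}' -f $globalFlag)
            MonitorFlagSet   = $flagSet
            ReportingMode    = $reportingMode
            LaunchMonitorSet = $launchSet
            MonitorProcess   = $monitor
            # Only when all three hold will MonitorProcess run at exit
            Active           = ($flagSet -and $launchSet -and ($monitor -ne ''))
        }
    }
}

function Remove-SilentProcessExitMonitor {
    param([Parameter(Mandatory)][string]$Image)
    $ifeoKey = Join-Path $ifeoRoot $Image
    if (Test-Path $ifeoKey) {
        $gf = [int](Get-ItemProperty -Path $ifeoKey).GlobalFlag
        if ($gf -band $FLG_MONITOR_SILENT_PROCESS_EXIT) {
            # Clear just the monitor bit; keep any other debugging flags intact
            Set-ItemProperty -Path $ifeoKey -Name GlobalFlag -Value ($gf -bxor $FLG_MONITOR_SILENT_PROCESS_EXIT)
        }
    }
    $speKey = Join-Path $speRoot $Image
    if (Test-Path $speKey) { Remove-Item -Path $speKey -Recurse -Force }
}

# Usage: list every image whose exit will spawn a monitor process
Get-SilentProcessExitMonitor | Where-Object Active | Format-Table -AutoSize

# Usage: undo the Notepad example from above
# Remove-SilentProcessExitMonitor -Image 'notepad.exe'
```

An Active entry is not automatically malicious, since developers use the same keys through gflags.exe, but a MonitorProcess that points at powershell, cmd, a script interpreter or a user-writable path deserves a close look. For continuous detection, alert on value writes under either registry path (Sysmon Event ID 13 covers this) rather than waiting for the monitored image to exit.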
References:
Credits:
- Entry added by @pawelmaziarz
See also:
Remarks:
(1) Depends on the image being hijacked: the monitor process is started in the context of the monitored process, so monitoring an image that runs as SYSTEM yields a SYSTEM-level monitor process, while a user's application yields that user's context.