Intro
User and System Shell Folders are a set of well-known Windows folders that hold much of a user's personal data and settings, and whose locations are recorded in the registry. You most likely know these as the Desktop, Start Menu, My Documents, and Startup folders; there are many others, but those are some of the most common. These locations are also prime targets for attackers who want to infiltrate a system, and one way they do that is by changing the default paths of these folders so that whatever they place there is harder to detect.
Explained
To understand what this means, entertain this scenario.
An attacker managed to get initial access by sending a phishing email with a malicious attachment, which an unsuspecting employee opened. Taking advantage of the employee’s user privileges, the attacker snoops around and finds a security loophole, allowing them to gain administrator-level access. With admin privileges, the attacker aims to keep their malware running by altering the default startup path in the Windows Registry so that the malware launches every time the system restarts or a user logs in.
The attacker tweaks the Startup value under the registry key "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" to point the default startup path at a less obvious location like "C:\Temp". They then place their custom malware in this folder, naming it "C:\Temp\Updater.exe". This way, the malware runs at startup, staying hidden from security tools that only check the default startup folder locations for suspicious activity.
Script
This script enumerates the Shell Folders and User Shell Folders values under both the machine (HKLM) and current-user (HKCU) hives. It then compares them against a known-good list to identify which values have been modified and what they now contain. It is worth mentioning that these defaults were obtained from inside a virtual machine and likely won't match all of your default values 1:1.
While this script aims to provide a quick glance into the default known mappings for each value, it is possible your environment is different or has custom values that would need to be accounted for in the code below.
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
$RegistryKeys_ShellFolders = @(
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders",
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders",
"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders",
"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
)
$Results = @()
$ExcludedProperties = @("PSPath", "PSParentPath", "PSChildName", "PSDrive", "PSProvider")
$DefaultPaths = @{
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Administrative Tools" = '%APPDATA%\Microsoft\Windows\Start Menu\Programs\Administrative Tools';
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal" = '%USERPROFILE%\Documents';
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache" = '%LOCALAPPDATA%\Microsoft\Windows\INetCache';
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Templates" = '%APPDATA%\Microsoft\Windows\Templates';
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Fonts" = '%SystemRoot%\Fonts';
"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Administrative Tools" = '%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Administrative Tools';
"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData" = '%ALLUSERSPROFILE%';
"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Desktop" = '%PUBLIC%\Desktop';
"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Documents" = '%PUBLIC%\Documents';
"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Programs" = '%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs';
"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Start Menu" = '%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu';
"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Startup" = '%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup';
"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Templates" = '%ALLUSERSPROFILE%\Microsoft\Windows\Templates';
"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\CommonMusic" = '%PUBLIC%\Music';
"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\CommonPictures" = '%PUBLIC%\Pictures';
"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\CommonVideo" = '%PUBLIC%\Videos';
"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common AppData" = '%ALLUSERSPROFILE%';
"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Desktop" = '%PUBLIC%\Desktop';
"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Documents" = '%PUBLIC%\Documents';
"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Programs" = '%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs';
"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Start Menu" = '%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu';
"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Startup" = '%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup';
"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Templates" = '%ALLUSERSPROFILE%\Microsoft\Windows\Templates';
"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\CommonMusic" = '%PUBLIC%\Music';
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData" = '%APPDATA%';
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Cache" = '%LOCALAPPDATA%\Microsoft\Windows\INetCache';
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Cookies" = '%LOCALAPPDATA%\Microsoft\Windows\INetCookies';
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Desktop" = '%USERPROFILE%\Desktop';
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Favorites" = '%USERPROFILE%\Favorites';
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\History" = '%LOCALAPPDATA%\Microsoft\Windows\History';
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData" = '%LOCALAPPDATA%';
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\My Music" = '%USERPROFILE%\Music';
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\My Pictures" = '%USERPROFILE%\Pictures';
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\My Video" = '%USERPROFILE%\Videos';
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\NetHood" = '%APPDATA%\Microsoft\Windows\Network Shortcuts';
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Personal" = '%USERPROFILE%\Documents';
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\PrintHood" = '%APPDATA%\Microsoft\Windows\Printer Shortcuts';
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Programs" = '%APPDATA%\Microsoft\Windows\Start Menu\Programs';
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Recent" = '%APPDATA%\Microsoft\Windows\Recent';
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\SendTo" = '%APPDATA%\Microsoft\Windows\SendTo';
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Start Menu" = '%APPDATA%\Microsoft\Windows\Start Menu';
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup" = '%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup';
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Templates" = '%APPDATA%\Microsoft\Windows\Templates';
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{374DE290-123F-4565-9164-39C4925E467B}" = '%USERPROFILE%\Downloads';
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Local AppData" = '%LOCALAPPDATA%';
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\CD Burning" = '%LOCALAPPDATA%\Microsoft\Windows\Burn\Burn';
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}" = '%APPDATA%\Microsoft\Windows\Libraries';
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\My Video" = '%USERPROFILE%\Videos';
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\My Pictures" = '%USERPROFILE%\Pictures';
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop" = '%USERPROFILE%\Desktop';
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History" = '%LOCALAPPDATA%\Microsoft\Windows\History';
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\NetHood" = '%APPDATA%\Microsoft\Windows\Network Shortcuts';
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies" = '%LOCALAPPDATA%\Microsoft\Windows\INetCookies';
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Favorites" = '%USERPROFILE%\Favorites';
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\SendTo" = '%APPDATA%\Microsoft\Windows\SendTo';
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Start Menu" = '%APPDATA%\Microsoft\Windows\Start Menu';
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\My Music" = '%USERPROFILE%\Music';
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Programs" = '%APPDATA%\Microsoft\Windows\Start Menu\Programs';
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Recent" = '%APPDATA%\Microsoft\Windows\Recent';
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\PrintHood" = '%APPDATA%\Microsoft\Windows\Printer Shortcuts';
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\{374DE290-123F-4565-9164-39C4925E467B}" = '%USERPROFILE%\Downloads';
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup" = '%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup';
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\{BFB9D5E0-C6A9-404C-B2B2-AE6DB6AF4968}" = '%USERPROFILE%\Links';
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\{4C5C32FF-BB9D-43B0-B5B4-2D72E54EAAA4}" = '%USERPROFILE%\Saved Games';
"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\CommonPictures" = '%PUBLIC%\Pictures';
"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\CommonVideo" = '%PUBLIC%\Videos';
"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{3D644C9B-1FB8-4f30-9B45-F670235F79C0}" = '%PUBLIC%\Downloads';
"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\OEM Links" = 'C:\ProgramData\OEM\Links';
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData" = '%APPDATA%';
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\{56784854-C6CB-462B-8169-88E350ACB882}" = '%USERPROFILE%\Contacts';
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\{00BCFC5A-ED94-4E48-96A1-3F6217F21990}" = '%APPDATA%\Microsoft\Windows\Cookies';
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\{7D1D3A04-DEBB-4115-95CF-2F29DA2920DA}" = '%USERPROFILE%\Searches';
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\{A520A1A4-1780-4FF6-BD18-167343C5AF16}" = '%LOCALAPPDATA%\Low';
}
# Returns $true when the value differs from the known-good default,
# or when the value is not in the known-good list at all.
function Test-IsSuspicious($KeyPath, $PropertyName, $PropertyValue) {
    $KeyAndProperty = $KeyPath + '\' + $PropertyName
    if ($DefaultPaths.ContainsKey($KeyAndProperty)) {
        $DefaultPath = $DefaultPaths[$KeyAndProperty]
        # Get-ItemProperty hands back expanded paths, so expand the default before comparing.
        $ExpandedDefaultPath = [Environment]::ExpandEnvironmentVariables($DefaultPath)
        return ($PropertyValue -ne $ExpandedDefaultPath)
    } else {
        return $true
    }
}

foreach ($KeyPath in $RegistryKeys_ShellFolders) {
    try {
        $KeyItems = Get-Item -Path $KeyPath -ErrorAction Stop
        $KeyProperties = $KeyItems | Get-ItemProperty
        foreach ($PropertyName in $KeyProperties.PSObject.Properties.Name) {
            # Skip the provider metadata properties PowerShell adds to every registry object.
            if ($ExcludedProperties -notcontains $PropertyName) {
                $PropertyValue = $KeyProperties.$PropertyName
                $IsSuspicious = Test-IsSuspicious $KeyPath $PropertyName $PropertyValue
                $Result = New-Object PSObject -Property @{
                    RegistryKey   = $KeyPath
                    PropertyName  = $PropertyName
                    PropertyValue = $PropertyValue
                    Suspicious    = $IsSuspicious
                }
                $Results += $Result
            }
        }
    }
    catch {
        Write-Host "Error accessing registry key: $KeyPath" -ForegroundColor Red
    }
}

# Suspicious entries first, then write everything out for review.
$Results = $Results | Sort-Object -Property Suspicious -Descending
$Results | Select-Object RegistryKey, PropertyName, Suspicious, PropertyValue | Export-Csv -Path "C:\temp\shell_folder_registry_keys.csv" -NoTypeInformation
The output received will be like:

RegistryKey                                                                 | PropertyName | Suspicious | PropertyValue
----------------------------------------------------------------------------|--------------|------------|--------------
HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders | Startup      | True       | C:\temp
...                                                                         | ...          | ...        | ...
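The script above compares expanded paths, so on a machine whose profile folders have been relocated every value would show as suspicious. As an added example (not part of the original script), the check below reads the stored, unexpanded REG_EXPAND_SZ template of the two Startup values and compares it with the expected template, and additionally flags a value that contains no environment variable at all, since the defaults are all templates and a literal path such as C:\Temp is not. It relies only on the Get-Item registry provider and the .NET RegistryKey methods GetValue and GetValueKind; the function names are my own.

```powershell
# Expected templates for the two Startup values, copied from the defaults above.
$ExpectedTemplates = @{
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders' = @{
        'Startup' = '%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup'
    }
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders' = @{
        'Common Startup' = '%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup'
    }
}

# Read the value as stored: DoNotExpandEnvironmentNames returns '%APPDATA%\...'
# rather than the expanded path Get-ItemProperty would return.
function Get-RawShellFolderValue {
    param([string]$KeyPath, [string]$Name)
    $key = Get-Item -Path $KeyPath -ErrorAction Stop
    $key.GetValue($Name, $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
}

# Compare the stored template with the expected one and report the value kind,
# the expanded path, and whether the template references any environment variable.
function Test-StartupTemplate {
    param([string]$KeyPath, [string]$Name, [string]$Expected)
    $raw  = [string](Get-RawShellFolderValue -KeyPath $KeyPath -Name $Name)
    $kind = (Get-Item -Path $KeyPath -ErrorAction Stop).GetValueKind($Name)
    [pscustomobject]@{
        RegistryKey   = $KeyPath
        PropertyName  = $Name
        RawValue      = $raw
        ValueKind     = $kind                                   # default kind is ExpandString
        Expanded      = [Environment]::ExpandEnvironmentVariables($raw)
        TemplateMatch = ($raw -eq $Expected)                    # case-insensitive string compare
        HasEnvVar     = ($raw -match '%[^%]+%')                 # $false for a literal path
    }
}

foreach ($keyPath in $ExpectedTemplates.Keys) {
    foreach ($name in $ExpectedTemplates[$keyPath].Keys) {
        try {
            Test-StartupTemplate -KeyPath $keyPath -Name $name -Expected $ExpectedTemplates[$keyPath][$name]
        } catch {
            Write-Warning "Could not read ${keyPath}\${name}: $_"
        }
    }
}
```

A row with TemplateMatch $false, HasEnvVar $false, or a ValueKind other than ExpandString is worth a closer look even when the expanded path happens to exist.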
Conclusion
These shell folder values are important to monitor from a blue team perspective: if they are changed, adversaries can potentially bypass security software or monitoring tools that only inspect the default folder locations. By maintaining a watchful eye on any modifications to these values, blue teams can identify attempts to abuse system configuration for malicious purposes. If you can detect these changes, it becomes easier to spot suspicious activity early, allowing you to respond quickly, protect your systems, and minimize the potential damage.