Leveraging Microsoft Text Services Framework (TSF) for Red Team Operations

The Praetorian Labs team was tasked with identifying novel and previously undocumented persistence mechanisms for use in red team engagements. Our primary focus was on persistence techniques achievable through modifications in HKCU, allowing for stealthy, user-level persistence without requiring administrative privileges. Unfortunately, while we identified an interesting persistence technique, the method we discuss in this article requires administrative privileges in order to register new text services framework plugins.

During this research, we discovered the concept of Text Services Framework (TSF) plugins while analyzing the Windows registry. The Microsoft\CTF\TIP\ key contained references to COM CLSIDs, initially leading us to believe this could execute code within CTFMon.exe. Further investigation revealed that TSF plugins are loaded into any process utilizing the Text Services Framework, offering a stealthy method of persistence.

This technique allows for injecting code into virtually any process displaying a graphical user interface (GUI) or accepting user input, making it an exceptionally flexible attack vector in terms of targeted persistence within specific processes.

Understanding Microsoft Text Services Framework (TSF)

TSF is integral to Windows’ text input processing, facilitating input method editors (IMEs), handwriting recognition, and speech recognition. It operates with high privileges, making it a prime candidate for persistence mechanisms.

Key Components of TSF:

  • Text Services Manager (TSM): Oversees text input services.
  • TSF Clients: Applications utilizing TSF for text input processing.
  • TSF Text Services: Dynamic-link libraries (DLLs) registered to provide text processing.
  • Registry Entries: TSF relies on registry-based configurations to load and execute text services.

Abusing TSF for Persistence

Step 1: Identifying the TSF Persistence Mechanism

TSF enables the registration of custom text services via COM objects, which execute when text input is used. By registering a rogue TSF text service, red teams can achieve stealthy persistence.

Step 2: Registering a Custom Text Service

We start by creating a custom DLL implementing the ITfTextInputProcessor interface and register it via the Windows Registry. Note that administrative privileges are required to register a new TSF text service. The following registry keys will be modified during the registration process where GUID is the GUID associated with the registered COM object and LANG is the identifier of the language associated with the text services framework plugin (e.g. English):

Registry Keys Involved:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{GUID}\LanguageProfile\{LANG}

HKEY_CLASSES_ROOT\CLSID\{GUID}\InProcServer32

Observations on Registration Locations

While registry entries for TSF plugins can technically exist under HKCU, our testing revealed that such entries do not result in functional plugins. TSF plugins must be registered under HKLM to work properly. 

High-Value Target Processes

TSF-based implants are particularly effective because they are loaded into various high-value processes that frequently interact with the framework, including:

  • msedge.exe
  • chrome.exe
  • firefox.exe
  • taskmgr.exe
  • explorer.exe
  • msedgewebview2.exe

Web browsers are particularly interesting targets since they interact with the network, allocate executable code as part of the just-in-time (JIT) compiler, and are relatively complex to analyze or baseline. Additionally, web browsers often spawn subprocesses with the same process name, which benefits attackers utilizing a fork-and-run model in C2 frameworks like Cobalt Strike. This makes it easier to blend into normal operations and evade detection.

Indicators of Compromise (IoCs)

  • Registry Modifications: Unexpected changes in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\.
  • Unknown DLLs: Suspicious DLLs registered under HKEY_CLASSES_ROOT\CLSID\{GUID}\InProcServer32.
  • Unsigned DLLs in Critical Processes: Look for unsigned or unfamiliar DLLs being loaded into critical processes like msedge.exe or explorer.exe that have not been observed elsewhere on the network.
  • Unusual Text Input Behavior: Irregularities in IMEs or language input settings.

Example Code for Registry Modification

The example code linked below demonstrates the registry modification and DLL registration process. Note that the provided code simply shows a message box when DllMain is executed to indicate that the DLL has been loaded. However, additional modifications will likely need to be made to execute code safely outside of the loader lock. The compiled DLL can then be installed on the system by using regsvr32.exe.

Full Example Code

Step 3: Deploying the Custom DLL

The DLL must be placed in a suitable directory to ensure execution and proper evasion:

  • System32 or SysWOW64 directories (for administrative access).
  • User’s AppData or another writable directory (for limited privileges).

Step 4: Achieving Execution

Once registered, Windows automatically loads the text service into applications leveraging TSF, such as explorer.exe and text input handlers. This allows for seamless execution without raising alarms.

Detection and Evasion Techniques

Given the obscurity of TSF persistence, many security tools may overlook this particular method of persistence on a system.

Detection Techniques:

  1. Monitor Registry Changes – Track modifications to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\.
  2. Review Registered TSF Plugins – Perform a review of registered TSF plugins to identify suspicious entries if concerned about this particular technique.
  3. Process Monitoring – Observe processes loading unexpected TSF-related DLLs.
  4. Detect Unsigned DLLs: Focus on identifying unsigned or previously unseen DLLs loaded into high-value processes across the network.

Evasion Techniques:

  1. Masquerading as a Legitimate Service – Use naming conventions mimicking legitimate text services.
  2. Code Injection and Obfuscation – Conceal malicious functionality within benign-looking code, file names, etc. Consider recompiling and backdooring an open source text services framework plugin for added evasion.
  3. Sign Malicious DLL File – Consider signing the malicious DLL file either with a stolen certificate or one purchased through a provider through a shell corporation. Alternatively, in some cases simply ripping the signature from a legitimate signed binary and applying it onto a malicious binary can evade certain security tools even though the signature is invalid.

Conclusion

Abusing the Microsoft Text Services Framework (TSF) for persistence offers red teams a stealthy, low-profile method for maintaining access to compromised systems. Understanding and testing this technique enables better adversary simulation while equipping defenders with insights to fortify their detection strategies.

icon-praetorian-

See Praetorian in Action

Request a 30-day free trial of our Managed Continuous Threat Exposure Management solution.

Let's Get Started

About the Authors

Adam Crosser

Adam Crosser

Adam is an operator on the red team at Praetorian. He is currently focused on conducting red team operations and capabilities development.

Catch the Latest

Catch our latest exploits, news, articles, and events.

Leveraging Microsoft Text Services Framework (TSF) for Red Team Operations

Read More

Introducing Nosey Parker Explorer

Read More

ETW Threat Intelligence and Hardware Breakpoints

Read More

Ready to Discuss Your Next Continuous Threat Exposure Management Initiative?

Praetorian’s Offense Security Experts are Ready to Answer Your Questions

Get Started