Notes on Evidence of Persistence - davepo/AKA GitHub Wiki

Evidence of Malware Persistence

Notes on items to consider when investigating evidence of malware persistence. This is not an all-encompassing list and is presented in no particular order.

For a more in-depth explanation of the items listed below, please see Andrea Fortuna's awesome blog post Malware Persistence Techniques.

Run/RunOnce

  • Multiple keys named 'Run' and 'RunOnce' are located in the SOFTWARE registry hives
  • Entries under a Run key run at every logon. Entries under a RunOnce key run once and are then deleted.

UserInit

  • Located in the SOFTWARE registry hive under '...\WinLogon'
  • Used by Winlogon to launch login scripts. The value should be 'UserInit.exe,' (with the trailing comma and nothing after it)
  • Malware can be appended after the comma

WinLogon Notify

  • Located in the SOFTWARE registry hive under '...\WinLogon\Notify'
  • Used by WinLogon to notify event handlers when the Secure Attention Sequence (Ctrl+Alt+Del) occurs; the handler is a DLL that WinLogon loads.
  • The DLL entry can be changed so that a different DLL launches whenever the event occurs.

Startup Keys

  • Located in the SOFTWARE registry hive as '...\Explorer\Shell Folders' and '...\Explorer\User Shell Folders'
  • Contains entries for any shortcuts placed in the 'Startup' folder

Browser Helper Objects

  • Located in the SOFTWARE registry hive under '...\Explorer\Browser Helper Objects'
  • Contains subkeys that specify DLLs to load when Internet Explorer starts.

Boot Execute Key

  • Located as the '...\Session Manager' key in the SYSTEM registry hive.
  • smss.exe launches anything listed there during boot.

Services

  • Located in the SYSTEM hive under the '...\CurrentControlSet\services' key.
  • Located in the SOFTWARE hive under the '...\RunServicesOnce' and '...\RunServices' keys.
  • Malicious files can be placed in the key or set up to run when a service in the key fails to start.

DLL search order hijacking

  • Executables look for required DLLs in a particular order.
  • First it checks whether the DLL is already in memory or listed in the KnownDLLs registry key
    • Located in the SYSTEM hive under the '...\Session Manager\KnownDLLs' key.
  • If not found, it then checks the following locations (in this order)
    • The same directory as the executable
    • The Windows System32 directory
    • The Windows directory
    • The current working directory
    • Directories defined in the PATH environment variable
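The following Python is an added illustration, not part of the original notes: it walks the search order listed above over a constructed file listing and reports which System32 DLLs would be shadowed by a same-named file in a directory that is searched earlier. The directory names, the file list and the KnownDLLs set are all assumptions made for the example; the real loader has further rules (manifests, LoadLibrary flags, redirection) that this model leaves out.

```python
"""Simulate the DLL search order given in the notes (added example, constructed data)."""
import ntpath  # Windows path semantics regardless of the host OS

SYSTEM32 = r"C:\Windows\System32"
WINDIR = r"C:\Windows"

# Constructed on-disk listing for the example; none of these files are real artefacts.
FILES = {
    r"C:\App\tool.exe",
    r"C:\App\version.dll",                   # same-named copy beside the executable
    r"C:\Windows\System32\version.dll",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\dwmapi.dll",
    r"C:\Users\alice\Downloads\dwmapi.dll",  # in the working directory, searched after System32
}
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll"}   # assumed contents of Session Manager\KnownDLLs
EXE_DIR, CWD, PATH_DIRS = r"C:\App", r"C:\Users\alice\Downloads", [r"C:\Tools"]


def search_dirs(exe_dir, cwd, path_dirs):
    """Directories in the order the notes give: exe dir, System32, Windows, CWD, PATH."""
    return [exe_dir, SYSTEM32, WINDIR, cwd, *path_dirs]


def resolve_dll(name, files, known_dlls, exe_dir, cwd, path_dirs):
    """Return the full path the loader would pick for `name`, or None if absent.

    KnownDLLs are always taken from System32 before any directory search.
    """
    if name.lower() in {k.lower() for k in known_dlls}:
        return ntpath.join(SYSTEM32, name)
    present = {ntpath.normcase(f) for f in files}
    for directory in search_dirs(exe_dir, cwd, path_dirs):
        candidate = ntpath.join(directory, name)
        if ntpath.normcase(candidate) in present:
            return candidate
    return None


def hijack_candidates(files, known_dlls, exe_dir, cwd, path_dirs):
    """System32 DLLs that would be shadowed by a same-named file earlier in the order."""
    sys32 = ntpath.normcase(SYSTEM32)
    system_dlls = sorted(
        ntpath.basename(f) for f in files
        if ntpath.normcase(ntpath.dirname(f)) == sys32 and f.lower().endswith(".dll")
    )
    shadowed = []
    for name in system_dlls:
        chosen = resolve_dll(name, files, known_dlls, exe_dir, cwd, path_dirs)
        if chosen and ntpath.normcase(ntpath.dirname(chosen)) != sys32:
            shadowed.append((name, chosen))
    return shadowed


if __name__ == "__main__":
    for dll in ("version.dll", "dwmapi.dll", "kernel32.dll", "missing.dll"):
        print(f"{dll:14} -> {resolve_dll(dll, FILES, KNOWN_DLLS, EXE_DIR, CWD, PATH_DIRS)}")
    print("shadowed System32 DLLs:", hijack_candidates(FILES, KNOWN_DLLS, EXE_DIR, CWD, PATH_DIRS))
```

Note that dwmapi.dll in the working directory is not picked up: the notes' order places the current directory after System32, so only the copy next to the executable wins.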

COM (Component Object Model) object hijacking

  • COM is the Windows mechanism that lets software components interact through the operating system.
  • Adversaries can replace a reference to a legitimate system component with malicious code, which will be executed instead of the legitimate component.
  • Hijacks can be detected by inspecting the '...\Classes\CLSID' keys in the SOFTWARE hive

Scheduled Tasks

  • Task definition files are located in '...\Windows\System32\Tasks'
  • Each task runs at its scheduled times
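Added example, not the wiki's own code: each file under that folder is an XML task definition, and the Python below uses only the standard library to pull out the fields an analyst checks first (author, trigger types, the account and run level, the hidden flag, and the command behind each action), then applies a few triage heuristics. The task XML is constructed for the example; the list of user-writable path fragments is an assumption, not an authoritative rule.

```python
"""Summarize a Task Scheduler XML definition (added example; the task below is constructed)."""
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Task files on disk are UTF-16 with a BOM, so the constructed sample is encoded the same way.
SAMPLE_TASK = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>CONTOSO\\alice</Author><Date>2024-03-01T10:15:00</Date></RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <CalendarTrigger><StartBoundary>2024-03-01T09:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger>
  </Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\alice\\AppData\\Roaming\\svc\\upd.exe</Command><Arguments>/silent</Arguments></Exec>
  </Actions>
</Task>""".encode("utf-16")

# Heuristic (assumed) path fragments that ordinary users can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def _text(elem, path):
    node = elem.find(path, NS)
    return node.text if node is not None else None


def summarize_task(xml_bytes):
    """Extract the triage-relevant fields from one task definition."""
    root = ET.fromstring(xml_bytes)
    triggers = root.find("t:Triggers", NS)
    return {
        "author": _text(root, "t:RegistrationInfo/t:Author"),
        "triggers": [t.tag.rsplit("}", 1)[-1] for t in (triggers if triggers is not None else [])],
        "run_as": _text(root, "t:Principals/t:Principal/t:UserId"),
        "run_level": _text(root, "t:Principals/t:Principal/t:RunLevel"),
        "hidden": (_text(root, "t:Settings/t:Hidden") or "false").lower() == "true",
        "actions": [(_text(e, "t:Command"), _text(e, "t:Arguments"))
                    for e in root.findall("t:Actions/t:Exec", NS)],
    }


def triage_flags(summary):
    """Reasons a task deserves a closer look; an empty list means nothing stood out."""
    flags = []
    if summary["hidden"]:
        flags.append("hidden task")
    if summary["run_as"] == "S-1-5-18":  # well-known SID of LocalSystem
        flags.append("runs as SYSTEM")
    for command, _ in summary["actions"]:
        if command and any(frag in command.lower() for frag in USER_WRITABLE):
            flags.append(f"command in user-writable path: {command}")
    return flags


if __name__ == "__main__":
    # Pass the Tasks folder (or a copy of it) to walk every definition; default to the sample.
    sources = [p for p in Path(sys.argv[1]).rglob("*") if p.is_file()] if len(sys.argv) > 1 else [None]
    for src in sources:
        data = src.read_bytes() if src else SAMPLE_TASK
        summary = summarize_task(data)
        print(src or "<sample>", summary, triage_flags(summary))
```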

MS Office Add-In

  • The folder is pointed to by the SOFTWARE hive key "...\Microsoft\Office\16.0\Word\Security\Trusted Locations"
  • The folder is checked for helper DLLs when Office loads.