Notes on Evidence of Persistence - davepo/AKA GitHub Wiki
Evidence of Malware Persistence
Notes on items to consider when investigating evidence of malware persistence. This is not an all-encompassing list and is presented in no particular order.
For a more in-depth explanation of the items listed below, please see Andrea Fortuna's awesome blog post Malware Persistence Techniques.
Run/RunOnce
Keys named 'Run' and 'RunOnce' under '...\Microsoft\Windows\CurrentVersion', both in the SOFTWARE hive (machine-wide, HKLM) and in each user's NTUSER.DAT (per-user, HKCU); 64-bit systems carry a second set under 'WOW6432Node'.
Each value is a command line. Run values execute at every logon (every user's logon for the SOFTWARE hive copy, that user's logon for the NTUSER.DAT copy). RunOnce values execute once at the next logon, and Windows deletes the value, not the key, before running the command, so an empty RunOnce key on a live system does not mean nothing ran; the key's last-write time and other evidence are needed to tell what it held.
UserInit
The 'Userinit' value of '...\Microsoft\Windows NT\CurrentVersion\Winlogon' in the SOFTWARE registry hive
Winlogon launches every program listed in this value after a user authenticates; userinit.exe in turn runs logon scripts and starts the shell (the 'Shell' value in the same key, normally 'explorer.exe'). The value is a comma-separated list and should be exactly the system userinit.exe with a trailing comma, for example 'C:\Windows\system32\userinit.exe,'.
Malware appends its own path after the comma so that it runs at every interactive logon. Check the 'Shell' value in the same key for anything other than explorer.exe while you are there.
WinLogon Notify
Subkeys of '...\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify' in the SOFTWARE registry hive
Each subkey names a notification package: a DLL (the 'DLLName' value) that Winlogon loads into its own process and calls when logon-related events occur (logon, logoff, startup, shutdown, lock and unlock, screen saver, and the SAS/Ctrl+Alt+Del sequence that precedes them).
Registering a subkey that points DLLName at malicious code gets that DLL loaded into winlogon.exe as SYSTEM every time those events fire. Notification packages are only honoured on Windows XP and Server 2003; Vista and later ignore the key, but a subkey that appears on a modern system still shows intent and should be explained.
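The Run/RunOnce, Userinit/Shell and Notify checks above, as an added example that is not part of this wiki. It runs against the live machine by default; for evidence hives, load them with reg load and pass the loaded roots (the hive names EvSOFTWARE/EvNTUSER and the E:\case paths are placeholders).

```powershell
# Added example, not part of the wiki. Triage of Run/RunOnce, Winlogon Userinit/Shell
# and Winlogon Notify on a live machine (Windows PowerShell 5.1 or later). To examine
# evidence hives instead, load them under assumed names and point the parameters at them:
#   reg load HKLM\EvSOFTWARE E:\case\SOFTWARE
#   reg load HKLM\EvNTUSER   E:\case\Users\alice\NTUSER.DAT
#   Get-AsepFindings -SoftwareRoot 'HKLM:\EvSOFTWARE' -UserRoots 'HKLM:\EvNTUSER'
# (EvSOFTWARE, EvNTUSER and the E:\case paths are placeholders.)

$script:RegMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Test-SuspiciousCommand {
    # Heuristics only: returns a short reason string for commands a responder should look at first.
    param([string]$Command)
    $reasons = @()
    $c = [Environment]::ExpandEnvironmentVariables($Command)
    if ($c -match '(?i)\\(AppData|Temp|ProgramData|Public|Downloads)\\') { $reasons += 'user-writable path' }
    if ($c -match '(?i)\b(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|cmd)(\.exe)?\b') { $reasons += 'script host / LOLBin' }
    if ($c -match '(?i)(-enc|frombase64|downloadstring|\biex\b|-w(indowstyle)?\s+hidden)') { $reasons += 'encoded / download / hidden' }
    $reasons -join '; '
}

function Get-RegValues {
    # Name/value pairs of one key, minus the provider metadata; nothing if the key is absent.
    param([string]$Key)
    if (-not (Test-Path -LiteralPath $Key)) { return }
    $item = Get-ItemProperty -LiteralPath $Key
    foreach ($p in $item.PSObject.Properties) {
        if ($script:RegMeta -contains $p.Name) { continue }
        [pscustomobject]@{ Name = $p.Name; Value = [string]$p.Value }
    }
}

function Get-AsepFindings {
    param(
        [string]$SoftwareRoot = 'HKLM:\SOFTWARE',
        # To cover every loaded profile, pass HKU:\<SID> roots after:
        #   New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS
        [string[]]$UserRoots = @('HKCU:')
    )
    $out = @()

    # 1. Run / RunOnce: machine-wide in the SOFTWARE hive, per user in NTUSER.DAT.
    $roots = @($SoftwareRoot) + @($UserRoots | ForEach-Object { "$_\Software" })
    foreach ($root in $roots) {
        foreach ($sub in 'Microsoft\Windows\CurrentVersion\Run', 'Microsoft\Windows\CurrentVersion\RunOnce') {
            $key = "$root\$sub"
            foreach ($v in @(Get-RegValues $key)) {
                $out += [pscustomobject]@{ Source = $key; Name = $v.Name; Value = $v.Value; Note = (Test-SuspiciousCommand $v.Value) }
            }
        }
    }

    # 2. Winlogon: Userinit is a comma-separated list and must hold exactly one entry,
    #    the system userinit.exe; anything after the trailing comma runs at every logon.
    $wl = "$SoftwareRoot\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $wlv = Get-ItemProperty -LiteralPath $wl
    $entries = @(([string]$wlv.Userinit) -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $note = ''
    if ($entries.Count -ne 1 -or $entries[0] -notmatch '(?i)\\system32\\userinit\.exe$') { $note = 'Userinit tampered' }
    $out += [pscustomobject]@{ Source = $wl; Name = 'Userinit'; Value = [string]$wlv.Userinit; Note = $note }
    $note = ''
    if ([string]$wlv.Shell -ne 'explorer.exe') { $note = 'Shell replaced' }
    $out += [pscustomobject]@{ Source = $wl; Name = 'Shell'; Value = [string]$wlv.Shell; Note = $note }

    # 3. Winlogon Notify: each subkey's DLLName is loaded into winlogon.exe (honoured on
    #    XP/2003 only; a subkey on a newer system still shows intent).
    if (Test-Path -LiteralPath "$wl\Notify") {
        foreach ($sk in Get-ChildItem -LiteralPath "$wl\Notify") {
            $dll = [string](Get-ItemProperty -LiteralPath $sk.PSPath).DLLName
            $out += [pscustomobject]@{ Source = $sk.PSPath; Name = 'DLLName'; Value = $dll; Note = (Test-SuspiciousCommand $dll) }
        }
    }
    $out
}

Get-AsepFindings | Format-Table -AutoSize -Wrap
```

The Note column is a triage hint, not a verdict: a legitimate updater in AppData will be flagged too, and an empty Note only means none of the cheap heuristics fired.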
Startup Keys
The 'Startup' and 'Common Startup' values under '...\Explorer\User Shell Folders' and '...\Explorer\Shell Folders'; the per-user values live in NTUSER.DAT, the machine-wide ('Common') ones in the SOFTWARE registry hive
These values do not list the shortcuts themselves; they hold the path of the Startup folders, and Explorer launches everything in those folders at logon. Two things to check: that the path has not been redirected to a folder the attacker controls, and what the folders actually contain (shortcut targets, hidden files, unsigned binaries).
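Both checks, as an added example that is not part of this wiki: it reads the unexpanded folder paths, compares them with the Vista-and-later defaults (assumed here to be what a clean machine holds), and resolves each .lnk to its real target.

```powershell
# Added example, not part of the wiki. Reads the Startup folder locations that Explorer
# uses, flags a folder that has been redirected away from the default, and resolves
# every .lnk in the folders to its real target. Live system; the Default strings below
# are the Windows Vista and later values and are assumed to be what a clean machine holds.

function Get-StartupFolderItems {
    $checks = @(
        @{ Hive = [Microsoft.Win32.Registry]::CurrentUser
           Sub = 'Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
           Value = 'Startup'
           Default = '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' },
        @{ Hive = [Microsoft.Win32.Registry]::LocalMachine
           Sub = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
           Value = 'Common Startup'
           Default = '%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup' }
    )
    $wsh = New-Object -ComObject WScript.Shell   # CreateShortcut() parses .lnk files

    foreach ($c in $checks) {
        # 'User Shell Folders' holds the unexpanded path and is what Explorer reads; 'Shell Folders'
        # is the expanded copy. Read the raw REG_EXPAND_SZ so it can be compared with the default.
        $raw = $null
        $key = $c.Hive.OpenSubKey($c.Sub)
        if ($key) {
            $raw = $key.GetValue($c.Value, $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            $key.Close()
        }
        if (-not $raw) { $raw = $c.Default }          # value absent: Explorer falls back to the default
        $folder = [Environment]::ExpandEnvironmentVariables([string]$raw)
        $redirected = ([string]$raw -ne $c.Default)   # -ne is case-insensitive in PowerShell
        if ($redirected) { Write-Warning "$($c.Value) points to '$raw' instead of the default" }
        if (-not (Test-Path -LiteralPath $folder)) { continue }

        foreach ($f in Get-ChildItem -LiteralPath $folder -File -Force) {
            if ($f.Name -eq 'desktop.ini') { continue }
            $target = $f.FullName; $arguments = ''
            if ($f.Extension -eq '.lnk') {
                $lnk = $wsh.CreateShortcut($f.FullName)
                $target = $lnk.TargetPath; $arguments = $lnk.Arguments
            }
            $sig = 'n/a'
            if ($target -and (Test-Path -LiteralPath $target)) { $sig = (Get-AuthenticodeSignature -LiteralPath $target).Status }
            [pscustomobject]@{
                Folder = $folder; Redirected = $redirected; Item = $f.Name
                Hidden = [bool]($f.Attributes -band [IO.FileAttributes]::Hidden)
                Target = $target; Arguments = $arguments; Signature = $sig; Created = $f.CreationTime
            }
        }
    }
}

Get-StartupFolderItems | Format-Table -AutoSize -Wrap
```

A redirected folder is itself the finding, even if the new folder is empty at the time of collection; note its path and go back to the image for what it held.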
Browser Helper Objects
Located in the SOFTWARE registry hive under '...\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects' (and under 'WOW6432Node' for 32-bit Internet Explorer on 64-bit Windows)
Each subkey is named by a CLSID. The DLL itself is not recorded here: it is whatever that CLSID's 'InprocServer32' entry under '...\Classes\CLSID' points to, and Internet Explorer loads it at every start.
Boot Execute Key
The 'BootExecute' value of '...\Control\Session Manager' in the SYSTEM registry hive (under the active ControlSet).
smss.exe runs each entry as a native-mode program at boot, before the Win32 subsystem exists. The default is the single line 'autocheck autochk *'; any other entry needs explaining.
Services
Located in the SYSTEM hive under '...\CurrentControlSet\Services' (an offline hive has no CurrentControlSet; read 'Select\Current' to find the active 'ControlSetNNN').
The legacy 'RunServices' and 'RunServicesOnce' keys under '...\Microsoft\Windows\CurrentVersion' in the SOFTWARE hive are worth a glance too, but only Windows 9x/Me ever processed them.
Each service subkey has an 'ImagePath' (the binary; 'Start' = 2 means auto-start) and, for svchost-hosted services, the real code in 'Parameters\ServiceDll'. Malware can be registered as a new service outright, or a legitimate service's recovery options can be set to run a program when the service fails (the 'FailureCommand' value).
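The BootExecute and Services checks above in one script, as an added example that is not part of this wiki. It works against the live SYSTEM hive by default and against a loaded evidence hive via -SystemRoot (the EvSYSTEM name and E:\case path are placeholders); the existence and signature checks look at this machine's disk.

```powershell
# Added example, not part of the wiki. Checks BootExecute and the auto-start services in
# the SYSTEM hive. Live system by default; for an evidence hive run
#   reg load HKLM\EvSYSTEM E:\case\SYSTEM
# and call Get-SystemHiveFindings -SystemRoot 'HKLM:\EvSYSTEM' (name and path are placeholders).
# The file-existence and signature checks look at this machine's disk, so for an offline
# hive they are only meaningful if the image is mounted at the same drive letters.

function Resolve-ImagePath {
    # Normalises the forms found in ImagePath/ServiceDll: quoted paths, trailing arguments
    # (e.g. "-k netsvcs"), \SystemRoot\..., \??\C:\..., and system32\... relative to %SystemRoot%.
    param([string]$Raw)
    $p = [Environment]::ExpandEnvironmentVariables($Raw.Trim())
    if ($p.StartsWith('"')) { $p = $p.Substring(1).Split('"')[0] } else { $p = ($p -split '\s+')[0] }
    $p = $p -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[a-z]:\\') { $p = "$env:SystemRoot\$p" }   # 'system32\drivers\x.sys' style
    $p
}

function Get-SystemHiveFindings {
    param([string]$SystemRoot = 'HKLM:\SYSTEM')

    # CurrentControlSet is a live-only link; an offline hive has ControlSet00N and Select\Current.
    $ccs = "$SystemRoot\CurrentControlSet"
    if (-not (Test-Path -LiteralPath $ccs)) {
        $n = (Get-ItemProperty -LiteralPath "$SystemRoot\Select").Current
        $ccs = '{0}\ControlSet{1:D3}' -f $SystemRoot, $n
    }

    # 1. BootExecute: smss.exe runs each entry as a native program before the Win32 subsystem starts.
    $sm = Get-ItemProperty -LiteralPath "$ccs\Control\Session Manager"
    foreach ($line in @($sm.BootExecute)) {
        $note = ''
        if ($line -ne 'autocheck autochk *') { $note = 'non-default BootExecute entry' }
        [pscustomobject]@{ Kind = 'BootExecute'; Name = 'Session Manager'; Binary = $line; ServiceDll = ''; Note = $note }
    }

    # 2. Services: Start 2 = auto-start (0/1 = boot/system drivers, 3 = manual, 4 = disabled).
    foreach ($svc in Get-ChildItem -LiteralPath "$ccs\Services") {
        $p = Get-ItemProperty -LiteralPath $svc.PSPath
        if ($p.Start -ne 2 -and -not $p.FailureCommand) { continue }
        $dll = ''
        if (Test-Path -LiteralPath "$($svc.PSPath)\Parameters") {
            $dll = [string](Get-ItemProperty -LiteralPath "$($svc.PSPath)\Parameters").ServiceDll
        }
        $raw = $(if ($dll) { $dll } else { [string]$p.ImagePath })   # for svchost services the DLL is the code that matters
        $note = @(); $bin = ''
        if (-not $raw) { $note += 'no ImagePath' } else {
            $bin = Resolve-ImagePath $raw
            if (-not (Test-Path -LiteralPath $bin)) { $note += 'binary missing (or unquoted path with spaces)' }
            elseif ((Get-AuthenticodeSignature -LiteralPath $bin).Status -ne 'Valid') { $note += 'not validly signed' }
            if ($bin -notmatch '(?i)^[a-z]:\\(Windows|Program Files)') { $note += 'outside Windows / Program Files' }
        }
        if ($p.FailureCommand) { $note += "FailureCommand: $($p.FailureCommand)" }
        [pscustomobject]@{ Kind = 'Service'; Name = $svc.PSChildName; Binary = $bin; ServiceDll = $dll; Note = ($note -join '; ') }
    }
}

Get-SystemHiveFindings | Where-Object { $_.Note } | Format-Table -AutoSize -Wrap
```

Drop the Where-Object filter to see every auto-start service rather than only the ones with a note. Catalog-signed Windows binaries report Valid on current hosts; on older PowerShell versions without catalog support they can show NotSigned, so confirm before calling one unsigned.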
DLL search order hijacking
Executables that load a DLL by name alone (no path) resolve it in a fixed order, so a writable directory that comes earlier in that order than the real DLL's location wins.
First the loader checks whether a DLL of that name is already loaded in the process and whether it is a Known DLL; Known DLLs are always mapped from System32 regardless of the search path.
Known DLLs are listed in the SYSTEM hive under the '...\Control\Session Manager\KnownDLLs' key.
If neither applies, it searches the following locations in this order (the default, with 'SafeDllSearchMode' absent or 1 in '...\Control\Session Manager'; when it is set to 0 the current working directory moves up to second place, right after the executable's directory)
The directory the executable was loaded from
The System32 directory
The 16-bit system directory (Windows\System)
The Windows directory
The current working directory
The directories listed in the PATH variable
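A live hunt for the outcome of this order, as an added example that is not part of this wiki: it reports SafeDllSearchMode and KnownDLLs, then flags every loaded module whose file name matches a DLL in System32 but which was loaded from outside the Windows directory.

```powershell
# Added example, not part of the wiki. Shows the two registry inputs to the search order
# (KnownDLLs, SafeDllSearchMode) and then hunts for sideloading candidates in running
# processes: a loaded module whose file name matches a DLL that exists in System32 but
# whose path is outside the Windows directory, i.e. a copy that won the search by sitting
# earlier in the order (typically the application directory). Live system; run elevated
# to see every process. Vendor copies of runtime DLLs (msvcp*, vcruntime*) show up too,
# which is what the signature column is for.

function Get-DllSearchOrderFindings {
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider', 'DllDirectory', 'DllDirectory32'
    $sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

    # Absent or 1 = safe search (current directory after the Windows directories);
    # 0 = legacy order, current directory right after the application directory.
    $safe = (Get-ItemProperty -LiteralPath $sm).SafeDllSearchMode
    if ($null -eq $safe) { $safe = '(absent, defaults to 1)' }
    [pscustomobject]@{ Kind = 'SafeDllSearchMode'; Process = ''; Module = ''; Path = "$safe"; Note = '' }

    # Known DLLs are always mapped from System32, so one of these names loaded from anywhere
    # else cannot be explained by search-order hijacking and deserves a closer look.
    $known = @((Get-ItemProperty -LiteralPath "$sm\KnownDLLs").PSObject.Properties |
               Where-Object { $meta -notcontains $_.Name } | ForEach-Object { ([string]$_.Value).ToLower() })

    $sysDlls = @{}
    foreach ($f in Get-ChildItem -LiteralPath (Join-Path $env:SystemRoot 'System32') -Filter *.dll -File) { $sysDlls[$f.Name.ToLower()] = $true }

    foreach ($proc in Get-Process) {
        try { $mods = $proc.Modules } catch { continue }   # protected or other-session processes
        foreach ($m in $mods) {
            $path = $m.FileName
            if (-not $path) { continue }
            $name = [IO.Path]::GetFileName($path).ToLower()
            if (-not $sysDlls.ContainsKey($name)) { continue }
            if ($path.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase)) { continue }
            $note = 'same name as a System32 DLL, loaded from outside the Windows directory'
            if ($known -contains $name) { $note = 'KnownDLL name loaded from outside System32' }
            $sig = (Get-AuthenticodeSignature -LiteralPath $path).Status
            [pscustomobject]@{ Kind = 'Module'; Process = $proc.ProcessName; Module = $name; Path = $path; Note = "$note; signature=$sig" }
        }
    }
}

Get-DllSearchOrderFindings | Format-Table -AutoSize -Wrap
```

An unsigned module in a signed vendor's application directory, with a name such as version.dll or dwmapi.dll, is the classic sideload pattern; a signed runtime DLL shipped by the vendor is the usual benign hit.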
COM (Component Object Model) object hijacking
COM is a Windows system that enables interaction between software components through the operating system.
Adversaries can replace a reference to a legitimate system component with malicious code, which will be executed instead of the legitimate component.
Can be detected in the SOFTWARE hive under the '...\Classes\CLSID' keys
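The resolution step shared by the Browser Helper Objects item and the COM hijacking item, as an added example that is not part of this wiki: it resolves each BHO CLSID to its DLL, and lists every per-user CLSID with an in-process server, noting which ones shadow a machine-wide entry.

```powershell
# Added example, not part of the wiki. Resolves CLSIDs to their InprocServer32 DLL for two
# of the items above: the Browser Helper Objects list, and every CLSID with an in-process
# server registered in the user's own Classes hive (UsrClass.dat on disk, HKCU:\Software\Classes
# live). COM consults the per-user hive before the machine one, so a user-level entry for a
# CLSID that also exists under HKLM shadows it for that user. Live system by default; an
# evidence UsrClass.dat can be inspected after
#   reg load HKLM\EvUsrClass E:\case\Users\alice\AppData\Local\Microsoft\Windows\UsrClass.dat
# by passing -UserClasses 'HKLM:\EvUsrClass' (name and path are placeholders).

function Get-InprocServer {
    # DLL path registered for a CLSID under one Classes root, or $null if there is none.
    param([string]$ClassesRoot, [string]$Clsid)
    $k = "$ClassesRoot\CLSID\$Clsid\InprocServer32"
    if (-not (Test-Path -LiteralPath $k)) { return $null }
    $v = (Get-ItemProperty -LiteralPath $k).'(default)'
    if ($v) { [Environment]::ExpandEnvironmentVariables([string]$v) }
}

function Get-DllNote {
    param([string]$Dll)
    if (-not $Dll) { return 'no InprocServer32' }
    if (-not (Test-Path -LiteralPath $Dll)) { return 'DLL missing: a phantom entry is trivially hijackable' }
    $sig = (Get-AuthenticodeSignature -LiteralPath $Dll).Status
    if ($Dll -match '(?i)\\(AppData|Temp|ProgramData|Public)\\') { return "user-writable path; signature=$sig" }
    "signature=$sig"
}

function Get-ComFindings {
    param([string]$UserClasses = 'HKCU:\Software\Classes',
          [string]$MachineClasses = 'HKLM:\SOFTWARE\Classes')

    # 1. BHOs: the subkey name is the CLSID; the DLL is wherever that CLSID resolves to.
    $bhoRoots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
                'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    foreach ($root in $bhoRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($sk in Get-ChildItem -LiteralPath $root) {
            $clsid = $sk.PSChildName
            $from = 'user'; $dll = Get-InprocServer $UserClasses $clsid
            if (-not $dll) { $from = 'machine'; $dll = Get-InprocServer $MachineClasses $clsid }
            [pscustomobject]@{ Kind = 'BHO'; CLSID = $clsid; Dll = $dll; ResolvedFrom = $from; Note = (Get-DllNote $dll) }
        }
    }

    # 2. Hijack candidates: every per-user CLSID with an InprocServer32. Elevated processes
    #    ignore per-user COM registrations, so these bite medium-integrity processes.
    if (Test-Path -LiteralPath "$UserClasses\CLSID") {
        foreach ($sk in Get-ChildItem -LiteralPath "$UserClasses\CLSID") {
            $clsid = $sk.PSChildName
            $dll = Get-InprocServer $UserClasses $clsid
            if (-not $dll) { continue }
            $machineDll = Get-InprocServer $MachineClasses $clsid
            $note = 'per-user COM server'
            if ($machineDll) { $note = "shadows machine entry ($machineDll)" }
            [pscustomobject]@{ Kind = 'UserCLSID'; CLSID = $clsid; Dll = $dll; ResolvedFrom = 'user'; Note = "$note; $(Get-DllNote $dll)" }
        }
    }
}

Get-ComFindings | Format-Table -AutoSize -Wrap
```

Per-user installs (OneDrive, Teams and the like) register plenty of legitimate user-level CLSIDs, so the interesting rows are the ones that shadow a machine entry, point at a missing file, or load an unsigned DLL from a user-writable path.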
Scheduled Tasks
Task definitions are XML files, one per task, under '...\Windows\System32\Tasks' (legacy .job files live in '...\Windows\Tasks'); the scheduler's index is in the SOFTWARE hive under '...\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache', where 'Tree' maps the task path to an Id and 'Tasks\{Id}' holds the registered actions.
Jobs run at their triggers (a time, logon, idle, or an event) under the account and privilege level recorded in the XML. Note the Author, the Exec Command and Arguments (or the ClassId of a ComHandler action), and whether Hidden is set. A task file with no TaskCache entry, or the reverse, needs explaining.
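Reading the task files and cross-checking them with TaskCache, as an added example that is not part of this wiki (live system, default paths assumed).

```powershell
# Added example, not part of the wiki. Parses every task definition under
# %SystemRoot%\System32\Tasks (an XML file per task), lists author, run-as account,
# triggers and actions, and cross-checks each task against the scheduler's TaskCache
# index in the SOFTWARE hive. Live system; paths are the defaults.

function Get-TaskFindings {
    param([string]$TaskDir = "$env:SystemRoot\System32\Tasks",
          [string]$TaskTree = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree')

    foreach ($f in Get-ChildItem -LiteralPath $TaskDir -File -Recurse -Force) {
        $rel = $f.FullName.Substring($TaskDir.Length)   # task path as the scheduler names it, e.g. \Microsoft\Windows\...
        try { [xml]$x = Get-Content -LiteralPath $f.FullName -Raw } catch {
            [pscustomobject]@{ Task = $rel; Author = ''; RunAs = ''; Triggers = ''; Actions = ''; Modified = $f.LastWriteTime; Note = 'not parseable as task XML' }
            continue
        }
        $actions = @()
        foreach ($e in @($x.Task.Actions.Exec))       { if ($e) { $actions += "$($e.Command) $($e.Arguments)".Trim() } }
        foreach ($c in @($x.Task.Actions.ComHandler)) { if ($c) { $actions += "COM $($c.ClassId)" } }   # code hidden behind a CLSID
        $cmd = $actions -join ' | '
        $triggers = @($x.Task.Triggers.ChildNodes | ForEach-Object { $_.LocalName }) -join ','
        $runAs = [string]$x.Task.Principals.Principal.UserId
        if (-not $runAs) { $runAs = [string]$x.Task.Principals.Principal.GroupId }

        $note = @()
        if (-not (Test-Path -LiteralPath "$TaskTree$rel")) { $note += 'no TaskCache\Tree entry' }
        if ($x.Task.Settings.Hidden -eq 'true') { $note += 'hidden' }
        if ($x.Task.Principals.Principal.RunLevel -eq 'HighestAvailable') { $note += 'runs elevated' }
        if ($cmd -match '(?i)(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32)') { $note += 'script host / LOLBin' }
        if ($cmd -match '(?i)\\(AppData|Temp|ProgramData|Public|Users)\\') { $note += 'user-writable path' }

        [pscustomobject]@{
            Task = $rel; Author = [string]$x.Task.RegistrationInfo.Author; RunAs = $runAs
            Triggers = $triggers; Actions = $cmd; Modified = $f.LastWriteTime; Note = ($note -join '; ')
        }
    }
}

Get-TaskFindings | Format-Table -AutoSize -Wrap
```

The Modified column is the file's last-write time, which is the quickest way to spot a task registered during the incident window among the hundreds of Microsoft ones.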
MS Office Add-In
Per-user (NTUSER.DAT / HKCU) and machine-wide (SOFTWARE hive) keys under '...\Microsoft\Office\16.0\Word\Security\Trusted Locations', one 'LocationN' subkey per path; the version number and the application (Word, Excel, PowerPoint, Outlook) vary
Documents in a trusted location run macros without prompting, and the default locations include Word's STARTUP folder, from which Word auto-loads templates (.dot/.dotm) and WLL add-in DLLs at launch; Excel does the same with XLSTART (.xla/.xlam/.xll). Also check the 'Addins' subkeys (COM add-ins; 'LoadBehavior' = 3 loads at start) and Excel's 'Options\OPEN' values, each of which names a file to open at launch.
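The Office locations above enumerated for the current user, as an added example that is not part of this wiki (version 16.0 as on the page; the Click-to-Run XLSTART path under Program Files is an assumption).

```powershell
# Added example, not part of the wiki. Lists what Word and Excel load automatically for
# the current user: Trusted Locations, the STARTUP/XLSTART folders and the Addins keys,
# plus Excel's Options\OPEN values. The 16.0 version from the page is the default; the
# Click-to-Run XLSTART path under Program Files is an assumption for this example.

function Get-OfficeAutoloadFindings {
    param([string]$Version = '16.0')
    $hives = 'HKCU:\Software', 'HKLM:\SOFTWARE', 'HKCU:\Software\Policies', 'HKLM:\SOFTWARE\Policies'
    $autoload = '\.(dot|dotm|dotx|wll|xla|xlam|xll|xlsm|xlsb)$'

    foreach ($app in 'Word', 'Excel') {
        foreach ($h in $hives) {
            # Trusted Locations: one LocationN subkey per path; macros in these paths run without a prompt.
            $tl = "$h\Microsoft\Office\$Version\$app\Security\Trusted Locations"
            if (Test-Path -LiteralPath $tl) {
                foreach ($sk in Get-ChildItem -LiteralPath $tl) {
                    $p = Get-ItemProperty -LiteralPath $sk.PSPath
                    $note = ''
                    if ($p.AllowSubfolders -eq 1) { $note = 'subfolders trusted' }
                    [pscustomobject]@{ App = $app; Kind = 'TrustedLocation'; Source = $sk.PSChildName; Item = [Environment]::ExpandEnvironmentVariables([string]$p.Path); Note = $note }
                }
            }
            # COM add-ins register a ProgID subkey here (with or without the version in the path);
            # LoadBehavior 3 = load at start. The code is the ProgID's CLSID -> InprocServer32.
            foreach ($ai in "$h\Microsoft\Office\$app\Addins", "$h\Microsoft\Office\$Version\$app\Addins") {
                if (-not (Test-Path -LiteralPath $ai)) { continue }
                foreach ($sk in Get-ChildItem -LiteralPath $ai) {
                    $lb = (Get-ItemProperty -LiteralPath $sk.PSPath).LoadBehavior
                    [pscustomobject]@{ App = $app; Kind = 'ComAddin'; Source = $ai; Item = $sk.PSChildName; Note = "LoadBehavior=$lb" }
                }
            }
        }
    }

    # Startup folders: Word loads templates and .wll add-ins from STARTUP (relocatable via
    # Options\STARTUP-PATH), Excel loads XLSTART.
    $wordStartup = (Get-ItemProperty -LiteralPath "HKCU:\Software\Microsoft\Office\$Version\Word\Options" -ErrorAction SilentlyContinue).'STARTUP-PATH'
    if (-not $wordStartup) { $wordStartup = "$env:APPDATA\Microsoft\Word\STARTUP" }
    $folders = @(
        @{ App = 'Word';  Path = $wordStartup },
        @{ App = 'Excel'; Path = "$env:APPDATA\Microsoft\Excel\XLSTART" },
        @{ App = 'Excel'; Path = "$env:ProgramFiles\Microsoft Office\root\Office16\XLSTART" }   # assumed Click-to-Run layout
    )
    foreach ($fo in $folders) {
        if (-not (Test-Path -LiteralPath $fo.Path)) { continue }
        foreach ($f in Get-ChildItem -LiteralPath $fo.Path -File -Force) {
            if ($f.Name -notmatch "(?i)$autoload") { continue }
            [pscustomobject]@{ App = $fo.App; Kind = 'StartupFile'; Source = $fo.Path; Item = $f.Name; Note = "modified $($f.LastWriteTime)" }
        }
    }

    # Excel also opens every file named in Options\OPEN, OPEN1, OPEN2 ... at launch.
    $xo = "HKCU:\Software\Microsoft\Office\$Version\Excel\Options"
    if (Test-Path -LiteralPath $xo) {
        foreach ($p in (Get-ItemProperty -LiteralPath $xo).PSObject.Properties) {
            if ($p.Name -match '^OPEN\d*$') { [pscustomobject]@{ App = 'Excel'; Kind = 'OptionsOPEN'; Source = $xo; Item = $p.Name; Note = [string]$p.Value } }
        }
    }
}

Get-OfficeAutoloadFindings | Format-Table -AutoSize -Wrap
```

For other profiles, load the user's NTUSER.DAT and substitute its root for HKCU:\Software in $hives; the STARTUP and XLSTART folders then sit under that profile's AppData\Roaming rather than $env:APPDATA.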