Malware uses startup registry keys to make a program run when a user logs on.
Run Key makes the program run every time the user logs on.
RunOnce key makes the program run once, and then the key is deleted.
Both keys can be located at:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
Adversaries also use service entries in the registry to implant their malware.
The Services registry key stores information about each service on the system. Services can be used to load malicious drivers into the system.
A program can be registered as a service by running:
SC.exe
REGSVR.exe
These registry keys are located at:
HKLM\SYSTEM\CurrentControlSet\Services
HKLM\SYSTEM\CurrentControlSet\Services\DriverName
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Adversaries can achieve persistence by adding their malware to Winlogon.
Winlogon is a part of the Windows operating system that provides interactive logon support.
Winlogon Registry Key can be located at:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
One of the techniques adversaries use is to create a scheduled task to run their malware at a specific time and date.
Task Scheduler enables you to automatically perform routine tasks on a chosen computer.
A scheduled task can be added to the registry by running the following command:
schtasks /Create /SC minute /TN "sample" /TR "<location_of_exe>" /ST <time>
This Registry Key can be found at:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\Taskcache\Tasks
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\Taskcache\Tree
Adversaries tweak the IFEO registry key for persistence, so that their malware runs whenever a piece of legitimate software is started.
Image File Execution Options (IFEO) is often used to turn on debugging automatically when a process starts, by setting the appropriate registry value for the "Tracing Flags" options.
This Registry Key can be found at:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
See Blog Post: Persistence AppInit_DLLs
Adversaries can also achieve persistence by hijacking a process in the form of a process injection technique.
AppInit_Dlls provides an easy way to hook system APIs by allowing custom DLLs to be loaded into the address space of every interactive application.
AppInit_Dlls is abused by malware for the same basic reason, which is to hook APIs; after the custom DLL is loaded, it can hook a well-known system API and implement alternate functionality.
#Note: If you are hunting for malicious DLLs, take a look at the DLLs registered inside this key.
This Registry Key can be located at:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes.
AppCert_Dlls: the library entries in this registry key are loaded into each process that calls at least one of the following APIs:
- CreateProcess()
- CreateProcessAsUser()
- CreateProcessWithLogonW()
- CreateProcessWithTokenW()
- WinExec()
This Registry Key can be located at:
HKLM\System\CurrentControlSet\Control\Session Manager\KnownDll
Adversaries use COM to interact with legitimate software components, even if those components have no knowledge of each other's implementation.
COM is a platform-independent, distributed, object-oriented system for creating binary software components that can interact.
COM is a client/server framework. A COM Client is a program that uses the service of the COM server. A Server is an object that provides service to the clients.
This Registry Key is located at:
HKEY_CLASSES_ROOT\CLSID
HKLM\Software\Classes\CLSID
KERNEL32.DLL - Core functionality of a program, including reading and writing files
WS2_32.DLL - Network functionality (e.g. TCP/IP)
MSVCRT.DLL - Compiler wrapper code
USER32.DLL - Manipulates elements of the Windows interface (e.g. desktop, windows)
ADVAPI32.DLL - Registry and encryption
NETAPI32.DLL - Functions for querying and managing network interfaces
OLE32.DLL - Provides the Component Object Model
GDI32.DLL - Primitive drawing functions for graphics functionality
COMCTL32.DLL - Standard Windows controls, such as File Open, Save, etc.
COMDLG32.DLL - Windows dialog boxes that perform "common application tasks"
WININET.DLL - Contains Internet-related functions used by Windows applications
MSI.DLL - Functions used to install MSI (Microsoft Installer) packages
Adversaries use the startup locations on disk to achieve persistence.
These locations can be found at:
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup (i.e. %AppData%\Microsoft\Windows\Start Menu\Programs\Startup)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
These locations can be easily opened from the Start menu:
First, search for Run.
Next, type one of the following:
- shell:common startup
- shell:startup
Adversaries use the Temp directory to store their malware and other artifacts.
The Temp directory is used to store temporary files.
This directory can be located at:
%systemdrive%\Windows\Temp
%userprofile%\AppData\Local\Temp
#Note: When a program located in this directory is executed and you observe that your system is behaving oddly, it may be malware and requires double-checking.
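As an added example (not part of the original notes), the read-only PowerShell audit below walks the Run/RunOnce, Winlogon and AppInit_DLLs keys listed above, resolves the executable each entry launches, and flags entries that run from a temp or user-writable directory such as the Temp and AppData locations mentioned in the last two sections. The key list, the value names examined under Winlogon and Windows, and the set of "suspicious" directory prefixes are assumptions made for this example.

```powershell
# Added example, not from the original notes. Read-only: it only reads the registry
# and tests file paths. Assumed choices: the key list, the Winlogon/Windows value
# names, and the prefixes treated as suspicious (temp and user-writable directories).
$AutostartKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
# Under Winlogon and Windows only these values are launch points; elsewhere every value is.
$ValuesOfInterest = @{ Winlogon = @('Userinit', 'Shell'); Windows = @('Run', 'AppInit_DLLs') }
$SuspiciousPrefixes = @($env:TEMP, "$env:SystemRoot\Temp", $env:LOCALAPPDATA, $env:APPDATA, $env:ProgramData) |
    Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() }

function Get-LaunchedPath([string]$Command) {
    # Take the first entry of a comma-separated list (Userinit/AppInit_DLLs style),
    # expand %VAR% references, then strip surrounding quotes and any arguments.
    $first = [Environment]::ExpandEnvironmentVariables(($Command -split ',')[0].Trim())
    if ($first -match '^"([^"]+)"') { return $Matches[1] }
    return ($first -split '\s+')[0]
}

$report = foreach ($key in $AutostartKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    $leaf  = Split-Path -Path $key -Leaf
    $names = $props.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' }
    if ($ValuesOfInterest.ContainsKey($leaf)) { $names = $ValuesOfInterest[$leaf] }
    foreach ($name in $names) {
        $command = $props.$name
        if ([string]::IsNullOrWhiteSpace($command)) { continue }
        $path = Get-LaunchedPath ([string]$command); if (-not $path) { continue }
        $lower = $path.ToLowerInvariant()
        [pscustomobject]@{
            Key     = $key
            Name    = $name
            Command = $command
            Exists  = Test-Path -LiteralPath $path -PathType Leaf   # false for bare names like explorer.exe
            Suspect = [bool]($SuspiciousPrefixes | Where-Object { $lower.StartsWith($_) })
        }
    }
}
$report | Sort-Object -Property Suspect -Descending | Format-Table -AutoSize
```

Run it in an elevated session to read the HKLM keys reliably; the same pattern extends to the Services, TaskCache and IFEO keys above by adding them to the list and choosing the value names (for example ImagePath) to inspect.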