Incident Response - Endpoint Analysis

Malware Registry Persistence Techniques

Malware uses startup registry keys to make a program run when a user logs on. 

The Run key makes the program run every time the user logs on.

The RunOnce key makes the program run once: by default Windows deletes the value before the command is executed (a value name prefixed with "!" is deleted only after the command completes), so the entry may already be gone by the time you look.

These keys, together with the related policy and per-user locations, are:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows (its Load and Run values are executed at logon; note that Run here is a value under this key, not a subkey)
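The following is an added triage script, not code from the original page: it enumerates the autostart keys listed above under HKLM, HKCU and every other loaded user hive, pulls the executable out of each command line, checks its Authenticode signature and flags entries that run from user-writable or temporary locations. The list of suspicious path patterns is an assumption to tune for your environment; run it from an elevated PowerShell.

```powershell
# Added example, not from the original page. Enumerates the autostart keys listed
# above under HKLM, HKCU and every other loaded user hive, pulls the executable out
# of each command line, checks its Authenticode signature and flags entries that run
# from user-writable or temporary locations. Run from an elevated PowerShell.

$autostartSubKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'Software\Microsoft\Windows NT\CurrentVersion\Windows'    # only its Load and Run values are autostarts
)

# Heuristic list of locations a legitimate autostart rarely points into (assumption: tune per estate).
$suspiciousPatterns = @('\\Temp\\', '\\Users\\Public\\', '\\Downloads\\', '\\AppData\\Roaming\\[^\\]+\.exe$', '\\ProgramData\\[^\\]+\.exe$')

# Take the program out of a command line: quoted path first, else the first whitespace-delimited token.
function Get-ExecutableFromCommand([string]$CommandLine) {
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($CommandLine.Trim() -split '\s+')[0]
}

function Get-AutostartEntries {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null
    $mySid = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $otherUsers = Get-ChildItem HKU:\ |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' -and $_.PSChildName -ne $mySid } |
        ForEach-Object { "HKU:\$($_.PSChildName)" }
    $hives = @('HKLM:', 'HKCU:') + $otherUsers

    foreach ($hive in $hives) {
        foreach ($sub in $autostartSubKeys) {
            $key = Join-Path $hive $sub
            if (-not (Test-Path $key)) { continue }
            $values = Get-ItemProperty -Path $key
            foreach ($v in $values.PSObject.Properties) {
                if ($v.Name -like 'PS*') { continue }                              # provider metadata, not a registry value
                if ($sub -like '*Windows NT*' -and $v.Name -notin 'Load', 'Run') { continue }
                $exe = [Environment]::ExpandEnvironmentVariables((Get-ExecutableFromCommand ([string]$v.Value)))
                if (-not (Test-Path -LiteralPath $exe)) {
                    # bare names such as rundll32.exe resolve through PATH
                    $resolved = Get-Command $exe -ErrorAction SilentlyContinue
                    if ($resolved -and $resolved.Source) { $exe = $resolved.Source }
                }
                $exists = Test-Path -LiteralPath $exe
                $signature = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $exe).Status } else { 'MISSING' }
                $flagged = (-not $exists) -or ($signature -ne 'Valid') -or
                           [bool]($suspiciousPatterns | Where-Object { $exe -match $_ })
                [pscustomobject]@{
                    Key = $key; Name = $v.Name; Command = $v.Value
                    Executable = $exe; Signature = $signature; Flagged = $flagged
                }
            }
        }
    }
}

Get-AutostartEntries | Sort-Object Flagged -Descending | Format-Table -AutoSize
```

Read the Flagged rows first: a missing binary usually means the dropper cleaned up after itself, and an unsigned or NotSigned status on a binary under AppData or Temp is the classic picture. Hives of users who are not logged on are not loaded under HKEY_USERS and need to be loaded with reg load first.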

Adversaries also register their malware as a Windows service so that the Service Control Manager starts it for them.

The Services registry key stores the configuration of every service and driver on the system: the binary (ImagePath), the start type, the service type and the account it runs under. Because kernel drivers are registered the same way, this key is also how malicious drivers get loaded.

A service can be registered from the command line with:

sc.exe (for example: sc create <name> binPath= "<location_of_exe>" start= auto; the space after each "=" is required)

New-Service in PowerShell

Note that regsvr32.exe does not create services; it registers COM server DLLs.

The relevant registry keys are:

HKLM\SYSTEM\CurrentControlSet\Services

HKLM\SYSTEM\CurrentControlSet\Services\<ServiceName> (one subkey per service or driver; ImagePath is the binary, Type distinguishes drivers from services, Start is the start type)

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

(RunServices and RunServicesOnce are legacy Windows 9x/ME keys that current Windows versions do not process; they are listed for completeness.)
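The script below is an added example, not part of the original page. It walks HKLM\SYSTEM\CurrentControlSet\Services directly, decodes the Type and Start values, normalises the several forms ImagePath takes into a real file path, and flags any service or driver whose binary is missing, not validly signed, or (for drivers) outside the Windows directory. The Type and Start mappings are the documented SCM values; the "driver outside Windows is suspicious" rule is a triage heuristic.

```powershell
# Added example, not from the original page. Walks the Services key, decodes the
# Type and Start values, normalises ImagePath into a real file path and flags any
# service or driver whose binary is missing, unsigned, or (for drivers) outside the
# Windows directory. Run from an elevated PowerShell; expect it to take a minute.

$typeNames  = @{ 1 = 'KernelDriver'; 2 = 'FileSystemDriver'; 16 = 'Win32OwnProcess'; 32 = 'Win32ShareProcess' }
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Manual'; 4 = 'Disabled' }

# Convert the forms ImagePath takes in practice into a plain path:
#   \SystemRoot\system32\drivers\x.sys   system32\drivers\x.sys   \??\C:\x\y.sys
#   %SystemRoot%\system32\svchost.exe -k netsvcs   "C:\Program Files\v\svc.exe" /arg
function Resolve-ImagePath([string]$ImagePath) {
    $p = $ImagePath.Trim()
    if ($p -match '^"([^"]+)"') { $p = $Matches[1] }
    else { $p = ($p -split '\s+(?=[-/])')[0] }          # strip " -k netsvcs" style arguments
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^system32\\', "$env:SystemRoot\system32\"
    return [Environment]::ExpandEnvironmentVariables($p)
}

function Get-ServiceBinaries {
    foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
        $cfg = Get-ItemProperty -Path $svc.PSPath
        if (-not $cfg.ImagePath) { continue }              # group or parameter-only keys carry no binary
        $type  = [int]$cfg.Type
        $start = [int]$cfg.Start
        $typeName  = if ($typeNames.ContainsKey($type))   { $typeNames[$type] }   else { '0x{0:X}' -f $type }
        $startName = if ($startNames.ContainsKey($start)) { $startNames[$start] } else { $start }
        $bin = Resolve-ImagePath $cfg.ImagePath
        $exists = Test-Path -LiteralPath $bin
        $signature = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $bin).Status } else { 'MISSING' }
        $isDriver  = ($type -band 0x3) -ne 0                # bits 0x1 / 0x2 mark kernel and file-system drivers
        $inWindows = $bin -like "$env:SystemRoot\*"
        [pscustomobject]@{
            Service   = $svc.PSChildName
            Type      = $typeName
            Start     = $startName
            Binary    = $bin
            Signature = $signature
            Flagged   = (-not $exists) -or ($signature -ne 'Valid') -or ($isDriver -and -not $inWindows)
        }
    }
}

Get-ServiceBinaries | Where-Object Flagged | Format-Table -AutoSize
```

Get-AuthenticodeSignature validates catalog-signed Windows binaries on Windows 8 and later, so built-in services come back Valid; a kernel driver with Start=Boot or System whose binary is unsigned or lives outside System32\drivers is the case this is looking for.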

Adversaries can achieve persistence by adding their malware to Winlogon.

Winlogon is a part of the Windows operating system that provides interactive logon support.

The Winlogon registry key, and the two values under it that adversaries modify, are:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (a value, not a subkey; the default is C:\Windows\system32\userinit.exe, with a trailing comma, and malware appends its own program after the comma so that both run)

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (a value; the default is explorer.exe, and malware replaces it or appends to it; the same value under HKCU is honoured as well)
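As an added check, not taken from the original page: the script splits the Userinit and Shell values into their comma-separated entries and reports anything beyond the stock defaults, for HKLM and for every loaded user hive. The defaults it compares against (userinit.exe under System32, explorer.exe) are assumptions for a standard installation; any per-user Shell or Userinit value is flagged regardless of content because a clean profile normally has neither.

```powershell
# Added example, not from the original page. Splits the Winlogon Userinit and Shell
# values into their comma-separated entries and reports anything beyond the stock
# defaults, for HKLM and for every loaded user hive (the per-user Shell value is
# honoured too). The defaults below are assumptions for a standard install.

$expected = @{
    Userinit = @("$env:SystemRoot\system32\userinit.exe")   # stock value: 'C:\Windows\system32\userinit.exe,' (trailing comma)
    Shell    = @('explorer.exe')
}
$winlogonSub = 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-WinlogonOverrides {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null
    $hives = @('HKLM:') + (Get-ChildItem HKU:\ |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
        ForEach-Object { "HKU:\$($_.PSChildName)" })
    foreach ($hive in $hives) {
        $key = Join-Path $hive $winlogonSub
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $expected.Keys) {
            $raw = [string]$props.$name
            if (-not $raw) { continue }                                         # user hives normally have neither value
            $entries = $raw -split ',' | ForEach-Object { $_.Trim().Trim('"') } | Where-Object { $_ }
            $unexpected = @($entries | Where-Object { $expected[$name] -notcontains $_ })
            [pscustomobject]@{
                Key        = $key
                Value      = $name
                Raw        = $raw
                Unexpected = ($unexpected -join ' | ')
                Flagged    = ($unexpected.Count -gt 0) -or ($hive -ne 'HKLM:')   # any per-user override is worth a look
            }
        }
    }
}

Get-WinlogonOverrides | Format-Table -AutoSize
```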

One of the techniques adversaries use is to create a scheduled task to run their malware at a specific time and date.

Task Scheduler enables you to automatically perform routine tasks on a chosen computer.

A scheduled task can be created from the command line with schtasks, which records it in the registry (and writes the task definition as XML under C:\Windows\System32\Tasks). The /TR switch names the program to run:

schtasks /Create /SC MINUTE /TN "sample" /TR "<location_of_exe>" /ST <time>

This Registry Key can be found at:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\Taskcache\Tasks

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\Taskcache\Tree
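The following script is an added example and not from the original page. It lists every scheduled task with the program each action executes (the Task Scheduler API view, which needs Windows 8 / Server 2012 or later for Get-ScheduledTask), then cross-checks the TaskCache keys above: a GUID under Tasks with no matching Tree entry, or a Tree entry that lacks its SD (security descriptor) value, is a task that will not appear in the usual listings and should be examined. The "outside the Windows directory" filter on actions is a triage heuristic.

```powershell
# Added example, not from the original page. Lists scheduled tasks with the program
# each action executes (Task Scheduler API view), then cross-checks the TaskCache
# registry: a GUID under Tasks with no matching Tree entry, or a Tree entry without
# its SD (security descriptor) value, is a task that will not show in the usual
# listings and deserves a look. Run from an elevated PowerShell.

$taskCache = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache'

function Get-TaskActions {
    foreach ($t in Get-ScheduledTask) {
        foreach ($a in $t.Actions) {
            if (-not $a.Execute) { continue }                    # COM-handler actions have ClassId instead
            [pscustomobject]@{
                Task      = $t.TaskPath + $t.TaskName
                State     = $t.State
                RunAs     = $t.Principal.UserId
                Execute   = [Environment]::ExpandEnvironmentVariables($a.Execute).Trim('"')
                Arguments = $a.Arguments
            }
        }
    }
}

function Get-HiddenTaskCandidates {
    $tree = @{}
    Get-ChildItem "$taskCache\Tree" -Recurse | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        if ($p.Id) { $tree[$p.Id] = @{ Key = $_.Name; HasSD = [bool]$p.SD } }
    }
    foreach ($task in Get-ChildItem "$taskCache\Tasks") {
        $id = $task.PSChildName
        $entry = $tree[$id]
        $issue = if (-not $entry) { 'no Tree entry' } elseif (-not $entry.HasSD) { 'Tree entry has no SD value' } else { $null }
        if ($issue) {
            [pscustomobject]@{ Id = $id; Path = (Get-ItemProperty -Path $task.PSPath).Path; Issue = $issue }
        }
    }
}

# Actions running from outside the Windows directory are the usual first cut.
Get-TaskActions | Where-Object { $_.Execute -notlike "$env:SystemRoot\*" } | Format-Table -AutoSize
Get-HiddenTaskCandidates | Format-Table -AutoSize
```

Compare the Path value of any hidden candidate with the XML files under C:\Windows\System32\Tasks; a task that exists in the registry but whose XML has been removed, or the reverse, is as interesting as the action it runs.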

Adversaries tweak the Image File Execution Options (IFEO) registry key for persistence: adding a Debugger value under a subkey named after a legitimate executable makes Windows start the adversary's program whenever that executable is launched (the "debugger" receives the original command line and may or may not go on to run the real program).

Image File Execution Options exists for developers: setting the Debugger value under a subkey named for an image attaches a debugger automatically whenever that image starts, and the GlobalFlag value in the same place turns on heap-verification and tracing options.

This registry key can be found at:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<image.exe>

See Blog Post: Persistence AppInit_DLLs

Adversaries can also achieve persistence by having their DLL loaded into legitimate processes, a form of process injection.

AppInit_DLLs provides an easy way to hook system APIs: every DLL listed in this value is loaded into the address space of every process that loads user32.dll, which is essentially every interactive application.

AppInit_DLLs is abused by malware for the same basic reason, which is to hook APIs; once the custom DLL is loaded it can hook a well-known system API and implement alternate functionality.

#Note: If you are hunting for malicious DLLs, look at the DLLs registered in this value and check that LoadAppInit_DLLs is 1 (otherwise the list is ignored). On Windows 8 and later with Secure Boot enabled the AppInit_DLLs mechanism is disabled entirely, and RequireSignedAppInit_DLLs can restrict it to signed DLLs.

This registry key can be located at:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (a value under the Windows key; 32-bit processes on 64-bit Windows read HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs instead)

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes.

AppCertDlls: every DLL listed under this key is loaded into each process that calls at least one of the following APIs:

      • CreateProcess()
      • CreateProcessAsUser()
      • CreateProcessWithLogonW()
      • CreateProcessWithTokenW()
      • WinExec()

This registry key can be located at:

HKLM\System\CurrentControlSet\Control\Session Manager\AppCertDlls (usually absent on a clean system; KnownDLLs under the same Session Manager key is a different, unrelated list)
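One pass over the three DLL and debugger hijack points discussed above (IFEO Debugger values, AppInit_DLLs with its LoadAppInit_DLLs and RequireSignedAppInit_DLLs switches, and AppCertDlls), as an added example that is not part of the original page. It reads both the native and the Wow6432Node view where one exists and reports the signature status of every referenced file; bare DLL names are assumed to resolve to System32 for the purpose of the check, which is an approximation of the real loader search order.

```powershell
# Added example, not from the original page. One pass over the three DLL/debugger
# hijack points above: IFEO Debugger values, AppInit_DLLs (with its LoadAppInit_DLLs
# and RequireSignedAppInit_DLLs switches) and AppCertDlls, reading both the native and
# the Wow6432Node view where one exists, and reporting the signature status of every
# referenced file. Bare DLL names are assumed to resolve to System32 for the check.

function Get-FileStatus([string]$File) {
    $f = [Environment]::ExpandEnvironmentVariables($File.Trim().Trim('"'))
    if (-not [IO.Path]::IsPathRooted($f)) {
        $candidate = Join-Path $env:SystemRoot "System32\$f"                  # assumption: bare names load from System32
        if (Test-Path -LiteralPath $candidate) { $f = $candidate }
    }
    if (-not (Test-Path -LiteralPath $f)) { return "$f [MISSING]" }
    return "$f [$((Get-AuthenticodeSignature -LiteralPath $f).Status)]"
}

function Get-DllHijackPoints {
    foreach ($view in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') {
        # 1. IFEO: a Debugger value under <image>.exe makes Windows start that program instead.
        $ifeo = "$view\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
        foreach ($img in Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue) {
            $p = Get-ItemProperty -Path $img.PSPath
            if (-not $p.Debugger) { continue }
            $exe = if ($p.Debugger -match '^"([^"]+)"') { $Matches[1] } else { ($p.Debugger -split '\s+')[0] }
            [pscustomobject]@{ Location = 'IFEO'; View = $view; Target = $img.PSChildName; Setting = $p.Debugger; File = Get-FileStatus $exe }
        }
        # 2. AppInit_DLLs: only loaded when LoadAppInit_DLLs is 1 (and never under Secure Boot on Windows 8+).
        $win = Get-ItemProperty -Path "$view\Microsoft\Windows NT\CurrentVersion\Windows" -ErrorAction SilentlyContinue
        if ($win -and $win.AppInit_DLLs) {
            $switches = "LoadAppInit_DLLs=$($win.LoadAppInit_DLLs) RequireSigned=$($win.RequireSignedAppInit_DLLs)"
            foreach ($dll in ($win.AppInit_DLLs -split '[,\s]+' | Where-Object { $_ })) {
                [pscustomobject]@{ Location = 'AppInit_DLLs'; View = $view; Target = $switches; Setting = $dll; File = Get-FileStatus $dll }
            }
        }
    }
    # 3. AppCertDlls sits under SYSTEM, which has no Wow6432Node view; the key is usually absent on a clean system.
    $appCert = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls' -ErrorAction SilentlyContinue
    if ($appCert) {
        foreach ($v in ($appCert.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            [pscustomobject]@{ Location = 'AppCertDlls'; View = 'HKLM:\SYSTEM'; Target = $v.Name; Setting = $v.Value; File = Get-FileStatus ([string]$v.Value) }
        }
    }
}

Get-DllHijackPoints | Format-Table -AutoSize -Wrap
```

Expect some benign IFEO hits on developer machines (Visual Studio registers its just-in-time debugger this way); an IFEO Debugger pointing at a copy of cmd.exe, a script host or anything under a user profile is the pattern to chase. Any populated AppCertDlls key is unusual enough to investigate outright.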

Adversaries use COM to interact with, and hijack, legitimate software components that know nothing about the adversary's tooling.

COM is a platform-independent, distributed, object-oriented system for creating binary software components that can interact.

COM is a client/server framework. A COM Client is a program that uses the service of the COM server. A Server is an object that provides service to the clients.

COM classes are registered by CLSID at:

HKEY_CLASSES_ROOT\CLSID (a merged view of the two keys below)

HKLM\Software\Classes\CLSID

HKCU\Software\Classes\CLSID (per-user registrations are consulted before HKLM, which is what COM hijacking relies on)
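The script below is an added example, not code from the original page. Because HKCU\Software\Classes is consulted before HKLM\Software\Classes, a CLSID that has an InprocServer32 or LocalServer32 under a user hive shadows the machine-wide server; legitimate per-user COM registrations are rare enough that each one is worth reviewing. The script walks every loaded user hive, compares each per-user server against the HKLM registration for the same CLSID and checks the signature of the per-user binary.

```powershell
# Added example, not from the original page. Finds per-user COM server registrations.
# HKCU\Software\Classes is consulted before HKLM\Software\Classes, so a CLSID that has
# an InprocServer32 or LocalServer32 under a user hive shadows the machine-wide server;
# that is what COM hijacking relies on. Checks every loaded user hive under HKEY_USERS.

function Get-UserComServers {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null
    $hives = Get-ChildItem HKU:\ |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
        ForEach-Object { "HKU:\$($_.PSChildName)" }
    foreach ($hive in $hives) {
        $root = "$hive\Software\Classes\CLSID"
        if (-not (Test-Path $root)) { continue }
        foreach ($clsid in Get-ChildItem -Path $root) {
            foreach ($serverType in 'InprocServer32', 'LocalServer32') {
                $userKey = Join-Path $clsid.PSPath $serverType
                if (-not (Test-Path $userKey)) { continue }
                $userServer = [string](Get-ItemProperty -Path $userKey).'(default)'
                $machineKey = "HKLM:\Software\Classes\CLSID\$($clsid.PSChildName)\$serverType"
                $machineServer = if (Test-Path $machineKey) { [string](Get-ItemProperty -Path $machineKey).'(default)' } else { '<none>' }
                # quoted path, otherwise everything up to the first " -arg" or " /arg"
                $file = if ($userServer -match '^"([^"]+)"') { $Matches[1] } else { ($userServer -split '\s+(?=[-/])')[0] }
                $file = [Environment]::ExpandEnvironmentVariables($file)
                $signature = if ($file -and (Test-Path -LiteralPath $file)) { (Get-AuthenticodeSignature -LiteralPath $file).Status } else { 'MISSING' }
                [pscustomobject]@{
                    Hive          = $hive
                    CLSID         = $clsid.PSChildName
                    Server        = $serverType
                    UserServer    = $userServer
                    MachineServer = $machineServer
                    Shadows       = ($machineServer -ne '<none>') -and ($machineServer -ne $userServer)
                    Signature     = $signature
                }
            }
        }
    }
}

Get-UserComServers | Format-Table -AutoSize -Wrap
```

Shadows = True with an unsigned or missing UserServer is the hijack case; a per-user registration with no HKLM counterpart can still be an abandoned-CLSID hijack (a class that a built-in component tries to load but that is not registered machine-wide), so do not discard those rows either.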

Windows Common Libraries

KERNEL32.DLL - Core functionality of a program, including memory, process, thread and file operations (reading and writing files).

WS2_32.DLL – Network functionality (Winsock, e.g. TCP/IP sockets).

MSVCRT.DLL – Microsoft C runtime library (printf, malloc, string functions).

USER32.DLL – Manipulates elements of the Windows user interface (e.g. desktop, windows, messages, input).

ADVAPI32.DLL – Registry, service control, security and cryptography APIs.

NETAPI32.DLL – Network management functions (shares, accounts, domain information).

OLE32.DLL – Provides the Component Object Model.

GDI32.DLL – Primitive drawing functions for graphics functionality.

COMCTL32.DLL – Common controls such as toolbars, list views, tree views and progress bars.

COMDLG32.DLL – Common dialog boxes such as File Open, Save and Print.

WININET.DLL – Internet-related functions (HTTP, FTP) used by Windows applications.

MSI.DLL – Windows Installer functions used to install MSI packages.

Malware Disk Persistence Techniques

Adversaries drop their malware, or a shortcut to it, into the Startup folders on disk; anything there runs when the user logs on.

These folders are located at:

%AppData%\Microsoft\Windows\Start Menu\Programs\Startup (per user, i.e. C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup)

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup (all users)

These folders can be opened quickly from the Run dialog:

First, open Run (Win+R)

Next, type the following: 

      • shell:common startup 
      • shell:startup

Adversaries use the Temp directories to stage their malware and other artifacts.

The Temp directories hold temporary files and are writable without elevation, which makes them convenient drop locations.

This directory can be located at: 

%systemdrive%\Windows\Temp

%userprofile%\AppData\Local\Temp

#note: If a running program is located in one of these directories and the system is behaving oddly, treat it as possible malware and double-check it (hash, signature, parent process, when it was written).
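As an added example covering both disk locations above (not code from the original page): the first function lists everything in the common and per-user Startup folders, resolving .lnk shortcuts to their targets; the second lists executable and script files written to the Windows and per-user Temp directories within a chosen window, with hash and signature status. It assumes profiles live under C:\Users and uses a seven-day window by default; adjust $days to the incident timeline.

```powershell
# Added example, not from the original page. Lists everything in the common and
# per-user Startup folders (resolving .lnk targets), then lists executable or script
# files written to the Windows and per-user Temp directories in the last $days days,
# with hash and signature status. Assumes profiles under C:\Users.
$days = 7
$shell = New-Object -ComObject WScript.Shell          # used to read shortcut targets

function Get-StartupItems {
    $folders = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup") +
               (Get-ChildItem "$env:SystemDrive\Users" -Directory |
                ForEach-Object { "$($_.FullName)\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" })
    foreach ($f in $folders) {
        if (-not (Test-Path $f)) { continue }
        foreach ($item in Get-ChildItem $f -File -Force | Where-Object { $_.Name -ne 'desktop.ini' }) {
            $target = $item.FullName
            if ($item.Extension -ieq '.lnk') { $target = $shell.CreateShortcut($item.FullName).TargetPath }
            $signature = if ($target -and (Test-Path -LiteralPath $target)) { (Get-AuthenticodeSignature -LiteralPath $target).Status } else { 'MISSING' }
            [pscustomobject]@{ Folder = $f; Item = $item.Name; Target = $target; Signature = $signature; Modified = $item.LastWriteTime }
        }
    }
}

function Get-RecentTempExecutables([int]$Days) {
    $exts  = '.exe', '.dll', '.sys', '.scr', '.ps1', '.vbs', '.js', '.bat', '.cmd', '.hta', '.jar'
    $temps = @("$env:SystemRoot\Temp") +
             (Get-ChildItem "$env:SystemDrive\Users" -Directory | ForEach-Object { "$($_.FullName)\AppData\Local\Temp" })
    $since = (Get-Date).AddDays(-$Days)
    foreach ($t in $temps) {
        if (-not (Test-Path $t)) { continue }
        Get-ChildItem $t -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in $exts -and $_.LastWriteTime -ge $since } |
            ForEach-Object {
                [pscustomobject]@{
                    File      = $_.FullName
                    Size      = $_.Length
                    Modified  = $_.LastWriteTime
                    Signature = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
                    SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

Get-StartupItems | Format-Table -AutoSize
Get-RecentTempExecutables -Days $days | Sort-Object Modified -Descending | Format-Table -AutoSize
```

Run it elevated so other users' profiles are readable. LastWriteTime is easy for an attacker to backdate, so when a file looks wrong also compare its creation and MFT-change timestamps before trusting the timeline; the SHA256 column is there to feed into your threat-intel lookup.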