Persistence Mechanisms

The KAPE modules whose names contain ASEP (auto-start extensibility point) collect some, but not all, of the persistence locations listed below, so those can be gathered and searched very quickly.1

1. https://www.sans.org/blog/finding-registry-malware-persistence-with-recmd/


Auto-Run

Description: The Run and RunOnce registry keys list programs that Windows starts automatically when a user logs on. Entries under HKCU apply to that user only, entries under HKLM apply to every user of the machine, and a RunOnce entry is deleted after it has executed once. Because writing to HKCU needs no special privileges, these keys are the most common registry persistence used by malware. Not to be confused with AutoRun/AutoPlay for removable media (autorun.inf), which is a separate mechanism.

Registry:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (32-bit view on 64-bit Windows)
  • HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce

Path:

  • C:\Users\<username>\NTUSER.DAT (the HKCU hive; it sits in the profile root, not under AppData)
  • C:\Windows\System32\config\SOFTWARE

Analysis:

  • Search the Run/RunOnce values for suspicious entries: executables in user-writable directories (AppData, ProgramData, Temp, Public), script hosts or LOLBins with encoded or download arguments, and names that imitate legitimate software.
  • Focus on the attacker's activity window: the last-write time of each Run key shows when a value was last added or changed.

Software: RegRipper (plugin: run), Sysinternals Autoruns, KAPE (module: *ASEP*)


Scheduled Tasks

Description: Scheduled tasks in Windows allow users and administrators to automate the execution of programs or scripts at specific times or in response to particular events. This feature, managed through the Task Scheduler, is often used for routine maintenance, backups, and updates, but can also be exploited by malware to maintain persistence on a system.

Important information:

  • Task definitions are stored on disk as XML files under C:\Windows\System32\Tasks. The TaskCache\Tree key maps each task path to a GUID, and the matching TaskCache\Tasks\{GUID} subkey holds the binary Actions and Triggers blobs. A task present in one place but missing from the other deserves a closer look.
  • Task creation is logged as Security event 4698 (only when "Audit Other Object Access Events" is enabled) and as event 106 in Microsoft-Windows-TaskScheduler/Operational (that log is disabled by default).

Registry:

  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks
  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree

Path:

  • C:\Windows\System32\Tasks

Analysis:

  • Search for suspicious tasks: actions that run script hosts or LOLBins with encoded or download arguments, binaries in user-writable paths, tasks marked hidden, and tasks whose RegistrationInfo date falls in the attacker's activity window.

Software: RegRipper (plugins: taskcache, task), schtasks /query /v /fo LIST, Get-ScheduledTask (PowerShell)
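An added example of the analysis step above, not code from the original page: it parses every task XML under the Task Scheduler folder, lists the Exec actions with the registration date, author and run-as account, and flags the patterns named above. The flagging rules (the LOLBin list, the user-writable path regex and the argument regex) are the author's own heuristics, and the date in the usage line is a placeholder for the activity window. $TaskRoot defaults to the live folder; point it at a KAPE-collected copy of C:\Windows\System32\Tasks to work offline.

```powershell
# Added example (not from the original page): list the Exec actions of every task
# definition under the Task Scheduler folder and flag the usual red flags.
function Get-TaskActions {
    param([string]$TaskRoot = "$env:SystemRoot\System32\Tasks")
    $TaskRoot = (Resolve-Path -LiteralPath $TaskRoot).ProviderPath.TrimEnd('\')

    # Heuristics (author's choice): legitimate binaries routinely abused to run attacker scripts,
    # paths a normal user can write to, and argument patterns seen in scripted loaders.
    $lolbins      = 'powershell','pwsh','cmd','mshta','rundll32','regsvr32','wscript','cscript',
                    'certutil','bitsadmin','msiexec','schtasks'
    $userWritable = '(?i)\\(Users|ProgramData|Temp|AppData|Public)\\'
    $badArgs      = '(?i)(-e(nc|ncodedcommand)?\s|https?://|-w(indowstyle)?\s+hidden|iex\b|downloadstring|frombase64string)'

    Get-ChildItem -LiteralPath $TaskRoot -Recurse -File | ForEach-Object {
        $file = $_
        $xml  = New-Object System.Xml.XmlDocument
        try   { $xml.Load($file.FullName) }   # task files are UTF-16 XML; Load honours the BOM
        catch { Write-Warning "Unparseable task file: $($file.FullName)"; return }

        $task = $xml.Task
        foreach ($exec in @($task.Actions.Exec)) {   # ComHandler actions have no Exec node
            if ($null -eq $exec) { continue }
            $cmd       = ([string]$exec.Command).Trim()
            $arguments = [string]$exec.Arguments
            # last path component without extension, e.g. "powershell" from "%SystemRoot%\...\powershell.exe"
            $exe = (($cmd.Trim('"') -split '[\\/]')[-1]) -replace '\.[^.]+$', ''

            $flags = @()
            if ($cmd -match $userWritable)         { $flags += 'command in user-writable path' }
            if ($lolbins -contains $exe.ToLower()) { $flags += "lolbin: $exe" }
            if ($arguments -match $badArgs)        { $flags += 'suspicious arguments' }

            [pscustomobject]@{
                Task       = $file.FullName.Substring($TaskRoot.Length)
                Registered = [string]$task.RegistrationInfo.Date   # ISO 8601, local time of the registering host
                Author     = [string]$task.RegistrationInfo.Author
                RunAs      = [string]$task.Principals.Principal.UserId
                Hidden     = ([string]$task.Settings.Hidden) -eq 'true'
                Command    = $cmd
                Arguments  = $arguments
                Flags      = $flags -join '; '
            }
        }
    }
}

# Usage: flagged tasks first, then everything registered from a placeholder start date
# (replace with the start of the suspected attacker window; ISO dates compare correctly as strings).
Get-TaskActions | Where-Object Flags | Format-Table -AutoSize
Get-TaskActions | Where-Object { $_.Registered -ge '2024-01-01' } |
    Sort-Object Registered | Format-Table Task, Registered, Command, Arguments -AutoSize
```

The on-disk XML is what the scheduler registers, so this sees the same actions RegRipper's taskcache output decodes from the registry blobs; comparing the two lists catches a task that was removed from one location but not the other.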


Service

Description: In Windows, a service is a type of application that runs in the background and performs specific functions without requiring user interaction. Services can be configured to start automatically at boot, manually by a user, or triggered by specific events, making them a common method for ensuring persistent operation of critical system processes or third-party applications.

Important information:

  • The Start value gives the start type: 0 Boot, 1 System, 2 Automatic, 3 Manual, 4 Disabled. ImagePath names the binary; for svchost-hosted services the code that actually runs is the DLL named by the ServiceDll value of the Parameters subkey.
  • A new service installation is logged as event 7045 in the System log (and as Security event 4697 when "Audit Security System Extension" is enabled).

Registry: HKLM\SYSTEM\CurrentControlSet\Services

Analysis:

  • Check which services start automatically (Start = 2), which binary or ServiceDll each one loads and under which account (ObjectName); compare against a known-good baseline and check each service key's last-write time against the activity window.

Software: RegRipper (plugins: services, svc), Sysinternals Autoruns (Services and Drivers tabs)
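An added example for the service check above, not code from the original page: it walks the Services key, normalises the many ImagePath spellings to one file path, follows svchost-hosted services to their ServiceDll, and flags binaries outside Windows/Program Files, missing binaries, invalid Authenticode signatures and auto-start services with no description. The path regex and the flag rules are the author's own heuristics. It runs against the live system by default; to work on a collected SYSTEM hive, load it with reg load and pass that key (use ControlSet001 rather than CurrentControlSet, which only exists live), accepting that the on-disk and signature checks will then refer to the analysis machine.

```powershell
# Added example (not from the original page): report what each service really runs.
function Get-ServiceEntries {
    param([string]$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services')

    $startName = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Manual'; 4 = 'Disabled' }

    # Turn "C:\x.exe -k", "\??\C:\x.sys", "\SystemRoot\..." and "system32\drivers\x.sys" into one absolute path
    function Resolve-ImagePath([string]$raw) {
        $p = [Environment]::ExpandEnvironmentVariables($raw).Trim()
        if ($p -match '^"([^"]+)"') { $p = $Matches[1] }                       # quoted path, drop arguments
        elseif ($p -match '^(.+?\.(exe|sys|dll))(\s|$)') { $p = $Matches[1] }  # unquoted path, drop arguments
        $p = $p -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
        return $p
    }

    Get-ChildItem -LiteralPath $ServicesKey | ForEach-Object {
        $svc = Get-ItemProperty -LiteralPath $_.PSPath
        if (-not $svc.ImagePath) { return }   # not a service definition

        $binary = Resolve-ImagePath ([string]$svc.ImagePath)
        # svchost-hosted services: the code that runs is the ServiceDll under Parameters
        $dll = (Get-ItemProperty -LiteralPath "$($_.PSPath)\Parameters" -ErrorAction SilentlyContinue).ServiceDll
        if ($dll) { $binary = Resolve-ImagePath ([string]$dll) }

        $flags = @()
        if ($binary -notmatch '(?i)^[a-z]:\\(Windows|Program Files( \(x86\))?)\\') { $flags += 'binary outside Windows/Program Files' }
        if (-not (Test-Path -LiteralPath $binary)) { $flags += 'binary missing on disk' }
        elseif ((Get-AuthenticodeSignature -LiteralPath $binary).Status -ne 'Valid') { $flags += 'unsigned or invalid signature' }
        if ([int]$svc.Start -eq 2 -and -not $svc.Description) { $flags += 'auto-start with no Description' }

        [pscustomobject]@{
            Name    = $_.PSChildName
            Display = [string]$svc.DisplayName
            Start   = $startName[[int]$svc.Start]
            Type    = ('0x{0:X}' -f [int]$svc.Type)   # 0x1/0x2 drivers, 0x10 own process, 0x20 shared (svchost)
            Account = [string]$svc.ObjectName
            Binary  = $binary
            Flags   = $flags -join '; '
        }
    }
}

# Usage: only the flagged entries, auto-start first.
Get-ServiceEntries | Where-Object Flags | Sort-Object Start | Format-Table -AutoSize
```

A service whose ImagePath is svchost.exe is never the interesting part; the ServiceDll is, which is why the example replaces the binary with it before checking location and signature.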


Startup Folder

Description: The Startup Folder in Windows contains shortcuts to programs that are configured to run automatically when the system boots up. This folder allows users and applications to specify which programs should launch during the startup process, enabling the customization of the system’s initial operational environment.

Important information:

  • If KAPE collected the Startup folder and it came back empty, do not stop there: parse the $MFT for that directory's entries to see whether files were present and have since been deleted.

Path:

  • C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

Analysis:

  • Review every file in both folders, hidden ones included; resolve each .lnk shortcut to its target and arguments, and check creation times against the activity window.

Software: Sysinternals Autoruns (Logon tab); otherwise manual review of the folders
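An added example for the review step above, not code from the original page: it enumerates the all-users Startup folder and the Startup folder of every profile, includes hidden and system files, resolves .lnk shortcuts through the WScript.Shell COM object to their real target and arguments, and reports the timestamps needed to compare against the activity window. $ProfilesRoot and $ProgramDataRoot default to the live system; point them at a mounted image (the example paths E:\C\Users and E:\C\ProgramData are assumptions) to work offline, since the shortcut parser only reads the .lnk file itself.

```powershell
# Added example (not from the original page): list Startup folder items and what they launch.
function Get-StartupFolderItems {
    param(
        [string]$ProfilesRoot    = "$env:SystemDrive\Users",
        [string]$ProgramDataRoot = $env:ProgramData
    )
    $shell = New-Object -ComObject WScript.Shell   # used to read .lnk targets

    $folders = @(Join-Path $ProgramDataRoot 'Microsoft\Windows\Start Menu\Programs\StartUp')
    $folders += Get-ChildItem -LiteralPath $ProfilesRoot -Directory -ErrorAction SilentlyContinue |
                ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' }

    foreach ($folder in $folders) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        # -Force so hidden/system files (a favourite way to hide a dropped payload) are not skipped
        Get-ChildItem -LiteralPath $folder -Force -File | ForEach-Object {
            $target = $_.FullName; $arguments = ''
            if ($_.Extension -ieq '.lnk') {
                $lnk = $shell.CreateShortcut($_.FullName)   # parses the existing shortcut
                $target = $lnk.TargetPath; $arguments = $lnk.Arguments
            }
            [pscustomobject]@{
                Folder    = $folder
                Item      = $_.Name
                Hidden    = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                Created   = $_.CreationTimeUtc
                Modified  = $_.LastWriteTimeUtc
                Target    = $target
                Arguments = $arguments
            }
        }
    }
}

# desktop.ini is expected in every Startup folder; anything else deserves a look at its target.
Get-StartupFolderItems | Where-Object Item -ne 'desktop.ini' | Sort-Object Created | Format-Table -AutoSize
```

Example usage: `Get-StartupFolderItems -ProfilesRoot 'E:\C\Users' -ProgramDataRoot 'E:\C\ProgramData'` runs the same sweep over a mounted image.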


Other Registry Keys:
  • Command Processor AutoRun
    • Whatever is in the AutoRun value is executed silently every time cmd.exe starts (unless cmd is launched with /D), so the payload hides behind ordinary shell use.
    • HKLM\SOFTWARE\Microsoft\Command Processor
    • HKCU\Software\Microsoft\Command Processor
    • Search for an AutoRun value inside these keys; there is none by default.
  • Winlogon
    • The Userinit and Shell values are executed at every interactive logon, so a program appended to either runs without the user's knowledge.
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    • Check the Userinit value (default C:\Windows\system32\userinit.exe, including the trailing comma) and the Shell value (default explorer.exe) for anything appended or replaced.
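An added example, not code from the original page, that serves both the Auto-Run section and the registry keys listed here: one sweep over the Run/RunOnce keys (including the WOW6432Node view), the cmd.exe AutoRun value and the Winlogon Userinit/Shell values, on HKLM and on every user hive loaded under HKEY_USERS. The default values it compares against are the stock Windows ones quoted above; the path and argument regexes are the author's own heuristics. On a live system it covers the logged-on users; an NTUSER.DAT collected from a profile can be loaded first with `reg load HKU\Suspect <path>\NTUSER.DAT` (hive name Suspect is an arbitrary choice) and is then swept like any other user hive.

```powershell
# Added example (not from the original page): sweep Run/RunOnce, cmd.exe AutoRun and Winlogon values.
function Get-RegistryAseps {
    $userWritable = '(?i)\\(Users|ProgramData|Temp|AppData|Public)\\'
    $badArgs      = '(?i)(-e(nc|ncodedcommand)?\s|https?://|-w(indowstyle)?\s+hidden|iex\b|downloadstring|frombase64string)'
    $psNoise      = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'   # provider properties, not registry values

    function New-Finding([string]$Key, [string]$Name, [string]$Value, $Expected) {
        $flags = @()
        if ($null -ne $Expected -and $Value -ne $Expected) { $flags += "differs from default '$Expected'" }
        if ($Value -match $userWritable) { $flags += 'points into user-writable path' }
        if ($Value -match $badArgs)      { $flags += 'suspicious arguments' }
        [pscustomobject]@{ Key = $Key; Name = $Name; Value = $Value; Flags = $flags -join '; ' }
    }

    $runSubkeys = 'Software\Microsoft\Windows\CurrentVersion\Run',
                  'Software\Microsoft\Windows\CurrentVersion\RunOnce',
                  'Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
                  'Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce'

    # HKLM plus every loaded user hive (skip the *_Classes hives, which hold UsrClass.dat)
    $roots = @('Registry::HKEY_LOCAL_MACHINE') +
             @(Get-ChildItem -LiteralPath 'Registry::HKEY_USERS' |
               Where-Object { $_.PSChildName -notlike '*_Classes' } |
               ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)" })

    foreach ($root in $roots) {
        foreach ($sub in $runSubkeys) {
            $key   = "$root\$sub"
            $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
            if (-not $props) { continue }
            foreach ($p in $props.PSObject.Properties) {
                if ($psNoise -contains $p.Name) { continue }
                New-Finding -Key $key -Name $p.Name -Value ([string]$p.Value) -Expected $null
            }
        }
        # cmd.exe runs this value on every start (unless launched with /D); there is no value by default
        $cpKey = "$root\Software\Microsoft\Command Processor"
        $cp = Get-ItemProperty -LiteralPath $cpKey -Name AutoRun -ErrorAction SilentlyContinue
        if ($cp) { New-Finding -Key $cpKey -Name AutoRun -Value ([string]$cp.AutoRun) -Expected '' }
    }

    # Winlogon: both values have stock defaults; anything appended to them is the payload
    $wlKey = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $wl = Get-ItemProperty -LiteralPath $wlKey
    New-Finding -Key $wlKey -Name Userinit -Value ([string]$wl.Userinit) -Expected "$env:SystemRoot\system32\userinit.exe,"
    New-Finding -Key $wlKey -Name Shell    -Value ([string]$wl.Shell)    -Expected 'explorer.exe'
}

# Usage: flagged entries only; drop the Where-Object to see every Run value for manual review.
Get-RegistryAseps | Where-Object Flags | Format-Table -AutoSize
```

Run values have no default to compare against, so they are listed with heuristic flags only; AutoRun and the two Winlogon values do, so any deviation from the expected string is reported as such, which is what the manual search in the list above asks for.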