Persistence
A set of forensic artefacts that might help spot someone trying to settle down on a system. This list is not complete.
AppInit
For each application that loads User32.dll (most GUI programs), Windows also loads the DLLs listed under AppInit_DLLs during DLL_PROCESS_ATTACH.
Location
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
AT Jobs
A scheduled task created via the at.exe utility. The utility can also create a task on a remote host.
Location
C:\Windows\Tasks\*.job
Active Setup
Holds references to applications that need to run at startup. Similar to RunOnce, they are started only once at session opening, and they execute before any Run or RunOnce entry.
Location
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{GUID}\StubPath
HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components\{GUID}\StubPath
IFEO
Image File Execution Options - allows several interesting per-executable options to be set.
Location
Debugger names an executable to attach as a debugger to the target: Windows starts the named executable instead of the target and passes it the target's command line.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{executable}\Debugger
GlobalFlag gives a means to start another process when a specific application exits; it is used together with the SilentProcessExit keys below.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{executable}\GlobalFlag
SilentProcessExit indicates what to launch upon process exit.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\{executable}\ReportingMode
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\{executable}\MonitorProcess
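The following PowerShell is an added example for this page, not the original author's: it reads the AppInit_DLLs, Active Setup and IFEO/SilentProcessExit locations listed above and reports whatever is set. It assumes an elevated session on the live host; the WOW6432Node AppInit key and the LoadAppInit_DLLs value are additions not listed on the page.

```powershell
# Added example, not part of the original page. Run elevated on the host under review.
# Reads the AppInit_DLLs, Active Setup and IFEO artefacts described above.

function Get-AppInitDlls {
    # The native key is the one on the page; the WOW6432Node key (32-bit view) and the
    # LoadAppInit_DLLs switch are additions, included because the DLLs only load when it is 1.
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows') {
        if (-not (Test-Path -Path $key)) { continue }
        $p = Get-ItemProperty -Path $key
        [pscustomobject]@{
            Key              = $key
            AppInit_DLLs     = $p.AppInit_DLLs
            LoadAppInit_DLLs = $p.LoadAppInit_DLLs
        }
    }
}

function Get-ActiveSetupStubs {
    foreach ($hive in 'HKLM', 'HKCU') {
        $base = "${hive}:\SOFTWARE\Microsoft\Active Setup\Installed Components"
        if (-not (Test-Path -Path $base)) { continue }
        foreach ($comp in Get-ChildItem -Path $base) {
            $stub = (Get-ItemProperty -Path $comp.PSPath).StubPath
            if ($stub) {
                [pscustomobject]@{ Hive = $hive; Component = $comp.PSChildName; StubPath = $stub }
            }
        }
    }
}

function Get-IfeoOverrides {
    # Any subkey carrying a Debugger or GlobalFlag value is reported; a Debugger value on a
    # system binary that nobody is actually debugging needs an explanation.
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($sub in Get-ChildItem -Path $base) {
        $p = Get-ItemProperty -Path $sub.PSPath
        if ($p.Debugger -or $null -ne $p.GlobalFlag) {
            [pscustomobject]@{ Executable = $sub.PSChildName; Debugger = $p.Debugger; GlobalFlag = $p.GlobalFlag }
        }
    }
}

function Get-SilentProcessExitMonitors {
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit'
    if (-not (Test-Path -Path $base)) { return }
    foreach ($sub in Get-ChildItem -Path $base) {
        $p = Get-ItemProperty -Path $sub.PSPath
        [pscustomobject]@{
            Executable     = $sub.PSChildName
            ReportingMode  = $p.ReportingMode
            MonitorProcess = $p.MonitorProcess   # the command launched when the executable exits
        }
    }
}

Get-AppInitDlls               | Format-List
Get-ActiveSetupStubs          | Format-Table -AutoSize
Get-IfeoOverrides             | Format-Table -AutoSize
Get-SilentProcessExitMonitors | Format-Table -AutoSize
```

Active Setup legitimately holds many Microsoft components, so compare the StubPath list against a clean build of the same Windows version rather than reading it cold; the IFEO and SilentProcessExit lists are normally empty or near-empty on a workstation, which makes any entry worth a look.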
Run keys
One of the best-known persistence mechanisms: a set of applications to run at session opening. They can be defined at the user or at the machine level.
By default, a RunOnce value is deleted before its command line is run. Prefixing the value name with ! defers the deletion until after the command has run.
These keys are ignored when the computer is started in Safe Mode. Prefixing a RunOnce value name with * makes the command run even in Safe Mode.
Location
HKLM:\Software\Microsoft\Windows\CurrentVersion\Run
HKCU:\Software\Microsoft\Windows\CurrentVersion\Run
HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce
Available on Vista or newer but not set by default:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
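As an added example (not from the original page), the following PowerShell enumerates the Run, RunOnce and RunOnceEx keys above for both hives, decodes the ! and * value-name prefixes, and flags commands that invoke a script host or live in a user-writable location. The Suspect column is a heuristic of my own, not something the page defines.

```powershell
# Added example, not part of the original page: list every Run/RunOnce/RunOnceEx entry for
# the machine and the current user, decode the RunOnce value-name prefixes, and flag
# commands that invoke a script host or live in a user-writable location (a heuristic).

$RunSubKeys = 'Run', 'RunOnce', 'RunOnceEx'
$SuspectPattern = '(?i)\b(wscript|cscript|mshta|powershell|pwsh|cmd|rundll32|regsvr32)\b|\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\'

function Read-AutorunValues {
    param([string]$Key, [string]$Hive, [string]$SubKey)
    $item = Get-Item -Path $Key
    foreach ($name in $item.GetValueNames()) {
        if ($name -eq '') { continue }            # skip the (Default) value
        $command = [string]$item.GetValue($name)
        [pscustomobject]@{
            Hive          = $Hive
            SubKey        = $SubKey
            ValueName     = $name
            DeferDelete   = $name.StartsWith('!')   # '!' : RunOnce deletes the value after the command ran
            RunInSafeMode = $name.StartsWith('*')   # '*' : RunOnce honours the value even in Safe Mode
            Command       = $command
            Suspect       = [bool]($command -match $SuspectPattern)
        }
    }
}

function Get-RunKeyEntries {
    foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($sub in $RunSubKeys) {
            $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\$sub"
            if (-not (Test-Path -Path $key)) { continue }
            Read-AutorunValues -Key $key -Hive $hive -SubKey $sub
            if ($sub -eq 'RunOnceEx') {
                # RunOnceEx groups its commands in numbered subkeys (e.g. 0001), one level down
                foreach ($group in Get-ChildItem -Path $key) {
                    Read-AutorunValues -Key $group.PSPath -Hive $hive -SubKey "$sub\$($group.PSChildName)"
                }
            }
        }
    }
}

Get-RunKeyEntries | Sort-Object Suspect -Descending | Format-Table -AutoSize
```

The prefix columns only carry meaning for RunOnce entries; for Run and RunOnceEx they are reported but have no effect. On a 64-bit host the WOW6432Node copies of these keys (not listed on the page) hold further entries and are worth adding to the loop.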
Services
Services are commonly used for persistence. Any service with scripting capabilities (vbs, js, powershell, cmd, etc.) should raise suspicion.
Location
HKLM\System\CurrentControlSet\services
Shell Open Commands
Handles file associations - for instance, the command used to open an .exe can be pointed at a different application.
Location
HKEY_CLASSES_ROOT\exefile\shell\open\command
HKEY_CLASSES_ROOT\exefile\shell\runas\command
HKEY_CLASSES_ROOT\batfile\shell\open\command
HKEY_CLASSES_ROOT\batfile\shell\runas\command
HKEY_CLASSES_ROOT\comfile\shell\open\command
HKEY_CLASSES_ROOT\comfile\shell\runas\command
User Windows Shell
A per-user setting that replaces the default shell, explorer.exe.
Location
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
SvcHosts
svchost.exe instances are hosting processes that group service DLLs needing the same resources (network, etc.); the groups are defined under this key.
Location
HKLM:\Software\Microsoft\Windows NT\CurrentVersion\SvcHost
Scheduled Tasks
Scheduled Tasks are also commonly used for persistence. Any task with scripting capabilities (vbs, js, powershell, cmd, etc.) should raise suspicion and be analysed.
Location
%windir%\System32\Tasks
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree - the Id value refers to the GUID of the corresponding key below, which holds more information.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks - the Actions value contains the task's actions.
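The check both the Services and the Scheduled Tasks sections ask for (flag anything driven by a script host) can be done in one pass. The PowerShell below is an added example, not the page's own: it reads ImagePath and ServiceDll from the services key, parses the task XML files under %windir%\System32\Tasks, and lists the legacy at.exe .job files. The script-host pattern is my own heuristic built from the engines the page names plus mshta/wscript/cscript.

```powershell
# Added example, not part of the original page: flag services and scheduled tasks whose
# command invokes a script host, and list the legacy at.exe job files. Run elevated.

# Script hosts and script extensions named on the page, plus mshta/wscript/cscript (heuristic)
$ScriptPattern = '(?i)\b(wscript|cscript|mshta|powershell|pwsh|cmd)(\.exe)?\b|\.(vbs|vbe|js|jse|wsf|ps1|bat|cmd|hta)\b'

function Get-ScriptingServices {
    $base = 'HKLM:\System\CurrentControlSet\Services'
    foreach ($svc in Get-ChildItem -Path $base -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -Path $svc.PSPath
        if (-not $p.ImagePath) { continue }       # entries without an image (drivers' stubs) are skipped
        $command = [string]$p.ImagePath
        # svchost-hosted services keep their real code in Parameters\ServiceDll
        $paramKey = $svc.PSPath + '\Parameters'
        if (Test-Path -Path $paramKey) {
            $dll = (Get-ItemProperty -Path $paramKey).ServiceDll
            if ($dll) { $command += " [ServiceDll: $dll]" }
        }
        if ($command -match $ScriptPattern) {
            [pscustomobject]@{ Source = 'Service'; Name = $svc.PSChildName; Command = $command }
        }
    }
}

function Get-ScriptingTasks {
    $taskDir = Join-Path -Path $env:windir -ChildPath 'System32\Tasks'
    foreach ($file in Get-ChildItem -Path $taskDir -Recurse -File) {
        try { [xml]$xml = Get-Content -Path $file.FullName -Raw } catch { continue }
        # A task can carry several <Exec> actions; COM-handler actions have no command line here
        foreach ($exec in @($xml.Task.Actions.Exec)) {
            if ($null -eq $exec) { continue }
            $command = "$($exec.Command) $($exec.Arguments)".Trim()
            if ($command -match $ScriptPattern) {
                [pscustomobject]@{
                    Source  = 'Task'
                    Name    = $file.FullName.Substring($taskDir.Length)
                    Command = $command
                }
            }
        }
    }
}

function Get-AtJobFiles {
    # at.exe jobs are binary .job files; only their presence and timestamps are reported here
    Get-ChildItem -Path (Join-Path -Path $env:windir -ChildPath 'Tasks') -Filter *.job -File -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, CreationTime, LastWriteTime
}

Get-ScriptingServices | Format-Table -AutoSize
Get-ScriptingTasks    | Format-Table -AutoSize
Get-AtJobFiles        | Format-Table -AutoSize
```

Tasks whose action is a ComHandler rather than an Exec are not caught by the pattern; their CLSID is what the COM Objects section further down is about, so resolve it the same way. A task that exists in the TaskCache registry tree but has no XML file on disk (or the reverse) is itself a finding.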
Shells
Point to the executables or scripts to be launched at user logon. These values are read by winlogon.exe.
Location
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
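The Shell Open Commands, User Windows Shell and Shells sections all come down to the same question: does the value still hold its stock content? The PowerShell below is an added example, not from the original page; the expected defaults are assumed from a clean Windows 10/11 install and should be replaced by your own baseline if it differs.

```powershell
# Added example, not part of the original page: compare the shell open/runas commands and the
# Winlogon Shell/Userinit values against their stock defaults. The defaults are assumed
# from a clean Windows 10/11 install; adjust them if your baseline differs.

$Baseline = @(
    foreach ($type in 'exefile', 'batfile', 'comfile') {
        foreach ($verb in 'open', 'runas') {
            @{ Path = "Registry::HKEY_CLASSES_ROOT\$type\shell\$verb\command"; Value = ''; Expected = '"%1" %*' }
        }
    }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Value = 'Shell';    Expected = 'explorer.exe' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Value = 'Userinit'; Expected = "$env:windir\system32\userinit.exe" }
    # A per-user Shell normally does not exist at all; $null means "expected absent"
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Value = 'Shell';    Expected = $null }
)

function Test-ShellBaseline {
    foreach ($entry in $Baseline) {
        $actual = $null
        if (Test-Path -Path $entry.Path) {
            $actual = (Get-Item -Path $entry.Path).GetValue($entry.Value)   # '' reads the (Default) value
        }
        # Userinit is stored with a trailing comma; normalise before comparing (-eq is case-insensitive)
        $normalised = if ($null -ne $actual) { ([string]$actual).Trim().TrimEnd(',') } else { $null }
        $isDefault  = if ($null -eq $entry.Expected) { $null -eq $normalised } else { $normalised -eq $entry.Expected }
        [pscustomobject]@{
            Location  = "$($entry.Path)\$($entry.Value)"
            Actual    = $actual
            Expected  = $entry.Expected
            IsDefault = $isDefault
        }
    }
}

Test-ShellBaseline | Format-Table -AutoSize
```

A Userinit value that lists a second executable after userinit.exe (the comma is a separator) and a Shell value that is anything other than explorer.exe are the two cases this catches; both are read by winlogon.exe at every logon.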
WMI
Windows Management Instrumentation - the Microsoft implementation of WBEM. It has the following components:
Events: these act as triggers. They can be tied to the creation of a new process, its termination, the plugging of a USB key, etc.
Consumers: the actions to execute when an event fires (start a program, a script, etc.)
Filters: the binding between events and consumers
Location
%windir%\System32\wbem\Repository\OBJECTS.DATA
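On a live host the subscriptions can be read directly instead of carving OBJECTS.DATA. The PowerShell below is an added example, not part of the page: in the repository the page's events, consumers and filters map to the __EventFilter class (the WQL query selecting the events), the __EventConsumer subclasses (the action) and the __FilterToConsumerBinding that links one to the other, all in the root\subscription namespace.

```powershell
# Added example, not part of the original page: enumerate the live WMI event subscriptions.
# __EventFilter = the query selecting events, __EventConsumer = the action,
# __FilterToConsumerBinding = the link between the two (all in root\subscription).

function Get-RefName {
    # Binding properties are references; CIM returns them as objects, WMI as 'Class.Name="..."' strings
    param($Ref)
    if ($Ref -is [string]) {
        if ($Ref -match 'Name="([^"]+)"') { return $Matches[1] }
        return $Ref
    }
    return $Ref.Name
}

function Get-WmiSubscriptions {
    $ns = 'root\subscription'
    $filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
    $consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer)
    foreach ($binding in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding) {
        $filterName   = Get-RefName $binding.Filter
        $consumerName = Get-RefName $binding.Consumer
        $filter   = $filters   | Where-Object { $_.Name -eq $filterName }   | Select-Object -First 1
        $consumer = $consumers | Where-Object { $_.Name -eq $consumerName } | Select-Object -First 1
        # The payload lives in different properties depending on the consumer class
        $payload = switch ($consumer.CimClass.CimClassName) {
            'CommandLineEventConsumer'  { $consumer.CommandLineTemplate }
            'ActiveScriptEventConsumer' { if ($consumer.ScriptFileName) { $consumer.ScriptFileName } else { $consumer.ScriptText } }
            default                     { $null }
        }
        [pscustomobject]@{
            Filter        = $filterName
            Query         = $filter.Query
            Consumer      = $consumerName
            ConsumerClass = $consumer.CimClass.CimClassName
            Payload       = $payload
        }
    }
}

Get-WmiSubscriptions | Format-List
```

A stock Windows install carries one binding (the SCM Event Log filter tied to an NTEventLogEventConsumer); CommandLineEventConsumer and ActiveScriptEventConsumer instances are the ones to examine. For a dead-box image, searching OBJECTS.DATA for those two class names finds the same objects.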
Powershell profiles
When PowerShell starts, it looks for the following files and executes their content. One can add PowerShell commands here for persistence.
Location
All Users, All Hosts: $PSHOME\Profile.ps1
All Users, Current Host: $PSHOME\Microsoft.PowerShell_profile.ps1
Current User, All Hosts: $Home\Documents\PowerShell\Profile.ps1
Current User, Current Host: $Home\Documents\PowerShell\Microsoft.PowerShell_profile.ps1
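The four paths above are exposed by the $PROFILE automatic variable, so the check can be written without hard-coding them. The PowerShell below is an added example, not from the original page; the "suspicious" pattern is my own heuristic for content that a profile rarely needs.

```powershell
# Added example, not part of the original page: inventory the four profile files of the
# current host, hash them and flag content a profile rarely needs (heuristic).

function Get-ProfileArtefacts {
    $suspicious = '(?i)Invoke-Expression|\biex\b|DownloadString|FromBase64String|-EncodedCommand|-enc\b|Net\.WebClient'
    foreach ($scope in 'AllUsersAllHosts', 'AllUsersCurrentHost', 'CurrentUserAllHosts', 'CurrentUserCurrentHost') {
        $path   = $PROFILE.$scope
        $exists = Test-Path -Path $path -PathType Leaf
        $row = [ordered]@{ Scope = $scope; Path = $path; Exists = $exists }
        if ($exists) {
            $info = Get-Item -Path $path
            $text = Get-Content -Path $path -Raw
            $row.LastWrite  = $info.LastWriteTime
            $row.SHA256     = (Get-FileHash -Path $path -Algorithm SHA256).Hash
            $row.Suspicious = [bool]($text -match $suspicious)
        }
        [pscustomobject]$row
    }
}

Get-ProfileArtefacts | Format-Table -AutoSize
```

$PROFILE is per host: Windows PowerShell 5.1 resolves the user paths under Documents\WindowsPowerShell while PowerShell 7 uses Documents\PowerShell as shown on the page, so run the check from each interpreter installed on the box (and note that the ISE has its own Current Host file).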
LNK
LNKs are one of the most used mechanisms to persist and to propagate over external devices. LNKs can be abused in two main ways.
A legitimate LNK can be weaponised by replacing its target with a malicious command that runs before starting the real target application.
An application can be hidden and a LNK with the same icon created in its place. Upon user interaction, the LNK triggers the execution of the malicious payload and then launches the real application.
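Both patterns leave traces in the shortcut fields themselves. The PowerShell below is an added example, not from the page: it reads the target, arguments and icon of each .lnk through the WScript.Shell COM object and looks for a script-host target, an icon borrowed from another file, or a hidden file/folder of the same name next to the shortcut. It defaults to the two Startup folders; pass the root of a mounted removable drive to check that instead.

```powershell
# Added example, not part of the original page: inspect .lnk files for the two abuse
# patterns above. Defaults to the Startup folders; -Folders can point at any directory.

function Get-SuspiciousLnk {
    param(
        [string[]]$Folders = @(
            [Environment]::GetFolderPath('Startup'),
            [Environment]::GetFolderPath('CommonStartup')
        )
    )
    $shell      = New-Object -ComObject WScript.Shell
    $scriptHost = '(?i)\\(wscript|cscript|mshta|powershell|pwsh|cmd|rundll32|regsvr32)\.exe$'
    foreach ($folder in $Folders) {
        if (-not (Test-Path -Path $folder)) { continue }
        $siblings = @(Get-ChildItem -Path $folder -Force -ErrorAction SilentlyContinue)
        foreach ($file in ($siblings | Where-Object { $_.Extension -eq '.lnk' -and -not $_.PSIsContainer })) {
            $lnk      = $shell.CreateShortcut($file.FullName)
            $target   = [Environment]::ExpandEnvironmentVariables([string]$lnk.TargetPath)
            $iconFile = [Environment]::ExpandEnvironmentVariables((([string]$lnk.IconLocation) -split ',')[0].Trim())
            $baseName = [IO.Path]::GetFileNameWithoutExtension($file.Name)
            $reasons  = @()
            # Pattern 1: the target was swapped for a script host that runs something before the real app
            if ($target -match $scriptHost) { $reasons += 'TargetIsScriptHost' }
            # The icon comes from a file other than the target (keeps the shortcut looking like the real app)
            if ($iconFile -and $target -and ($iconFile -ne $target)) { $reasons += 'IconFromOtherFile' }
            # Pattern 2: a hidden file or folder with the same name sits next to the LNK
            $hiddenTwin = $siblings | Where-Object {
                $_.FullName -ne $file.FullName -and
                [IO.Path]::GetFileNameWithoutExtension($_.Name) -eq $baseName -and
                (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
            }
            if ($hiddenTwin) { $reasons += 'HiddenTwin' }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Lnk       = $file.FullName
                    Target    = $target
                    Arguments = $lnk.Arguments
                    Icon      = $iconFile
                    Reasons   = ($reasons -join ',')
                }
            }
        }
    }
}

Get-SuspiciousLnk | Format-List
# Get-SuspiciousLnk -Folders 'E:\'   # e.g. the root of a mounted USB stick
```

IconFromOtherFile fires on some legitimate shortcuts (installers often point the icon at a separate .ico), so treat it as supporting evidence; a script-host target combined with a hidden twin is the combination the two patterns above produce.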
AMSI
AntiMalware Scan Interface - an interface provided by Windows that gives access to file, memory and stream scanning, etc. Security providers register a DLL with AMSI in order to scan content and detect malicious attempts. This can be abused by registering a malicious provider (requires administrative rights).
Location
The following path lists the registered providers.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AMSI\Providers
COM Objects
Component Object Model - a Microsoft standard for creating components that can interact with each other across processes. Because it is a standard, multiple languages can be used to build COM objects. They are referenced by name or by CLSID.
This system can be abused by looking for services or tasks that reference missing COM objects, much like DLL hijacking. The interesting part is that Windows looks up CLSIDs in HKCU before HKLM, which removes the need for administrative rights.
Location
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CLSID}\InProcServer32 - for DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CLSID}\LocalServer32 - for exe
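The AMSI and COM sections share one step: resolving a CLSID to its server path. The PowerShell below is an added example, not from the original page. It resolves each CLSID in the order Windows uses (HKCU first, then HKLM), which serves two checks at once: listing the registered AMSI providers with the signature status of their DLL, and listing every CLSID the current user has defined along with the machine-wide server it shadows.

```powershell
# Added example, not part of the original page: resolve CLSIDs in HKCU-before-HKLM order,
# then (a) audit the AMSI providers and (b) list user-level CLSIDs that shadow machine ones.

function Resolve-ComServer {
    param([string]$Clsid)
    # HKCU is consulted before HKLM, which is exactly what makes user-level hijacking possible
    foreach ($hive in 'HKCU', 'HKLM') {
        foreach ($kind in 'InProcServer32', 'LocalServer32') {
            $key = "${hive}:\SOFTWARE\Classes\CLSID\$Clsid\$kind"
            if (Test-Path -Path $key) {
                return [pscustomobject]@{
                    Clsid  = $Clsid
                    Hive   = $hive
                    Kind   = $kind
                    Server = (Get-Item -Path $key).GetValue('')   # (Default) holds the DLL or EXE path
                }
            }
        }
    }
}

function Get-AmsiProviders {
    $base = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
    if (-not (Test-Path -Path $base)) { return }
    foreach ($prov in Get-ChildItem -Path $base) {
        $srv = Resolve-ComServer -Clsid $prov.PSChildName
        $status = 'Unresolved'
        if ($srv -and $srv.Server) {
            $path = [Environment]::ExpandEnvironmentVariables(([string]$srv.Server).Trim('"').Trim())
            $status = if (Test-Path -Path $path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'FileMissing' }
        }
        [pscustomobject]@{ Clsid = $prov.PSChildName; Hive = $srv.Hive; Server = $srv.Server; Signature = $status }
    }
}

function Get-UserComShadows {
    # Every CLSID the current user defines wins over the HKLM definition for that user's processes
    $userBase = 'HKCU:\SOFTWARE\Classes\CLSID'
    if (-not (Test-Path -Path $userBase)) { return }
    foreach ($cls in Get-ChildItem -Path $userBase) {
        $user = Resolve-ComServer -Clsid $cls.PSChildName      # finds the HKCU entry first by design
        if (-not $user) { continue }
        $machine = $null
        foreach ($kind in 'InProcServer32', 'LocalServer32') {
            $k = "HKLM:\SOFTWARE\Classes\CLSID\$($cls.PSChildName)\$kind"
            if (Test-Path -Path $k) { $machine = (Get-Item -Path $k).GetValue(''); break }
        }
        [pscustomobject]@{ Clsid = $cls.PSChildName; UserServer = $user.Server; MachineServer = $machine }
    }
}

Get-AmsiProviders  | Format-Table -AutoSize
Get-UserComShadows | Format-Table -AutoSize
```

An AMSI provider whose hive is HKCU, whose DLL is missing, or whose signature is not Valid is a finding. For the COM list, a user CLSID with an empty MachineServer is the "missing object" case the section describes; one with a different MachineServer is a plain override, and per-user application installs produce a handful of legitimate entries to baseline out.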
DCOM
DCOM is an extension of COM that offers access to COM objects remotely. It uses RPC to start the new processes on the remote side. On the target this is done by the DcomLaunch service, which runs inside svchost.exe -k DcomLaunch.
If a process has the DcomLaunch svchost as its parent and listens on a high port, it was most probably started via DCOM.
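The parent/port test in the sentence above can be scripted. The PowerShell below is an added example, not from the original page: it finds the PID hosting the DcomLaunch service, lists that process's direct children and joins in any TCP ports each child is listening on, flagging ports in the dynamic range (49152 and above, my threshold for "high port").

```powershell
# Added example, not part of the original page: children of the DcomLaunch svchost together
# with the TCP ports they listen on. Run elevated so command lines are readable.

function Get-DcomLaunchedProcesses {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='DcomLaunch'"
    if (-not $svc) { return }
    $launcherPid = $svc.ProcessId
    $listening   = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue)
    foreach ($proc in Get-CimInstance -ClassName Win32_Process -Filter "ParentProcessId=$launcherPid") {
        $ports = @($listening | Where-Object { $_.OwningProcess -eq $proc.ProcessId } |
                  Select-Object -ExpandProperty LocalPort | Sort-Object -Unique)
        [pscustomobject]@{
            Pid              = $proc.ProcessId
            Name             = $proc.Name
            Created          = $proc.CreationDate
            CommandLine      = $proc.CommandLine
            ListeningPorts   = ($ports -join ',')
            HighPortListener = [bool]($ports | Where-Object { $_ -ge 49152 })   # dynamic range, an assumption
        }
    }
}

Get-DcomLaunchedProcesses | Sort-Object HighPortListener -Descending | Format-Table -AutoSize
```

Plenty of Windows components are launched this way (dllhost.exe surrogates and broker processes are normal children), so the value is in the command line and the creation time of an unexpected child rather than in the parent relationship alone.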
Shim Database
Application compatibility shimming is a Windows feature that redirects API calls to the appropriate code, so that applications keep working across versions (backward/forward compatibility).
These compatibility fixes are stored in .sdb database files and managed by the sdbinst.exe utility.
Location
Once registered, the custom shim database can be found in:
Windows\AppPatch\Custom - for 32-bit
Windows\AppPatch\Custom\Custom64 - for 64-bit
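Listing the two Custom directories is the on-disk half of the check. The PowerShell below is an added example, not from the page; it hashes the .sdb files found there and also reads the AppCompatFlags\InstalledSDB registry key, which sdbinst.exe writes for each installed database and which the page does not list (a companion artefact I am adding).

```powershell
# Added example, not part of the original page: custom shim databases on disk and the
# InstalledSDB registrations sdbinst.exe leaves in the registry.

function Get-CustomShimFiles {
    $dirs = @("$env:windir\AppPatch\Custom", "$env:windir\AppPatch\Custom\Custom64")
    foreach ($dir in $dirs) {
        if (-not (Test-Path -Path $dir)) { continue }
        foreach ($sdb in Get-ChildItem -Path $dir -Filter *.sdb -File) {
            [pscustomobject]@{
                Path      = $sdb.FullName
                SizeBytes = $sdb.Length
                LastWrite = $sdb.LastWriteTime
                SHA256    = (Get-FileHash -Path $sdb.FullName -Algorithm SHA256).Hash
            }
        }
    }
}

function Get-InstalledSdbRegistrations {
    # Key written by sdbinst.exe; not on the page, added here as a known companion artefact
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB'
    if (-not (Test-Path -Path $key)) { return }
    foreach ($entry in Get-ChildItem -Path $key) {
        $p = Get-ItemProperty -Path $entry.PSPath
        [pscustomobject]@{
            InstallGuid  = $entry.PSChildName
            Description  = $p.DatabaseDescription
            DatabasePath = $p.DatabasePath
            Type         = $p.DatabaseType
        }
    }
}

Get-CustomShimFiles           | Format-Table -AutoSize
Get-InstalledSdbRegistrations | Format-Table -AutoSize
```

A database present on disk but absent from InstalledSDB (or the reverse) is worth explaining, as is any custom .sdb on a host where no compatibility fix was ever deployed; the file hash lets you compare against the copy shipped by the vendor that supposedly installed it.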