Finding Evidence of Persistence Mechanisms
Last updated
AutoRun keys are a common persistence mechanism used by attackers to maintain access to a compromised system. They are registry entries that specify programs or scripts to be executed automatically at system boot or user login.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Let's open the SOFTWARE and NTUSER.DAT hives using Registry Explorer.
And for the NTUSER.DAT hive.
We can also review the results previously obtained from RegRipper.
In Windows, Startup Folders are directories where shortcuts to programs or scripts can be placed to execute automatically when the system boots or a user logs in. These folders are commonly used by legitimate applications but are also abused by attackers to establish persistence.
System-Wide Startup Folder (applies to all users on the system):
Path: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
Per-User Startup Folder (applies only to a specific user):
Path: C:\Users\<Username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp
Q) What is the name of the suspicious script in the Startup folder?
First, let's review the System Startup folder to identify any relevant findings.
Next, for the Per-User Startup Folder.
The $MFT can be analyzed to track the contents and modifications of Startup Folders during a forensic investigation. We already have an MFT.csv file available for this purpose.
Let's use Ubuntu on Windows.
Let's verify if it still exists on the disk.
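As an added example (not part of the original walkthrough), here is a small Python script that does the same filtering over MFT.csv that the Ubuntu step does, but also keeps MFTECmd's InUse flag so that a Startup item that was deleted still shows up and is marked as such. The CSV excerpt is constructed and uses MFTECmd's column names; load_mft_csv() is there for pointing it at the real export.

```python
import csv
import io

# Constructed MFT.csv excerpt (example data, not from the case). The column
# names follow MFTECmd's CSV export; only the columns used here are included.
SAMPLE_MFT_CSV = r"""EntryNumber,SequenceNumber,InUse,ParentPath,FileName,Extension,FileSize,Created0x10,LastModified0x10
1201,3,True,.\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp,desktop.ini,.ini,174,2023-01-10 08:00:01.1234567,2023-01-10 08:00:01.1234567
4410,2,True,.\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp,update.vbs,.vbs,2048,2024-05-02 14:21:09.0000000,2024-05-02 14:21:09.0000000
4411,1,False,.\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp,helper.bat,.bat,512,2024-05-02 14:25:30.0000000,2024-05-02 14:25:30.0000000
5002,1,True,.\Users\alice\Documents,report.docx,.docx,40960,2024-04-01 09:00:00.0000000,2024-04-01 09:00:00.0000000
"""

# Both the system-wide and the per-user Startup folder paths end with this
# suffix; NTFS paths are compared case-insensitively.
STARTUP_SUFFIX = "\\start menu\\programs\\startup"

# Extensions worth triaging first when they turn up in a Startup folder.
SCRIPT_EXTENSIONS = {".vbs", ".bat", ".cmd", ".ps1", ".js", ".jse", ".hta", ".exe", ".lnk"}


def find_startup_entries(csv_text):
    """Return every MFT record whose parent directory is a Startup folder.

    Deleted records are kept on purpose: MFTECmd marks them with InUse=False,
    which is how we tell whether the file still exists on disk.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        parent = row["ParentPath"].lower()
        if not parent.endswith(STARTUP_SUFFIX):
            continue
        hits.append({
            "path": row["ParentPath"] + "\\" + row["FileName"],
            "name": row["FileName"],
            "scope": "system" if "\\programdata\\" in parent else "user",
            "in_use": row["InUse"].strip().lower() == "true",
            "created": row["Created0x10"],
            "modified": row["LastModified0x10"],
        })
    return hits


def script_like(entries):
    """Keep only entries with an executable or script extension."""
    return [e for e in entries
            if any(e["name"].lower().endswith(ext) for ext in SCRIPT_EXTENSIONS)]


def load_mft_csv(path):
    """Read a real MFTECmd export; utf-8-sig strips the BOM if one is present."""
    with open(path, encoding="utf-8-sig", newline="") as fh:
        return fh.read()


if __name__ == "__main__":
    # Usage with the real export: script_like(find_startup_entries(load_mft_csv("MFT.csv")))
    for e in script_like(find_startup_entries(SAMPLE_MFT_CSV)):
        status = "present" if e["in_use"] else "DELETED"
        print(f"[{e['scope']}] {e['path']}  created={e['created']}  {status}")
```

The InUse column is the part a plain grep on the filename misses: a record with InUse=False is a file that was removed but whose MFT entry has not yet been reused, which is exactly the "does it still exist on disk" question above.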
Windows services are a critical part of a forensic investigation, as services are often abused by attackers to maintain persistence, execute malicious payloads, or escalate privileges.
Persistence Mechanism: Attackers may create malicious services or hijack legitimate ones to ensure their payloads are executed on boot.
Privilege Escalation: Services often run with SYSTEM privileges, making them a target for abuse.
Indicator of Compromise (IOC): Unusual or unauthorized services can indicate malware or an adversary's presence.
Registry: HKLM\SYSTEM\CurrentControlSet\Services
Let's open the System hive using Registry Explorer.
We can also review the results previously obtained from RegRipper.
Registry:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree
Scheduled Tasks are a critical mechanism in Windows often used for legitimate purposes such as system maintenance or application updates. However, they are frequently exploited by attackers as a persistence method or to execute malicious payloads at specified intervals.
Persistence Mechanism: Attackers use tasks to ensure payloads are executed repeatedly or at system startup.
Privilege Escalation: Tasks can run with elevated privileges, making them a potential target for exploitation.
Malware Execution: Tasks may run scripts or executables associated with malicious activity.
Path: C:\Windows\System32\Tasks
Let's load the SOFTWARE hive into Registry Explorer.
Or using RegRipper.
Let's also check the path C:\Windows\System32\Tasks.
Let's open them in Notepad.
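Rather than opening each task file in Notepad, the XML definitions under C:\Windows\System32\Tasks can be parsed. The following Python is an added example, not from the original post: the task definition is constructed, the script-host and user-writable-path lists are my own triage heuristics, and scan_task_dir() assumes the image's Tasks folder is mounted and readable (e.g. E:\Windows\System32\Tasks).

```python
import os
import xml.etree.ElementTree as ET

# Namespace used by every Task Scheduler XML definition.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed task definition (example data, not from the case). Real files
# under C:\Windows\System32\Tasks are UTF-16 with an XML declaration; that
# declaration is left out here so the sample can be fed in as a plain string.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>WORKSTATION\alice</Author>
    <Date>2024-05-02T14:30:00</Date>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <TimeTrigger>
      <StartBoundary>2024-05-02T14:35:00</StartBoundary>
      <Repetition><Interval>PT10M</Interval></Repetition>
    </TimeTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
      <Arguments>-WindowStyle Hidden -File C:\Users\alice\AppData\Roaming\update.ps1</Arguments>
    </Exec>
  </Actions>
</Task>
"""

# Triage heuristics (assumptions for this example, tune them to your environment).
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")


def _text(node, path):
    """Text of the first child matching an XPath under the task namespace, or ''."""
    found = node.find(path, NS)
    return found.text.strip() if found is not None and found.text else ""


def parse_task(xml_text):
    """Extract the fields an analyst reads first from a task definition (str or bytes)."""
    root = ET.fromstring(xml_text)
    triggers_node = root.find("t:Triggers", NS)
    # Strip the namespace from trigger tags: '{...}LogonTrigger' -> 'LogonTrigger'.
    triggers = [] if triggers_node is None else [c.tag.split("}")[-1] for c in triggers_node]
    actions = [{"command": _text(exec_node, "t:Command"),
                "arguments": _text(exec_node, "t:Arguments")}
               for exec_node in root.findall("t:Actions/t:Exec", NS)]
    return {
        "author": _text(root, "t:RegistrationInfo/t:Author"),
        "date": _text(root, "t:RegistrationInfo/t:Date"),
        "triggers": triggers,
        "user_id": _text(root, "t:Principals/t:Principal/t:UserId"),
        "run_level": _text(root, "t:Principals/t:Principal/t:RunLevel"),
        "actions": actions,
    }


def flag_task(task):
    """Return plain-language reasons a task deserves a closer look (empty list = nothing obvious)."""
    reasons = []
    for action in task["actions"]:
        cmd = action["command"].lower()
        line = cmd + " " + action["arguments"].lower()
        if cmd.endswith(SCRIPT_HOSTS):
            reasons.append("runs a script host: " + cmd.rsplit("\\", 1)[-1])
        if any(marker in line for marker in USER_WRITABLE):
            reasons.append("references a user-writable location")
    if task["run_level"] == "HighestAvailable" or task["user_id"] == "S-1-5-18":
        reasons.append("runs elevated (HighestAvailable or SYSTEM)")
    if "LogonTrigger" in task["triggers"] or "BootTrigger" in task["triggers"]:
        reasons.append("fires at boot or logon")
    return reasons


def scan_task_dir(root_dir):
    """Parse every task file under a mounted Tasks directory and flag each one."""
    results = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    task = parse_task(fh.read())  # bytes keep the UTF-16 BOM so the parser decodes correctly
            except ET.ParseError:
                continue  # not a task definition
            results.append((full, task, flag_task(task)))
    return results


if __name__ == "__main__":
    task = parse_task(SAMPLE_TASK_XML)
    print(task["author"], task["triggers"], task["actions"])
    for reason in flag_task(task):
        print(" -", reason)
```

Reading the files as bytes matters: Windows writes these definitions as UTF-16 with a byte-order mark, and feeding the raw bytes lets the XML parser pick the encoding up from the BOM instead of a text-mode guess.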
Sysinternals Autoruns is a powerful tool for analyzing persistence mechanisms on a Windows system.
Autoruns identifies and enumerates all programs configured to run automatically when the system starts or when a user logs in. This includes entries from various persistence locations like registry keys, startup folders, scheduled tasks, and more.
It detects all startup items, including those from known persistence mechanisms (e.g., registry Run keys, startup folders, services, and scheduled tasks), grouped into tabs such as:
Logon: Includes startup folder items and Run/RunOnce registry keys.
Services: Displays Windows services configured to run at startup.
Scheduled Tasks: Shows scheduled tasks, including hidden or malicious ones.
Explorer: Identifies shell extensions and browser helper objects.
Let's analyze the E:\ drive using Autoruns.
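Autoruns can also export its findings to CSV (with autorunsc.exe -c), which makes it possible to triage a large listing offline. The Python below is an added example, not from the original post: the sample rows are constructed, and the column header is my assumption about autorunsc's CSV layout, so rename the columns if your export differs.

```python
import csv
import io

# Constructed excerpt of an Autoruns CSV export (example data, not from the case).
# Assumption: the header matches what autorunsc.exe -c writes; adjust if needed.
SAMPLE_AUTORUNS_CSV = r"""Time,Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Company,Image Path,Version,Launch String
2023-01-10 08:00,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,System-wide,Windows Security notification icon,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\securityhealthsystray.exe,10.0.19041.1,C:\Windows\system32\SecurityHealthSystray.exe
2024-05-02 14:21,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,enabled,Logon,WORKSTATION\alice,,,,c:\users\alice\appdata\roaming\update.vbs,,wscript.exe C:\Users\alice\AppData\Roaming\update.vbs
2024-05-02 14:25,Task Scheduler,\Microsoft\Windows\UpdateCheck,enabled,Scheduled Tasks,System-wide,,,,File not found: C:\Users\alice\AppData\Roaming\helper.bat,,C:\Users\alice\AppData\Roaming\helper.bat
2022-06-01 10:00,HKLM\SYSTEM\CurrentControlSet\Services,Spooler,enabled,Services,System-wide,Print Spooler,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\spoolsv.exe,10.0.19041.1,C:\Windows\System32\spoolsv.exe
"""

# Locations a standard user can write to; a persistence image living here is
# worth a look even when nothing else stands out (triage heuristic, assumption).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\", "\\public\\")


def triage_autoruns(csv_text):
    """Return the Autoruns entries that fail one or more cheap checks, with reasons."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        signer = row["Signer"].strip()
        image = row["Image Path"].strip().lower()
        launch = row["Launch String"].strip().lower()
        # Autoruns prefixes a good Authenticode signature with "(Verified)".
        if not signer.startswith("(Verified)"):
            reasons.append("signature not verified")
        # Autoruns reports a missing binary as "File not found: <path>".
        if image.startswith("file not found"):
            reasons.append("image no longer on disk")
        if any(m in image or m in launch for m in USER_WRITABLE):
            reasons.append("lives in a user-writable path")
        if reasons:
            findings.append({
                "location": row["Entry Location"],
                "entry": row["Entry"],
                "category": row["Category"],
                "profile": row["Profile"],
                "image": row["Image Path"],
                "reasons": reasons,
            })
    return findings


def count_by_category(findings):
    """Summarise flagged entries per Autoruns category (Logon, Services, ...)."""
    counts = {}
    for f in findings:
        counts[f["category"]] = counts.get(f["category"], 0) + 1
    return counts


if __name__ == "__main__":
    # Usage with a real export: triage_autoruns(open("autoruns.csv", encoding="utf-8-sig").read())
    flagged = triage_autoruns(SAMPLE_AUTORUNS_CSV)
    print(count_by_category(flagged))
    for f in flagged:
        print(f"[{f['category']}] {f['location']} -> {f['entry']} ({f['profile']}): {', '.join(f['reasons'])}")
```

The checks mirror what an analyst does by eye in the Autoruns GUI (hide Microsoft entries, look for unsigned images and "File not found"), and the per-user Profile column is what separates a per-user Run key from a system-wide one.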