FaresMorcy
  • Whoami
  • Footprinting Labs
    • Lab - Easy
    • Lab - Medium
    • Lab - Hard
  • Shells & Payloads
    • The Live Engagement
  • Password Attacks
    • Lab - Easy
    • Lab - Medium
    • Lab - Hard
  • SOC Hackthebox Notes & Labs
    • Security Monitoring & SIEM Fundamentals Module
    • Windows Event Logs & Finding Evil Module
    • Introduction to Threat Hunting & Hunting With Elastic Module
    • Understanding Log Sources & Investigating with Splunk Module
      • Introduction To Splunk & SPL
      • Using Splunk Applications
      • Intrusion Detection With Splunk (Real-world Scenario)
      • Detecting Attacker Behavior With Splunk Based On TTPs
      • Detecting Attacker Behavior With Splunk Based On Analytics
      • Skills Assessment
    • Windows Attacks & Defense
      • Kerberoasting
      • AS-REProasting
      • GPP Passwords
      • GPO Permissions/GPO Files
      • Credentials in Shares
      • Credentials in Object Properties
      • DCSync
      • Golden Ticket
      • Kerberos Constrained Delegation
      • Print Spooler & NTLM Relaying
      • Coercing Attacks & Unconstrained Delegation
      • Object ACLs
      • PKI - ESC1
      • Skills Assessment
    • Intro to Network Traffic Analysis Module
    • YARA & Sigma for SOC Analysts Module
      • Developing YARA Rules
      • Hunting Evil with YARA (Windows Edition)
      • Hunting Evil with YARA (Linux Edition)
      • Sigma and Sigma Rules
      • Developing Sigma Rules
      • Hunting Evil with Sigma (Chainsaw Edition)
      • Hunting Evil with Sigma (Splunk Edition)
      • Skills Assessment
  • TryHackme SOC 1
    • TShark
      • TShark: The Basics
      • TShark: CLI Wireshark Features
      • TShark Challenge I: Teamwork
      • TShark Challenge II: Directory
    • Tempest
    • Boogeyman 1
    • Boogeyman 2
    • Boogeyman 3
  • TryHackme SOC 2
    • Advanced Splunk
      • Splunk: Exploring SPL
      • Splunk: Setting up a SOC Lab
      • Splunk: Dashboards and Reports
      • Splunk: Data Manipulation
      • Fixit
    • Advanced ELK
      • Slingshot
    • Threat Hunting
      • Threat Hunting: Foothold
      • Threat Hunting: Pivoting
      • Threat Hunting: Endgame
  • TryHackme Rooms
    • Investigating Windows
    • Splunk 2
    • Windows Network Analysis
  • Powershell Scripting Fundamentals
  • SANS SEC504 & Labs
    • Book one
      • Live Examination
      • Network Investigations
      • Memory Investigations
      • Malware Investigations
      • Accelerating IR with Generative AI
      • Bootcamp: Linux Olympics
      • Bootcamp: Powershell Olympics
    • Book Two
      • Hacker Tools and Techniques Introduction
      • Target Discovery and Enumeration
      • Discovery and Scanning with Nmap
      • Cloud Spotlight: Cloud Scanning
      • SMB Security
      • Defense Spotlight: Hayabusa and Sigma Rules
    • Book Three
      • Password Attacks
      • Cloud Spotlight: Microsoft 365 Password Attacks
      • Understanding Password Hashes
      • Password Cracking
      • Cloud Spotlight: Insecure Storage
      • Multipurpose Netcat
    • Book Four
      • Metasploit Framework
      • Drive-By Attacks
      • Command Injection
      • Cross-Site Scripting
      • SQL Injection
      • Cloud Spotlight: SSRF and IMDS
    • Book Five
      • Endpoint Security Bypass
      • Pivoting and Lateral Movement
      • Hijacking Attacks
      • Establishing Persistence
      • Defense Spotlight: RITA
      • Cloud Spotlight: Cloud Post-Exploitation
  • SANS SEC511 & Labs
    • Resources
      • Primers
      • References
      • Tools
        • Network
        • Elastic Stack
      • Printable Versions
    • Book One
      • Part One
      • Part Two
      • Part Three
    • Book Two
      • Part One
      • Part Two
      • Part Three
      • Part Four
    • Book Three
      • Part One
      • Part Two
      • Part Three
      • Part Four
    • Book Four
      • Part One
      • Part Two
      • Part Three Lab
      • Part Four Lab
    • Book Five
      • Part One Lab
      • Part Two Lab
      • Part Three Lab
  • CyberDefenders
    • XXE Infiltration Lab
    • T1594 Lab
    • RetailBreach Lab
    • DanaBot Lab
    • OpenWire Lab
    • BlueSky Ransomware Lab
    • Openfire Lab
    • Boss Of The SOC v1 Lab
    • GoldenSpray Lab
    • REvil Lab
    • ShadowRoast Lab
    • SolarDisruption Lab
    • Kerberoasted Lab
    • T1197 Lab
    • Amadey Lab
    • Malware Traffic Analysis 1 Lab
    • Insider Lab
    • Volatility Traces Lab
    • FalconEye Lab
    • GitTheGate Lab
    • Trident Lab
    • NerisBot Lab
  • Practical Windows Forensics
    • Data Collection
    • Examination
    • Disk Analysis Introduction
    • User Behavior
    • Overview of disk structures, partitions and file systems
    • Finding Evidence of Deleted Files with USN Journal Analysis
    • Analyzing Evidence of Program Execution
    • Finding Evidence of Persistence Mechanisms
    • Uncover Malicious Activity with Windows Event Log Analysis
    • Windows Memory Forensic Analysis
  • Hackthebox Rooms
    • Campfire-1
    • Compromised
    • Brutus
    • Trent
    • CrownJewel-1
  • WEInnovate Training
    • Weinnovate - Active Directory Task One
    • Build ELK Lab
      • Configure Elasticsearch and Kibana setup in ubuntu
      • Configure Fluent-Bit to send logs to ELK
      • Set up Winlogbeat & Filebeat for log collection
      • Send Logs from Winlogbeat through Logstash to ELK
      • Enable Windows Audit Policy & Winlogbeat
      • Elasticsearch API and Ingestion Pipeline
    • SOAR
      • Send Alerts To Email & Telegram Bot
      • Integrate Tines with ELK
    • SOC Practical Assessment
    • Lumma C2
    • Network Analysis
  • Build ELK Lab
    • Configure Elasticsearch and Kibana setup in ubuntu
    • Configure Fluent-Bit to send logs to ELK
    • Set up Winlogbeat & Filebeat for log collection
    • Send Logs from Winlogbeat through Logstash to ELK
    • Enable Windows Audit Policy & Winlogbeat
    • Elasticsearch API and Ingestion Pipeline
  • Build Home Lab - SOC Automation
    • Install & configure Sysmon for deep Windows event logging
    • Set up Wazuh & TheHive for threat detection & case management
    • Execute Mimikatz & create detection rules in Wazuh
    • Automate everything with Shuffle
    • Response to SSH Attack Using Shuffle, Wazuh, and TheHive
  • Home Lab (Attack & Defense Scenarios)
    • Pass-the-Hash Attack & Defense
    • Scheduled Task Attack & Defense
    • Kerberoasting Attack & Defense
    • Kerberos Constrained Delegation
    • Password Spraying Attack & Defense
    • Golden Ticket Attack & Defense
    • AS-REProasting Attack & Defense
    • DCSync Attack & Defense
  • Home Lab (FIN7 (Carbanak Group) – Point of Sale (POS) Attack on Hospitality Chains)
  • Home Lab (Lumma Stealer)
Powered by GitBook
On this page
  • Persistence Mechanism
  • Startup Folders
  • Windows Services
  • Scheduled Tasks
  • Persistence Analysis with Sysinternals Autoruns
  1. Practical Windows Forensics

Finding Evidence of Persistence Mechanisms

PreviousAnalyzing Evidence of Program ExecutionNextUncover Malicious Activity with Windows Event Log Analysis

Last updated 4 months ago

Persistence Mechanism

AutoRun keys: They are a common persistence mechanism used by attackers to maintain access to a compromised system. They are registry entries that specify programs or scripts that are automatically executed upon system boot or user login.

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Let's open SOFTWARE and NTUSER.DAT hives using Registry Explorer.

And for NTUSER.DAT hive.

We can also review the results previously obtained from RegRipper.

Startup Folders

In Windows, Startup Folders are directories where shortcuts to programs or scripts can be placed to execute automatically when the system boots or a user logs in. These folders are commonly used by legitimate applications but are also abused by attackers to establish persistence.

  • System-Wide Startup Folder Applies to all users on the system:

    • Path: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

  • Per-User Startup Folder Applies only to a specific user:

    • Path: C:\Users\<Username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp

Q) What is the name of the suspicious script in the Startup folder?

First, let's review the System Startup folder to identify any relevant findings.

Next, for the Per-User Startup Folder.

The $MFT can be analyzed to track the contents and modifications of Startup Folders during a forensic investigation. We already have an MFT.csv file available for this purpose.

Let's use Ubuntu on Windows.

cd /mnt/c/Cases/Analysis/NTFS
ls -l
grep StartUp MFT.csv

Let's verify if it still exists on the disk.

Windows Services

Windows services is a critical part of a forensic investigation, as services are often abused by attackers to maintain persistence, execute malicious payloads, or escalate privileges.

  • Persistence Mechanism: Attackers may create malicious services or hijack legitimate ones to ensure their payloads are executed on boot.

  • Privilege Escalation: Services often run with SYSTEM privileges, making them a target for abuse.

  • Indicator of Compromise (IOC): Unusual or unauthorized services can indicate malware or an adversary's presence.

Registry: HKLM\SYSTEM\CurrentControlSet\Services

Let's open the System hive using Registry Explorer.

We can also review the results previously obtained from RegRipper.

Scheduled Tasks

Registry:

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree

Scheduled Tasks are a critical mechanism in Windows often used for legitimate purposes such as system maintenance or application updates. However, they are frequently exploited by attackers as a persistence method or to execute malicious payloads at specified intervals.

  • Persistence Mechanism: Attackers use tasks to ensure payloads are executed repeatedly or at system startup.

  • Privilege Escalation: Tasks can run with elevated privileges, making them a potential target for exploitation.

  • Malware Execution: Tasks may run scripts or executables associated with malicious activity.

Path: C:\Windows\System32\Tasks

Let's load the SOFTWARE hive into Registry Explorer.

Or using RegRipper.

Let's check the path also C:\Windows\System32\Tasks.

Let's open them in Notepad.

Persistence Analysis with Sysinternals Autoruns

Sysinternals Autoruns is a powerful tool for analyzing persistence mechanisms on a Windows system.

Autoruns identifies and enumerates all programs configured to run automatically when the system starts or when a user logs in. This includes entries from various persistence locations like registry keys, startup folders, scheduled tasks, and more.

Detects all startup items, including those from known persistence mechanisms (e.g., registry Run keys, startup folders, services, and scheduled tasks).

  • Logon: Includes startup folder items and Run/RunOnce registry keys.

  • Services: Displays Windows services configured to run at startup.

  • Scheduled Tasks: Shows scheduled tasks, including hidden or malicious ones.

  • Explorer: Identifies shell extensions and browser helper objects.

Let's analyze the E:\ drive using Autoruns.