Hancitor has added Registry Run keys to establish persistence. Helminth establishes persistence by creating a shortcut in the Start Menu folder. Hi-Zor creates a Registry Run key to establish persistence. Higaisa added a spoofed binary to the start-up folder for persistence. Honeybee uses a batch file that configures the ComSysApp service to autostart in order to establish persistence.
IcedID has established persistence by creating a Registry Run key. InvisiMole can place a .lnk file in the Startup folder to achieve persistence. JCry has created payloads in the Startup directory to maintain persistence. Kasidet creates a Registry Run key to establish persistence. Kazuar adds a sub-key under several Registry Run keys. Several Ke3chang backdoors achieved persistence by adding a Run key.
Kimsuky has placed scripts in the startup folder for persistence. Lazarus Group malware attempts to maintain persistence by saving itself in the Start menu folder or by adding a Registry Run key. Leviathan has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoor. LookBack sets up a Registry Run key to establish a persistence mechanism. Machete used the startup folder for persistence. Magic Hound malware has used Registry Run keys to establish persistence.
MarkiRAT can drop its payload into the Startup directory to ensure it automatically runs when the compromised system is started. Matryoshka can establish persistence by adding Registry Run keys. Metamorfo has used .LNK files in the startup folder to achieve persistence. MoleNet can achieve persistence on the infected machine by setting a Registry Run key.
Molerats saved malicious files within the AppData and Startup folders to maintain persistence. Naikon has modified a victim's Windows Run Registry key to establish persistence. NavRAT creates a Registry key to ensure a file gets executed upon reboot in order to establish persistence. Nebulae can achieve persistence through a Registry Run key.
ObliqueRAT can gain persistence by creating a shortcut in the infected user's Startup directory. Octopus achieved persistence by placing a malicious executable in the startup directory. Okrum establishes persistence by creating a .lnk shortcut to itself in the Startup folder. Patchwork has added the path of its second-stage malware to the startup folder to achieve persistence. One of its file stealers has also persisted by adding a Registry Run key. Pisloader establishes persistence via a Registry Run key.
PlugX adds Run key entries in the Registry to establish persistence. PoetRAT has added a registry key in the hive for persistence. PoisonIvy creates run key Registry entries pointing to a malicious executable dropped to disk. PowerDuke achieves persistence by using various Registry Run keys. PowerShower sets up persistence with a Registry run key. Pteranodon copies itself to the Startup folder to establish persistence.
QakBot can maintain persistence by creating an auto-run Registry key. Ramsay has created Registry Run keys to establish persistence.
Reaver creates a shortcut file and saves it in a Startup folder to establish persistence. RedLeaves attempts to add a shortcut file in the Startup folder to achieve persistence. If this fails, it attempts to add Registry Run keys. RogueRobin created a shortcut in the Windows startup folder to launch a PowerShell script each time the user logs in to establish persistence.
S-Type may create a .lnk file in the Startup folder. SDBbot has the ability to add a value to the Registry Run key to establish persistence if it detects it is running with regular user privilege. SeaDuke is capable of persisting via the Registry Run key or a .lnk file stored in the Startup directory. SharpStage has the ability to create persistence for the malware using the Registry autorun key and startup folder.
Sidewinder has added paths to executables in the Registry to establish persistence. Smoke Loader adds a Registry Run key for persistence and adds a script in the Startup folder to deploy the payload. Sykipot has been known to establish persistence by adding programs to the Run Registry key. TeamTNT has added batch scripts to the startup folder. TinyZBot can create a shortcut in the Windows startup folder for persistence.
TrickBot establishes persistence in the Startup folder. Karagany can create a link to itself in the Startup folder to automatically start itself upon system restart.
Tropic Trooper has created shortcuts in the Startup folder to establish persistence. Truvasys adds a Registry Run key to establish persistence. Turian can establish persistence by adding Registry Run keys. Additionally, a Turla custom executable containing Metasploit shellcode is saved to the Startup folder to gain persistence. Ursnif has used Registry Run keys to establish automatic execution at system startup.
Vasport copies itself to disk and creates an associated Run key Registry entry to establish persistence. Windshift has created LNK files in the Startup folder to establish persistence. Xbash can create a Startup item for persistence if it determines it is on a Windows system. Zebrocy creates an entry in a Registry Run key for the malware to execute on startup. Zeus Panda adds persistence by creating Registry Run keys.
This technique cannot be easily mitigated with preventive controls, since it abuses legitimate system features. Monitor the Registry for changes to Run keys that do not correlate with known software, patch cycles, and the like, and monitor the Startup folders for additions or changes. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the Run keys' Registry locations and the Startup folders.
Changes to these locations routinely happen under normal conditions when legitimate software is installed. To increase confidence that activity is malicious, data and events should not be viewed in isolation but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.
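The monitoring described above can be scripted without Autoruns. The following PowerShell is an added example, not code from ATT&CK, Autoruns or any of the malware reports above: it walks the Run/RunOnce keys (including the WOW6432Node views) and both Startup folders, resolves each entry to the file that actually runs (following .lnk shortcuts through the WScript.Shell COM object), checks its Authenticode signature, and flags entries that are unsigned, point at a missing file, live in a user-writable location, or are merely a signed hosting process such as rundll32.exe whose real payload sits in the arguments. The path and hosting-process lists are this example's own heuristics, not anything the page defines.

```powershell
# Added example: enumerate the ASEPs that T1547.001 abuses and flag entries worth a look.
# The "suspicious path" and "hosting process" lists below are heuristics chosen for this example.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDirs = @(
    [Environment]::GetFolderPath('Startup')        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')  # all-users Startup folder
)
# Locations a normal installer rarely uses for an autostart target, but malware often does.
$suspiciousPath = '\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\'
# Signed Windows binaries that only launch something else; the payload is in the arguments.
$hostingProcesses = 'cmd.exe', 'powershell.exe', 'wscript.exe', 'cscript.exe',
                    'rundll32.exe', 'regsvr32.exe', 'mshta.exe', 'msiexec.exe'
# Properties the registry provider adds to every Get-ItemProperty result; not real values.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Resolve-AutostartTarget {
    # Reduce a launch string to the file that runs. An unquoted path containing spaces
    # cannot be split reliably, so only its first token is returned; review those by hand.
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"')  { $exe = $Matches[1] }
    elseif ($Command -match '^\s*(\S+)') { $exe = $Matches[1] }
    else                                 { $exe = $Command }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Get-LnkTarget {
    param([string]$Path)
    $shell = New-Object -ComObject WScript.Shell
    return $shell.CreateShortcut($Path).TargetPath
}

$entries = New-Object System.Collections.Generic.List[object]
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }
        $entries.Add([pscustomobject]@{ Location = $key; Name = $p.Name; Command = [string]$p.Value })
    }
}
foreach ($dir in $startupDirs) {
    if (-not (Test-Path -Path $dir)) { continue }
    foreach ($f in (Get-ChildItem -Path $dir -File -Force | Where-Object Name -ne 'desktop.ini')) {
        $cmd = if ($f.Extension -eq '.lnk') { Get-LnkTarget $f.FullName } else { $f.FullName }
        $entries.Add([pscustomobject]@{ Location = $dir; Name = $f.Name; Command = $cmd })
    }
}

function Test-AutostartEntry {
    param($Entry)
    $target = Resolve-AutostartTarget $Entry.Command
    $status = if (-not $target) { 'NoTarget' }
              elseif (Test-Path -LiteralPath $target -PathType Leaf) {
                  (Get-AuthenticodeSignature -FilePath $target).Status
              }
              else { 'FileMissing' }
    $reasons = @()
    if ($target -match $suspiciousPath) { $reasons += 'target in user-writable location' }
    if ($status -ne 'Valid')            { $reasons += "signature $status" }
    if ($target -and $hostingProcesses -contains (Split-Path -Leaf $target)) {
        $reasons += 'hosting process; inspect the arguments'
    }
    [pscustomobject]@{
        Location  = $Entry.Location
        Name      = $Entry.Name
        Target    = $target
        Signature = $status
        Findings  = $reasons -join '; '
    }
}

$entries | ForEach-Object { Test-AutostartEntry $_ } |
    Where-Object { $_.Findings } | Sort-Object Location, Name | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so the HKLM keys and the all-users Startup folder are fully readable. A clean entry has an empty Findings column and is not printed; the useful output is the handful of rows that remain, which is the same "chain of behavior" triage the paragraph above describes: a signed Spotify updater in AppData is one unexplained finding, an unsigned binary in Temp launched through cmd.exe is three.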
VirusTotal also offers an API for programs such as Autoruns that makes it possible not only to scan many files at once, but also to do so much more efficiently by uploading only file hashes rather than entire files. If VirusTotal has recently received a file with the same hash, it returns the results from the most recent scan rather than performing the scan again.
You can analyze all autostart entries by enabling Check VirusTotal under Options, Scan Options. Autoruns uploads file hashes to VirusTotal, not the files themselves. As results come back, Autoruns replaces the text in the VirusTotal column with the number of engines that flagged the file out of the total number of engines that returned results, rendered as a hyperlink (see the figure); as an additional visual indicator, the link is colored red if any engines flagged the file as suspicious. Click the link to open the webpage where you can see details of the results. If VirusTotal has never seen the file and you have enabled Submit Unknown Images, Autoruns uploads the file and shows a link in its place; click that link to view the progress of the analysis. You can also analyze items one at a time by right-clicking an autostart and choosing Check VirusTotal from the popup menu.
On first use of VirusTotal, Autoruns opens your default web browser to the VirusTotal terms of service page and prompts you in a message box to agree with the terms before proceeding.
The filter options on the Options menu, Hide Microsoft Entries, Hide Windows Entries and Hide VirusTotal Clean Entries, do not require rescanning the system; they manipulate the previously collected results and can show hidden entries again instantly on demand. Hide Windows Entries is enabled by default. If the entry is a hosting process such as Cmd.exe, Rundll32.exe or Cscript.exe, Autoruns evaluates the file the host launches rather than the host itself. The behavior of the two Hide Microsoft/Windows options depends on whether Verify Code Signatures is also enabled. Without signature verification they rely only on the Company Name in the file's version resource, and, as mentioned earlier, it is easy for anyone to create a program that gets past that check, so enabling Verify Code Signatures is highly recommended. With signature verification enabled, Hide Windows Entries omits entries that are signed with the Microsoft Windows code-signing certificate; Windows components are signed with a different certificate from other Microsoft products. Hide Microsoft Entries omits entries that are signed with any Microsoft code-signing certificate that chains to a trusted root certificate authority on the computer. Some files signed by Microsoft carry a Company Name other than Microsoft in their version resource; consequently, these entries are hidden when signature verification is enabled but displayed when it is not. The SigCheck utility described in Chapter 9 reports both the Company Name and the name from the signing certificate, and the AutorunsC utility described later in this chapter can report both as well.
Hide VirusTotal Clean Entries hides every entry that no engine flagged; on a typical system this option should hide most entries. Note that when only a small number of the VirusTotal engines report an issue, it is usually a false positive.
Another good way to find items of interest is to type search text in the Filter text entry field in the toolbar (see the figure). As you type, Autoruns limits the displayed entries to rows that contain the exact, case-insensitive text you type; to remove the filter, simply delete the text from the entry field.
By default, Hide Empty Locations is enabled and Autoruns displays a shaded row only for ASEPs that have entries configured within them and that are not hidden. Autoruns scans a tremendous number of ASEPs, so disabling this option increases the amount of output dramatically; doing so can be useful to verify whether particular ASEPs are scanned, or to satisfy curiosity.
Scan and filter selections from the Options menu are displayed in the status bar and are saved in the registry. Right-clicking an entry displays the Entry submenu as a popup context menu.
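The same triage (hide verified Microsoft entries, surface VirusTotal hits and unknowns, distrust a Company Name that is not backed by a signature) can be done in bulk from the AutorunsC CSV output. The script below is an added example, not from the book or the Sysinternals package. It assumes autorunsc.exe is on the PATH, that the switches -accepteula -nobanner -a * -c -h -s -vt -v produce CSV with a Signer column whose verified entries start with "(Verified)" and a column whose name starts with "VT" holding "flagged|total", and that unknown files show a non-numeric value there; when the tool is not present it falls back to the constructed sample rows embedded in the script, so it runs anywhere.

```powershell
# Added example: triage AutorunsC CSV output the way the Hide options and VirusTotal column do.
# Column names and value formats below are assumptions about autorunsc's CSV; the rows are constructed.

$sampleCsv = @'
"Entry Location","Entry","Image Path","Signer","VT detection"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","SecurityHealth","c:\windows\system32\securityhealthsystray.exe","(Verified) Microsoft Windows","0|72"
"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","Spotify","c:\users\alice\appdata\roaming\spotify\spotify.exe","(Verified) Spotify AB","0|71"
"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","WinUpdt","c:\users\alice\appdata\local\temp\winupdt.exe","(Not verified) Microsoft Corporation","31|70"
"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup","helper.lnk","c:\programdata\helper\helper.dll","","Unknown"
'@

function Get-AutorunsRows {
    # Prefer a saved CSV, then a live autorunsc run, then the constructed sample.
    param([string]$CsvFile)
    if ($CsvFile) { return Import-Csv -Path $CsvFile }
    $exe = Get-Command autorunsc.exe -ErrorAction SilentlyContinue
    if ($exe) {
        # Run elevated for complete results. If characters come back NUL-separated the tool
        # wrote UTF-16: redirect to a file instead and read it with Import-Csv -Encoding Unicode.
        return & $exe.Source -accepteula -nobanner -a * -c -h -s -vt -v | ConvertFrom-Csv
    }
    return $sampleCsv | ConvertFrom-Csv
}

function Get-VtRatio {
    # "31|70" (or "31/70") becomes flagged/total; "Unknown", blank or anything else is $null.
    param([string]$Text)
    if ($Text -match '^\s*(\d+)\s*[|/]\s*(\d+)\s*$') {
        return [pscustomobject]@{ Flagged = [int]$Matches[1]; Total = [int]$Matches[2] }
    }
    return $null
}

function Find-SuspiciousAutoruns {
    # MinEngines mirrors the book's caveat: one or two engines flagging a file is usually noise.
    param($Rows, [int]$MinEngines = 3)
    $vtCol = @($Rows[0].PSObject.Properties.Name | Where-Object { $_ -like 'VT*' })[0]
    foreach ($row in $Rows) {
        # Trust the signature, never the Company Name: only "(Verified)" entries get hidden.
        $verified = $row.Signer -like '(Verified)*'
        $vt  = if ($vtCol) { Get-VtRatio $row.$vtCol } else { $null }
        $why = @()
        if (-not $verified)                  { $why += 'signature not verified' }
        if ($vt -eq $null)                   { $why += 'unknown to VirusTotal' }
        elseif ($vt.Flagged -ge $MinEngines) { $why += "VT $($vt.Flagged)/$($vt.Total)" }
        if ($why.Count -eq 0) { continue }   # verified and clean: the Hide options would drop it
        [pscustomobject]@{
            Location = $row.'Entry Location'
            Entry    = $row.Entry
            Image    = $row.'Image Path'
            Signer   = $row.Signer
            Why      = $why -join '; '
        }
    }
}

Find-SuspiciousAutoruns -Rows (Get-AutorunsRows) | Format-Table -AutoSize -Wrap
```

On the sample rows only WinUpdt (a forged Microsoft Company Name that does not verify, 31 of 70 engines) and helper.lnk (unsigned, never seen by VirusTotal) survive; the verified Windows and Spotify entries are dropped exactly as Hide Windows Entries and Hide VirusTotal Clean Entries would drop them in the GUI.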
Our assessment is designed to have very low impact on the thousands of computers in your enterprise on which it runs. It is also designed to run on a regular basis, perhaps quarterly, as a means of quickly identifying abnormal behavior.
We take this data and analyze it in SQL and Excel, which gives us the ability to identify the "low frequency" outliers. For example, below we see the DLLs loaded by svchost.exe. We routinely see unusual DLLs that are part of a targeted attack and that endpoint AV is completely blind to.
Other tools that rely on "known indicators" will miss them too. We do this same process for files, network IPs, prefetch files, services, scheduled tasks, etc.
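The outlier analysis described above is least-frequency-of-occurrence stacking, and it needs no SQL server to try. The PowerShell below is an added example and not the assessment's own tooling: it takes a fleet-wide inventory in the shape (Host, Process, Module, SHA256) that such a survey collects, groups by process and file hash rather than by path so a file copied under a new name still stacks with itself, and reports the groups present on at most a handful of hosts. The inventory rows and the short hash values are constructed for the example.

```powershell
# Added example: "find the few by leveraging the many" over a constructed module-load inventory.

$inventory = @'
Host,Process,Module,SHA256
WS001,svchost.exe,C:\Windows\System32\ntdll.dll,1111
WS002,svchost.exe,C:\Windows\System32\ntdll.dll,1111
WS003,svchost.exe,C:\Windows\System32\ntdll.dll,1111
WS004,svchost.exe,C:\Windows\System32\ntdll.dll,1111
WS005,svchost.exe,C:\Windows\System32\ntdll.dll,1111
WS001,svchost.exe,C:\Windows\System32\wuaueng.dll,2222
WS002,svchost.exe,C:\Windows\System32\wuaueng.dll,2222
WS003,svchost.exe,C:\Windows\System32\wuaueng.dll,2222
WS004,svchost.exe,C:\Windows\System32\wuaueng.dll,2222
WS005,svchost.exe,C:\Windows\System32\wuaueng.dll,2222
WS003,svchost.exe,C:\ProgramData\Updater\svcext.dll,3333
WS004,svchost.exe,C:\Users\Public\Libraries\svcext.dll,3333
WS002,explorer.exe,C:\Program Files\7-Zip\7-zip.dll,4444
WS001,explorer.exe,C:\Windows\System32\shell32.dll,5555
WS002,explorer.exe,C:\Windows\System32\shell32.dll,5555
WS003,explorer.exe,C:\Windows\System32\shell32.dll,5555
WS004,explorer.exe,C:\Windows\System32\shell32.dll,5555
WS005,explorer.exe,C:\Windows\System32\shell32.dll,5555
'@ | ConvertFrom-Csv

function Get-RareModules {
    # Report (process, hash) pairs seen on no more than $MaxHosts distinct hosts.
    param($Inventory, [int]$MaxHosts = 2)
    $fleet = @($Inventory.Host | Sort-Object -Unique).Count
    $Inventory |
        Group-Object Process, SHA256 |
        ForEach-Object {
            $hosts = @($_.Group.Host | Sort-Object -Unique)
            [pscustomobject]@{
                Process    = $_.Group[0].Process
                Module     = ($_.Group.Module | Sort-Object -Unique) -join ' | '
                SHA256     = $_.Group[0].SHA256
                HostCount  = $hosts.Count
                Prevalence = '{0:P0}' -f ($hosts.Count / $fleet)
                Hosts      = $hosts -join ','
            }
        } |
        Where-Object { $_.HostCount -le $MaxHosts } |
        Sort-Object HostCount, Process
}

Get-RareModules -Inventory $inventory | Format-Table -AutoSize -Wrap
```

Two rows come out: the 7-Zip shell extension on one host, and hash 3333 on two hosts under two different paths inside svchost.exe. The first is a reminder that rare is not the same as malicious; the second is the pattern the paragraph above describes, and the path diversity under a single hash is itself a lead. Replace the sample with a real collection (hash plus signer per module) and the same grouping scales to the whole fleet.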
We look for the "few" by leveraging the "many".
As a Windows computer powers up, the Session Manager (smss.exe) runs the programs listed in the BootExecute value of HKLM\SYSTEM\CurrentControlSet\Control\Session Manager before any subsystem or service starts, so of the registry locations from which a malicious process or module can be configured to launch, BootExecute is the earliest. On a clean system it holds the single entry autocheck autochk *. If instead you see an additional entry naming an oddly named executable, there are problems: that file will be sitting in your system32 folder, unless it has been removed by AV. Search the web for other samples of this technique using site:threatexpert.com together with the key name as your search term. I use this utility from the command line on machines where some behavioral or configuration anomaly has been observed. This holds for all the registry settings covered in this article, so I'll just use this first one as an example.
Early in startup the boot loader, winload.exe, loads the kernel and the boot-start drivers. From an elevated prompt, list the drivers configured to load during startup and review the entries under HKLM\SYSTEM\CurrentControlSet\Services for any driver running out of a user profile location or a temp directory.
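The two checks above, an unexpected BootExecute entry and a boot-time driver living somewhere a driver has no business living, are easy to script. The PowerShell below is an added example and not the article's own utility or command. It reads BootExecute and reports anything beyond the expected autocheck autochk *, then walks the Services key for kernel and file-system drivers with a boot, system or automatic start type, normalises the several forms ImagePath takes (\SystemRoot\..., \??\C:\..., %SystemRoot%\..., or a bare System32\drivers\name.sys), and flags images outside the Windows directory, under a user profile or temp path, or missing from disk. Run it from an elevated prompt.

```powershell
# Added example: earliest-start ASEP checks. BootExecute first, then boot/system/auto-start drivers.

$sessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$servicesKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Test-BootExecute {
    # A clean system carries exactly one entry, "autocheck autochk *". Extra entries are
    # sometimes legitimate (a pending chkdsk, some disk tools) but every one should be explained.
    $value = @((Get-ItemProperty -Path $sessionManager -Name BootExecute).BootExecute)
    $extra = @($value | Where-Object { $_ -ne 'autocheck autochk *' })
    [pscustomobject]@{
        BootExecute = $value -join ' | '
        Unexpected  = $extra -join ' | '
        Clean       = ($extra.Count -eq 0)
    }
}

function ConvertTo-DriverImagePath {
    # Normalise ImagePath to an absolute file system path.
    param([string]$ImagePath)
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                 # \??\C:\x.sys        -> C:\x.sys
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot # \SystemRoot\...     -> C:\Windows\...
    $p = [Environment]::ExpandEnvironmentVariables($p) # %SystemRoot%\...    -> C:\Windows\...
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }  # System32\drivers\x.sys
    return $p
}

function Get-EarlyStartDrivers {
    foreach ($svc in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $svc.PSPath
        # Type 1 = kernel driver, 2 = file-system driver; Start 0 = boot, 1 = system, 2 = auto.
        if (@(1, 2) -notcontains $props.Type -or @(0, 1, 2) -notcontains $props.Start) { continue }
        # A kernel driver with no ImagePath defaults to System32\drivers\<service name>.sys.
        $image = if ($props.ImagePath) { ConvertTo-DriverImagePath $props.ImagePath }
                 else { Join-Path $env:SystemRoot "System32\drivers\$($svc.PSChildName).sys" }
        $findings = @()
        if ($image -notlike "$env:SystemRoot\*")          { $findings += 'image outside Windows directory' }
        if ($image -match '\\(Users|Temp|ProgramData)\\') { $findings += 'user-profile or temp path' }
        if (-not (Test-Path -LiteralPath $image))         { $findings += 'image file not found' }
        [pscustomobject]@{
            Service   = $svc.PSChildName
            Start     = $props.Start
            ImagePath = $props.ImagePath
            Resolved  = $image
            Findings  = $findings -join '; '
        }
    }
}

Test-BootExecute | Format-List
Get-EarlyStartDrivers | Where-Object { $_.Findings } | Format-Table -AutoSize -Wrap
```

Third-party products do sometimes ship drivers under Program Files, so "outside Windows directory" is a prompt to verify the publisher, not a verdict; a driver under a user profile or a temp directory, or one whose image no longer exists on disk, is the case the article is pointing at. This script does not verify driver signatures, because drivers are usually catalog-signed; use Autoruns or SigCheck for that step.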