Persistence in Memory

Persistence mechanisms

Persistence is easy to achieve on Windows, typically by modifying registry keys, because the OS exposes a large number of AutoStart Extensibility Points (ASEPs).

Run/RunOnce keys

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

Other keys

  • BootExecute key

  • WinLogon process keys

  • Startup keys

  • Services keys

  • Browser Helper Objects (BHO)

  • AppInit_DLLs

  • File Association keys

  • DLL Search Order Hijacking (Windows follows a fixed sequence of paths when loading the DLLs a program needs at launch; this can be abused by placing a malicious DLL with the same name in a path that is searched before the legitimate one)

  • Shortcut hijacking

Autoruns

  • The utility is a startup monitor that has extensive knowledge of auto-starting locations.

  • It provides information about programs configured to run during system bootup or login.

  • It also displays startup information for built-in Windows applications such as Internet Explorer, Explorer, and media players.

Global flags

Can be used to execute any binary after another application is closed, without being detected by Autoruns.exe (requires admin privileges).

  • Paste the below registry keys in an administrator cmd.exe

  • Run notepad and close it. You can see that evil.exe is executed once notepad is closed, and it won't be detected by Autoruns (search for it in the Autoruns filter).

Winesap

./vol.py -f ./memdump_Win10x64_15063.mem --profile Win10x64_15063 winesap --match

(download the plugin and add it into the plugins directory to use it)

  • The autoruns plugin for Volatility cross-checks common ASEPs against the running processes found in the memory dump.

  • Winesap checks more ASEPs and applies custom rules to detect suspicious paths and filenames.

  • Running without the --match flag shows every ASEP the plugin pulls from the registry, whereas the flag shows only the entries it considers suspicious (which may not be an exhaustive list).

  • It reports the entries the plugin considers possibly illegitimate on this system, with warnings such as "Suspicious path file" and "Suspicious shell execution", along with the full registry paths.
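To make the "custom rules" idea concrete, here is an added example (not the winesap plugin's own code) that applies winesap-style heuristics to a handful of constructed Run/RunOnce entries: the directory fragments, interpreter list and relative-path check are my own approximation of such rules, and the sample entries are invented for illustration.

```python
import re

# Constructed sample entries in the shape (key, value name, data), standing in
# for what the plugin pulls from the Run/RunOnce keys of a memory image.
SAMPLE_ASEPS = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r'"C:\Program Files\Windows Defender\MSASCuiL.exe"'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r"C:\Users\bob\AppData\Local\Temp\update.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce", "svc",
     "cmd.exe /c powershell -nop -w hidden -enc BASE64_PLACEHOLDER"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Sync",
     r'wscript.exe "C:\ProgramData\Sync\sync.vbs"'),
]

# Heuristics are an approximation of the checks described, not the plugin's real rule set.
SUSPICIOUS_DIR_FRAGMENTS = ("\\temp\\", "\\users\\public\\", "\\programdata\\",
                            "\\downloads\\", "$recycle.bin\\")
SHELL_HOSTS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
               "mshta.exe", "rundll32.exe", "regsvr32.exe")
ABSOLUTE_PATH = re.compile(r"^(%[^%]+%|[a-z]:)\\")   # drive letter or %VAR% root

def first_token(command):  # program part of a Windows command line, quotes stripped
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(None, 1)[0] if command else ""

def inspect_asep(key, name, data):  # return the list of warnings for one entry
    warnings = []
    lowered = data.lower()
    program = first_token(lowered)
    basename = program.rsplit("\\", 1)[-1]
    if any(frag in lowered for frag in SUSPICIOUS_DIR_FRAGMENTS):
        warnings.append("Suspicious path file")          # user-writable / staging dirs
    if basename in SHELL_HOSTS or basename + ".exe" in SHELL_HOSTS:
        warnings.append("Suspicious shell execution")    # interpreter launches a payload
    if program and not ABSOLUTE_PATH.match(program):
        warnings.append("Relative path (resolved via search order)")
    return warnings

def scan(entries):  # equivalent of a --match run: keep only entries that raised a warning
    return [(f"{key}\\{name}", data, w) for key, name, data in entries
            if (w := inspect_asep(key, name, data))]

if __name__ == "__main__":
    for path, data, w in scan(SAMPLE_ASEPS):
        print(f"{path}\n    {data}\n    -> {', '.join(w)}")
```

Of the five constructed entries, the two vendor binaries under Program Files and AppData\Local pass clean, while the Temp-resident executable, the cmd.exe/powershell chain and the wscript.exe launch from ProgramData are each reported with the rule(s) they triggered.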
