Persistence in Memory

Persistence mechanisms

Persistence is easy to achieve on Windows (by modifying registry keys) because the OS has many AutoStart Extensibility Points (ASEPs).

Run/RunOnce keys

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

Other keys

  • BootExecute key

  • WinLogon process keys

  • Startup keys

  • Services keys

  • Browser Helper Objects (BHO)

  • AppInit_DLLs

  • File Association keys

  • DLL Search Order Hijacking (Windows follows a fixed set of paths to load the DLLs a program needs when it is launched; this can be abused by placing a malicious DLL with the same name in a path that is searched before the legitimate one)

  • Shortcut hijacking

Autoruns

  • The utility is a startup monitor that has extensive knowledge of auto-starting locations.

  • It provides information about programs configured to run during system bootup or login.

  • It also displays startup information for built-in Windows applications such as Internet Explorer, Explorer, and media players.

Global flags

Using the silent-process-exit global flag, any binary can be executed after another application is closed without being detected by Autoruns.exe (requires admin privileges).

  • Paste the registry commands below into an administrator cmd.exe.

  • Run notepad and close it. evil.exe is executed once notepad is closed, and the entry is not detected by Autoruns (search for it in the filter box).


:: Image File Execution Options: set FLG_MONITOR_SILENT_PROCESS_EXIT (0x200 = 512) for notepad.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v GlobalFlag /t REG_DWORD /d 512
:: SilentProcessExit: ReportingMode 1 = launch the monitor process when notepad.exe exits
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v ReportingMode /t REG_DWORD /d 1
:: MonitorProcess is the command that gets launched (REG_SZ, the default type when /t is omitted)
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v MonitorProcess /d "C:\temp\evil.exe"

Winesap

./vol.py -f ./memdump_Win10x64_15063.mem --profile Win10x64_15063 winesap --match

(download the plugin and add it into the plugins directory to use it)

  • The Autoruns plugin for Volatility cross-checks common ASEPs against the running processes in the memory dump file.

  • Winesap checks for more ASEPs and applies custom rules to detect suspicious paths and filenames

  • Running without the --match flag shows all the ASEPs the plugin pulls from the registry, whereas using the flag shows only the entries it considers suspicious (this might not be an exhaustive list).

  • It reports the entries it considers not legitimate on this system with warnings such as “Suspicious path file” and “Suspicious shell execution”, along with the full registry paths.
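The two registry locations the global-flags technique above relies on are exactly what a winesap-style ASEP check has to cross-reference. As an added example (not the notes' own code and not the winesap plugin), the Python below walks a constructed in-memory copy of those keys, confirms that the GlobalFlag bit and ReportingMode together make MonitorProcess launch, and applies an assumed suspicious-path rule of the kind winesap reports as “Suspicious path file”.

```python
# Added example (not from the original notes or the winesap plugin): cross-check
# the IFEO GlobalFlag and SilentProcessExit keys for silent-exit persistence.
# Registry content is a constructed dict standing in for a parsed hive; the
# suspicious-path rule is this example's own assumption, not winesap's rule set.

FLG_MONITOR_SILENT_PROCESS_EXIT = 0x200  # GlobalFlag bit, 512 in decimal
LAUNCH_MONITOR_PROCESS = 0x1            # ReportingMode bit that launches MonitorProcess
IFEO = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
SPE = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit"

# Constructed sample hive: one hijacked image (notepad.exe) plus two decoys.
SAMPLE_REGISTRY = {
    IFEO + r"\notepad.exe": {"GlobalFlag": 512},
    SPE + r"\notepad.exe": {"ReportingMode": 1, "MonitorProcess": r"C:\temp\evil.exe"},
    IFEO + r"\calc.exe": {"GlobalFlag": 0x200},      # flag set, but nothing to launch
    SPE + r"\werfault.exe": {"ReportingMode": 2},     # dump only, no MonitorProcess
}

# Assumed rule: staging directories writable by low-privileged users.
SUSPICIOUS_PATH_PREFIXES = (r"c:\temp", r"c:\users\public", r"c:\windows\temp", r"c:\programdata")

def suspicious_path(path):
    """Return True when a monitor-process path looks like a staging location."""
    p = path.strip('"').lower()
    return p.startswith(SUSPICIOUS_PATH_PREFIXES) or "\\appdata\\" in p

def find_silent_exit_monitors(registry):
    """Return (image, monitor_process, reasons) for each entry that launches a process on exit."""
    reg = {k.lower(): v for k, v in registry.items()}  # registry paths are case-insensitive
    findings = []
    for key, values in reg.items():
        if not key.startswith(SPE.lower() + "\\"):
            continue
        image = key.rsplit("\\", 1)[1]
        monitor = values.get("MonitorProcess")
        if not monitor:
            continue  # ReportingMode alone launches nothing
        reasons = []
        gflag = reg.get(IFEO.lower() + "\\" + image, {}).get("GlobalFlag", 0)
        if gflag & FLG_MONITOR_SILENT_PROCESS_EXIT:
            reasons.append("IFEO GlobalFlag enables silent-exit monitoring")
        if values.get("ReportingMode", 0) & LAUNCH_MONITOR_PROCESS:
            reasons.append("ReportingMode launches MonitorProcess on exit")
        if suspicious_path(monitor):
            reasons.append("Suspicious path file")
        findings.append((image, monitor, reasons))
    return findings

if __name__ == "__main__":
    for image, monitor, reasons in find_silent_exit_monitors(SAMPLE_REGISTRY):
        print(f"{image}: {monitor} -> {'; '.join(reasons)}")
```

On a real dump the dict would be filled from the hive parser, and the same three checks distinguish a live MonitorProcess launcher from a leftover GlobalFlag or a dump-only ReportingMode.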
