Beyond good ol’ Run key, Part 90

October 9, 2018 in Anti-Forensics, Autostart (Persistence)

After finding the ‘injection’ trick for Metro Apps I thought I will query the system files for any ‘inject’-ion related strings. This prove to be a fruitful exercise and I found one more possible key that I bet can be used for persistence. I say ‘bet’, because it’s one of the rare occasions in this series when I didn’t manage to successfully test it. It’s really late when I write it and I just found it  + I don’t really fully understand how to test it yet 🙂 More research is needed.

The key is loaded from DscCore.dll that in turn seems to be loaded by the Microsoft.Windows.DSC.CoreConfProviders.dll. The latter seems to be associated with the Desired State Configuration:

  • HKLM\SOFTWARE\Microsoft\
    Windows\CurrentVersion\
    WSMAN\NitsInjector=<DLL>

In any case, worth adding to your monitoring toolkit. If you manage to trigger it please let me know… Thanks!

Share this :)

Comments are closed.