
Beyond good ol’ Run key, Part 123

November 18, 2019 in Anti-Forensics, Autostart (Persistence)

Yet another quick post. This time about a subset of libraries (and possibly programs, but I only saw the libraries) that reference Intel® VTune™ Amplifier.

As explained in a linked article, one can define the following environment variables to ensure the ITT libraries are loaded during the program run-time:

  • INTEL_LIBITTNOTIFY32=<DLL>
  • INTEL_LIBITTNOTIFY64=<DLL>

It’s probably a poor choice for a potential persistence mechanism. I only saw these referenced by tbbmalloc.dll, but there may be more programs/libraries. Even Mozilla seems to be using it in some of its builds.

Beyond good ol’ Run key, Part 122

November 9, 2019 in Anti-Forensics, Autostart (Persistence)

This is another quickie: there is an established process for using the OCSetup program that is available on a couple of Windows versions. When this tool is executed it checks a number of Registry entries which it then interprets, and executes programs (.exe) or installers (.msi, .msp) listed under these entries.

The entries of interest are as follows:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OptionalComponents\<ComponentName>\CustomSetup = <file>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OCSetup\Components\<ComponentName>\Component = <file>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OCSetup\Components\<ComponentName>\PatchFiles = <file>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OCSetup\Components\<ComponentName>\CustomSetup = <file>
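
For triage, the entries above can be pulled out of saved `reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup" /s` output. The Python below is an added example, not code from the original post; the function name and the sample entries are constructed for illustration.

```python
import re

BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup"
# Parent keys and value names taken from the list in the post (lower-cased,
# because registry key and value names are case-insensitive).
WATCHED = {
    (BASE + "\\OptionalComponents\\").lower(): {"customsetup"},
    (BASE + "\\OCSetup\\Components\\").lower(): {"component", "patchfiles", "customsetup"},
}
# reg.exe prints values as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s*(.*)$")

def find_ocsetup_entries(reg_query_output):
    """Return (component, value_name, data) for each value the post lists."""
    hits, key = [], None
    for line in reg_query_output.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip()          # a new key header starts a new block
            continue
        m = VALUE_LINE.match(line)
        if not (m and key):
            continue
        name, _type, data = m.groups()
        for prefix, names in WATCHED.items():
            if not key.lower().startswith(prefix):
                continue
            component = key[len(prefix):]
            # Only values directly under <ComponentName> are of interest.
            if component and "\\" not in component and name.lower() in names:
                hits.append((component, name, data))
    return hits

# Constructed sample input, not taken from a real system.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OCSetup\Components\ExampleComponent
    Component    REG_SZ    C:\Users\Public\example.msi
    Description    REG_SZ    constructed entry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OCSetup\Components\ExampleComponent\Sub
    Component    REG_SZ    C:\ignored\nested.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OptionalComponents\ExampleComponent
    CustomSetup    REG_SZ    C:\Users\Public\example.exe
    Installed    REG_DWORD    0x1
"""

if __name__ == "__main__":
    for component, name, data in find_ocsetup_entries(SAMPLE):
        print(f"{component}: {name} = {data}")
```

Any file reported this way is worth checking against the component set expected on that Windows build.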