This is a real oldie, but still worth a mention…
Java gives us a lot of persistence possibilities and one of them are environment variables; when set, they will be adhered to, and as such, can be abused:
If you see these set on the system, keep an eye on what they are pointing to.
This one is a curious one. I actually don’t know how to trigger it!
Yet, I will document some bits and bobs, so that you may take these entry points into consideration, at least from a DFIR perspective.
So, edgehtml.dll and mshtml.dll are monsters of a library (23-25MB+). One of the things they do is they provide functions that work in so-called Diagnostic Mode. When Browser is in that mode, it checks a number of environment variables, and if they are set, it will load a COM library specified by one of these entries (JS_DM_CLSID).
And all these Java Script/Diagnostic Mode environment variables it checks are:
I know it’s not a lot, but if JS_DM_CLSID is set as an environmental variable, you better check it’s value as it may be loaded by the browser. If you know more about the Diagnostic Mode, please let me know.