Beyond good ol’ Run key, Part 32
September 12, 2015 in Anti-Forensics, Autostart (Persistence), Compromise Detection, Forensic Analysis, Malware Analysis
Updated 2018-12-15
Here are some more persistence tricks combined into a single post. I normally don’t post links, but sometimes it really makes sense, and this is one such case. Below is a list of links covering many interesting persistence mechanisms that popped up on my radar; I don’t want to write about them in separate blog entries as others have already done a great job researching and covering them. Lots of very interesting concepts are covered here:
- Windows Platform Binary Table (very clever persistence mechanism used by Lenovo and HP)
- Phantom DLL loading – MSDTC/oci.dll
- BIOS Computrace persistence mechanism
- File modification a.k.a. trojanizing (typically system) binaries (patching the import table to add an extra DLL)
- Windows 8 lsasrv.dll allows loading an arbitrary DLL inside the lsass process
- http://redplait.blogspot.com/2015/02/lsasrvdlllsaploadlsadbextensiondll.html (this is a very good reversing blog and worth following)
- IME keylogging can be implemented by intercepting IME layouts; persistence is achieved along the way
- IME as a Possible Keylogger [PDF warning]
- WMI persistence (also including persistence using Managed Object Format (MOF))
- the below is a list of WMI-related documents that are a must-read and cover persistence as well:
- http://la.trendmicro.com/media/misc/understanding-wmi-malware-research-paper-en.pdf
- http://2014.hackitoergosum.org/slides/day1_WMI_Shell_Andrei_Dumitrescu.pdf
- https://dl.mandiant.com/EE/library/MIRcon2014/MIRcon_2014_IR_Track_There’s_Something_About_WMI.pdf
- https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/Matt%20Graeber%20&%20Willi%20Ballenthin%20&%20Claudio%20Teodorescu/DEFCON-23-Ballenthin-Graeber-Teodorescu-WMI-Attacks-Defense-.pdf
- https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf
- https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf
- https://github.com/fireeye/flare-wmi
- https://msdn.microsoft.com/en-us/library/aa823192%28v=vs.85%29.aspx
- http://www.codeproject.com/Articles/28226/Creating-WMI-Permanent-Event-Subscriptions-Using-M
- http://poppopret.blogspot.com/2011/09/playing-with-mof-files-on-windows-for.html
- https://khr0x40sh.wordpress.com/2014/06/10/moftastic_powershell/
- https://khr0x40sh.wordpress.com/2015/01/13/meterpreter-post-module-persistence-via-mofpowershell/
- COM Object hijacking (a persistence mechanism discussed on this blog previously; here are good examples of it being used by actual malware)
- Persistence via Application Compatibility Database (SDB) (Application Compatibility fixes (Fix It patches) / Shim Database / hot patching persistence)
- Not really a persistence mechanism, but a write-up on malware that establishes persistence only during system shutdown/reboot events
- Using Windows Script Host to maintain persistence by launching JavaScript
- Persistence via Language Bar Add-in (Microsoft\CTF\LangBarAddin)
- Persistence Through Shell Extension Handlers
- Very good list of persistence mechanisms
- Totally not Windows-related, but a very interesting extension of the whole ‘collect all autorun entries’ series: a list of Mac OS X autostart entries
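Since the WMI papers listed above all come down to the same primitive (a permanent event subscription: an __EventFilter, an __EventConsumer and a __FilterToConsumerBinding in root\subscription), here is an added example of how to enumerate them on a live host. This is editor-added code, not from this post or from any of the linked papers; the consumer class names it flags and the legacy MOF drop folder it lists are the ones the linked material describes, and the assumption that Get-CimInstance exposes the binding’s Filter/Consumer references as partial instances with their Name key populated is marked in the comments.

```powershell
# Editor-added example (not code from the post or the linked papers): list WMI
# permanent event subscriptions, the primitive the WMI references above use for
# persistence. A subscription is three objects in root\subscription:
#   __EventFilter              - WQL query that triggers it
#   __EventConsumer (subclass) - what runs when it fires
#   __FilterToConsumerBinding  - ties one filter to one consumer
# Consumer classes that run attacker-supplied code are flagged; everything else is
# listed so it can be diffed against a known-clean host (SCM Event Log Consumer
# bindings are a common legitimate entry).
$ns = 'root\subscription'
$codeExecConsumers = 'CommandLineEventConsumer', 'ActiveScriptEventConsumer'

$filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
$consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer)
$bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)

function Get-ConsumerPayload {
    param($Consumer)
    # Each consumer class keeps its payload in a different property.
    switch ($Consumer.CimClass.CimClassName) {
        'CommandLineEventConsumer'  { "$($Consumer.ExecutablePath) $($Consumer.CommandLineTemplate)".Trim() }
        'ActiveScriptEventConsumer' { if ($Consumer.ScriptFileName) { $Consumer.ScriptFileName } else { $Consumer.ScriptText } }
        default                     { '(not a code-execution consumer)' }
    }
}

$report = foreach ($b in $bindings) {
    # Assumption: Filter/Consumer are CIM references that Get-CimInstance returns
    # as partial instances whose key property (Name) is populated.
    $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }   | Select-Object -First 1
    $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name } | Select-Object -First 1
    $class = if ($c) { $c.CimClass.CimClassName } else { '(dangling reference)' }
    [pscustomobject]@{
        Filter     = $b.Filter.Name
        Query      = if ($f) { $f.Query } else { '(dangling reference)' }
        Consumer   = $b.Consumer.Name
        Class      = $class
        Payload    = if ($c) { Get-ConsumerPayload $c } else { '' }
        Suspicious = $class -in $codeExecConsumers
    }
}
$report | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap

# Filters and consumers that exist without a binding are worth listing too: an
# attacker who removed only the binding leaves the other two objects behind.
$boundFilters   = $bindings | ForEach-Object { $_.Filter.Name }
$boundConsumers = $bindings | ForEach-Object { $_.Consumer.Name }
$filters   | Where-Object { $_.Name -notin $boundFilters }   | Select-Object @{n='UnboundFilter';e={$_.Name}}, Query
$consumers | Where-Object { $_.Name -notin $boundConsumers } | Select-Object @{n='UnboundConsumer';e={$_.Name}}, @{n='Class';e={$_.CimClass.CimClassName}}

# Legacy MOF autocompile folder (the MOF links above): older Windows (XP/2003)
# compiled any .mof dropped here automatically. On current builds it is just a
# leftover, but a recently written file here is still a lead.
Get-ChildItem -Path "$env:SystemRoot\System32\wbem\mof" -Filter *.mof -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime
```

Run it elevated so the namespace is readable in full. A binding whose consumer is a CommandLineEventConsumer or ActiveScriptEventConsumer is not automatically malicious (some management software uses them), but each one should be traceable to an installer; the filter query tells you the trigger (a logon, a process start, a timer), which is what to pivot on in the event log.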
Update
After I posted this entry redp (author of http://redplait.blogspot.com blog) pinged me (thanks!) to add one more item I missed:
- RPC Extensions
starting with Windows 7, rpcrt4.dll and RpcEpMap.dll enumerate HKLM\Software\Microsoft\Rpc\Extensions and load the modules listed there
Update 2016
One more entry from the Adapt Forward web site:
- Netshell helper DLLs
Update 2017
- Turns out the Netshell helper DLLs had already been discussed online in 2010 and 2013 (thanks, Stefan K.)
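Several of the mechanisms in this post (the RPC Extensions key above, the Netshell helper DLLs, the Language Bar Add-in key and the MSDTC phantom oci.dll) share one shape: a registry location that names a DLL which a trusted Windows binary will load. Here is an added example that walks those locations and reports what each entry points at. This is editor-added code, not from this post or the linked write-ups; the NetSh layout (value name = helper, data = DLL) is well established, while the exact format of the Rpc\Extensions values, the FilePath/Enable value names under CTF\LangBarAddin and the MTxOCI\OracleOciLib value for MSDTC are assumptions stated in the comments, so check them against the linked articles on your own build.

```powershell
# Editor-added example (not code from the post or the linked write-ups):
# enumerate registry-backed DLL-loading locations named in this post and report,
# for each, the DLL it points at, whether the file exists and its Authenticode
# status. Where the key layout is not spelled out in the post it is an assumption
# (marked below); verify on your own build.
function Resolve-DllPath {
    param([string]$Value)
    # Expand %ENV% references; a bare file name is resolved the way the loader
    # resolves a system DLL, against System32.
    $p = [Environment]::ExpandEnvironmentVariables($Value.Trim('"'))
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path "$env:SystemRoot\System32" $p }
    return $p
}

function New-DllFinding {
    param([string]$Source, [string]$Entry, [string]$Raw)
    $path = Resolve-DllPath $Raw
    # A missing target is the phantom-DLL case: whoever drops a file at that
    # path gets loaded by the trusted host process.
    $sig = if (Test-Path -LiteralPath $path -PathType Leaf) {
        (Get-AuthenticodeSignature -FilePath $path).Status.ToString()
    } else { 'MISSING (hijackable)' }
    [pscustomobject]@{ Source = $Source; Entry = $Entry; Dll = $path; Signature = $sig }
}

$findings = [System.Collections.Generic.List[object]]::new()

# 1. RPC extensions (Windows 7+): rpcrt4.dll / RpcEpMap.dll load the modules
#    listed under this key. Assumption: each value's data, or its name when the
#    data is empty, is the DLL to load.
$rpc = 'HKLM:\SOFTWARE\Microsoft\Rpc\Extensions'
if (Test-Path $rpc) {
    $k = Get-Item $rpc
    foreach ($v in $k.GetValueNames()) {
        $data = [string]$k.GetValue($v)
        $findings.Add((New-DllFinding 'Rpc\Extensions' $v $(if ($data) { $data } else { $v })))
    }
}

# 2. Netsh helper DLLs: every run of netsh.exe loads each DLL named here
#    (value name = helper name, data = DLL file name).
$netsh = 'HKLM:\SOFTWARE\Microsoft\NetSh'
if (Test-Path $netsh) {
    $k = Get-Item $netsh
    foreach ($v in $k.GetValueNames()) {
        $findings.Add((New-DllFinding 'NetSh helper' $v ([string]$k.GetValue($v))))
    }
}

# 3. Language Bar add-ins: one {CLSID} subkey per add-in under CTF\LangBarAddin
#    in HKLM and HKCU. Assumption: FilePath holds the DLL and Enable gates it.
foreach ($hive in 'HKLM:', 'HKCU:') {
    $addins = "$hive\SOFTWARE\Microsoft\CTF\LangBarAddin"
    if (-not (Test-Path $addins)) { continue }
    foreach ($sub in Get-ChildItem $addins) {
        $fp = $sub.GetValue('FilePath')
        if ($fp) {
            $enabled = [int]$sub.GetValue('Enable', 0)
            $findings.Add((New-DllFinding "LangBarAddin $hive Enable=$enabled" $sub.PSChildName ([string]$fp)))
        }
    }
}

# 4. MSDTC phantom DLL: msdtc.exe tries to load the Oracle client library, which
#    Windows does not ship, so System32\oci.dll should not exist on a host without
#    Oracle software. Assumption: the name comes from MTxOCI\OracleOciLib and
#    defaults to oci.dll.
$mtx = 'HKLM:\SOFTWARE\Microsoft\MSDTC\MTxOCI'
$oci = if (Test-Path $mtx) { [string](Get-ItemProperty $mtx).OracleOciLib } else { '' }
if (-not $oci) { $oci = 'oci.dll' }
$findings.Add((New-DllFinding 'MSDTC phantom DLL' 'OracleOciLib' $oci))

$findings | Format-Table -AutoSize
```

Read the output in two directions: an entry whose DLL exists but is NotSigned, HashMismatch or signed by an unexpected publisher is a loaded payload to pull for analysis; an entry whose DLL is MISSING is an open phantom slot (expected for oci.dll on a box without Oracle software, and exactly what to watch for a file appearing at). For the two keys whose layout is marked as an assumption, confirm the value format against the linked write-ups before relying on the path the script resolves.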
Update 2017 #2
- Persistence via Outlook
- Persistence via Microsoft Add-ins
Update 2017 #3