Section 1.4: Malware Persistence Flashcards
Name the persistence mechanisms malware uses.
AutoStart, Service Creation/Replacement, Service Recovery, DLL hijacking, Scheduled Tasks, WMI Event Consumers. More Advanced: MS Add-ons, Local Group Policy, and BIOS Flashing.
Which persistence mechanisms account for more than 80% of what is seen in the wild?
AutoStart locations and services.
What are AutoStart Extension Points (ASEP) and why are they hard to secure? Are there any locations besides the registry?
Microsoft has over 50 of them. They are mostly found in the registry. They can also be found in the filesystem, which can be an advantage to an adversary since they won't need admin rights to create persistence.
What is a good method to find compromised AutoStart data across many systems in the enterprise?
Stacking.
Name two ways ASEP keys are triggered on a system.
When the user logs in and/or when a system boots.
List the registry key paths that run once a user logs in.
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run (RunOnce)
Software\Microsoft\Windows\CurrentVersion\RunOnce
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
Describe a feature of the Winlogon key relating to userinit.exe that an adversary can abuse.
Winlogon executes userinit.exe, which launches explorer.exe. The key can be modified to include a reference to a binary located elsewhere so that it also loads at boot.
In what folder can an adversary place a shortcut to maintain ASEP persistence?
%AppData%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
What are services?
They are designed to run applications in the background without user interaction. Many are required at system boot, such as the DHCP Client, Windows Event Log, Server, and Workstation services. They can be executables or loaded DLLs.
What is svchost.exe?
A generic Windows service host process; it is typical to see 5 or more of them running.
Where can I find service configurations?
Inside the registry: HKLM\SYSTEM\CurrentControlSet\Services. Here I can find the parameters for the name, display name, start value, required privileges, dependencies, and more. Start values include 0x00 (Boot Start) and 0x02 (Automatic). Be cautious, because a service start can also be triggered by events such as an IP address or hardware connection.
What is so dangerous about the “sc” command?
It can create a service that auto-loads a malicious DLL or executable. Type sc in PowerShell for help.
Name three ways services can be abused by the adversary.
New service creation, service replacement, and service failure recovery.
How did Mandiant APT1 use services to load malware?
They replaced the rarely used RIP Listener Service (IPRIP) and loaded their malware instead. Another service to look out for is the RasAuto service.
What is a technique to find new services in a system?
Baselining system services and stacking them throughout the enterprise.