Section 1.4: Malware Persistence Flashcards
Name the persistence mechanisms malware uses.
AutoStart locations, service creation/replacement, service recovery, DLL hijacking, scheduled tasks, and WMI event consumers. More advanced: Microsoft Office add-ins, Local Group Policy, and BIOS/firmware flashing.
Which persistence mechanisms account for more than 80% of what is seen in the wild?
AutoStart locations and services.
What are AutoStart Extension Points (ASEPs), why are they hard to secure, and are there locations besides the registry?
Microsoft has well over 50 of them, so there is no single place to watch. Most are registry keys, but some live in the file system (for example, the per-user Startup folder). File-system ASEPs inside the user's profile can be written without administrative rights, which is an advantage to an adversary running as a standard user.
What is a good method for finding malicious AutoStart entries across many systems in an enterprise?
Stacking: collect the entries from every host, count how many hosts each distinct entry appears on, and review the rare ones first. Legitimate entries cluster across the fleet; malware usually shows up on one or a few hosts.
At which two points do ASEP entries run?
At system boot (machine-wide keys under HKLM) and at user logon (per-user keys in NTUSER.DAT, i.e. HKCU).
List the registry keys that run when a user logs in.
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
(NTUSER.DAT is the per-user hive mounted as HKCU; the SOFTWARE hive is mounted as HKLM\SOFTWARE. RunOnce values are deleted once they have executed, so an entry found there may be a one-shot stager.)
Describe the Winlogon Userinit value and how an adversary abuses it.
Winlogon runs whatever the Userinit value lists (normally C:\Windows\system32\userinit.exe,), and userinit.exe in turn launches the shell, explorer.exe. The value is a comma-separated list, so appending the path of another executable (e.g. userinit.exe,C:\path\to\evil.exe) makes Winlogon run that binary at every user logon.
In which folder can an adversary place a shortcut to maintain ASEP persistence?
%AppData%\Microsoft\Windows\Start Menu\Programs\Startup (which expands to C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup). Anything in this folder, including a .lnk shortcut pointing at a binary stored elsewhere, runs when that user logs on, and the folder is writable without administrative rights.
What are services?
Services are designed to run applications in the background without user interaction. Many are required at system boot, such as DHCP Client, Windows Event Log, Server, and Workstation. A service is either a stand-alone executable or a DLL loaded into a host process such as svchost.exe.
What is svchost.exe?
The generic Windows host process for services implemented as DLLs. It is normal to see 5 or more instances, each started as svchost.exe -k <group> and loading the DLLs registered for that service group. The legitimate binary lives in C:\Windows\System32; a svchost.exe running from any other path, or one started without a -k argument, is suspicious.
Where is service configuration stored?
In the registry under HKLM\SYSTEM\CurrentControlSet\Services\<ServiceName>. Each key holds the display name, Start value, ImagePath, Type, required privileges, dependencies, the account the service runs as (ObjectName), and, for svchost-hosted services, a Parameters\ServiceDll value naming the DLL that actually runs. Start values: 0x00 Boot, 0x01 System, 0x02 Automatic, 0x03 Manual, 0x04 Disabled. Be cautious: a Manual service can still be trigger-started by events such as an IP address becoming available or a device being connected (see the service's TriggerInfo subkey), so Manual does not mean it never runs.
What is dangerous about the sc command?
sc.exe can create a service (sc create) that auto-starts any executable or DLL, reconfigure an existing one (sc config <name> binPath= ...), or set its recovery actions (sc failure). Run sc.exe with no arguments for help; in PowerShell type sc.exe rather than sc, because sc is an alias for Set-Content.
Name three ways an adversary abuses services.
New service creation, service replacement, and service failure recovery.
How did the Mandiant APT1 group use services to load malware?
They replaced the rarely used RIP Listener service (IPRIP) so that their malware loaded in its place. RasAuto is another rarely used service to watch for the same trick.
What is a technique for finding new services on a system?
Baseline the services on a known-good build and stack them across the enterprise; services that appear on only a handful of hosts stand out.
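The stacking described in the two answers above (AutoStart entries and services), as an added example that is not code from the original flashcards. Rows are (host, location, image) as you would export from Autoruns or a Kansa collection; for svchost-hosted services the Parameters\ServiceDll path is used as the image, since ImagePath is always svchost.exe. The hosts, user names and paths in SAMPLE_ROWS are constructed.

```python
"""Stack autorun and service entries collected from many hosts.

Added example (not from the original flashcards). Entries seen on very few
hosts are reviewed first; widely deployed entries are usually legitimate.
SAMPLE_ROWS is constructed, not real collection data.
"""
import re
from collections import defaultdict

# Per-user profile paths differ by user name; collapse them so the same
# binary under five different profiles stacks as one entry.
USER_DIR = re.compile(r"^c:\\users\\[^\\]+\\")

RUN_HKLM = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_HKCU = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SVC = r"HKLM\SYSTEM\CurrentControlSet\Services"

HOSTS = ["WS01", "WS02", "WS03", "WS04", "WS05"]
USERS = ["alice", "bob", "carol", "dave", "erin"]
SAMPLE_ROWS = []
for _host, _user in zip(HOSTS, USERS):          # entries present on every host
    SAMPLE_ROWS += [
        (_host, RUN_HKLM, r"C:\Program Files\AV\agent.exe"),
        (_host, SVC + r"\EventLog", r"%SystemRoot%\System32\wevtsvc.dll"),
        (_host, RUN_HKCU,
         r"C:\Users\%s\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background" % _user),
    ]
SAMPLE_ROWS += [
    ("WS04", RUN_HKLM, r"C:\Program Files\HP\HPWuSchd2.exe"),   # on two hosts
    ("WS05", RUN_HKLM, r"C:\Program Files\HP\HPWuSchd2.exe"),
    ("WS03", RUN_HKCU, r"C:\Users\carol\AppData\Roaming\update.exe"),  # one host, user-writable dir
    ("WS02", SVC + r"\iprip", r"C:\Windows\Temp\iprip.dll"),            # one host, replaced service
]


def normalize(image: str) -> str:
    """Lower-case, drop surrounding quotes and collapse the user profile name.
    Arguments are kept, so the same binary with different arguments stacks separately."""
    image = image.strip().strip('"').lower()
    return USER_DIR.sub(r"c:\\users\\<user>\\", image)


def stack(rows):
    """Map (location, normalized image) -> set of hosts the entry was seen on."""
    seen = defaultdict(set)
    for host, location, image in rows:
        seen[(location.lower(), normalize(image))].add(host)
    return seen


def rare_entries(rows, max_hosts=1):
    """Entries present on at most max_hosts hosts, least common first: the review queue."""
    rare = [(loc, img, sorted(hosts))
            for (loc, img), hosts in stack(rows).items() if len(hosts) <= max_hosts]
    return sorted(rare, key=lambda r: (len(r[2]), r[0], r[1]))


if __name__ == "__main__":
    for loc, img, hosts in rare_entries(SAMPLE_ROWS, max_hosts=2):
        print("%d host(s) %-14s %s :: %s" % (len(hosts), ",".join(hosts), loc, img))
```

With the threshold at one host the two planted entries (the Roaming update.exe and the iprip ServiceDll in C:\Windows\Temp) are the only results; raising it to two also surfaces the vendor utility on WS04/WS05, which is why the threshold is tuned to fleet size rather than fixed.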
Explain service recovery abuse and the best way to detect it.
Service recovery options let the Service Control Manager run a program when a service fails. An adversary sets the recovery action of a service (for example, Remote Desktop Services) to run malware and then crashes the service so the action fires; the program is stored in the service's FailureCommand registry value (set with sc failure). Hunt for it with Kansa's SvcFail module (Get-SvcFail.ps1), which collects services that have failure actions configured.
Methods for collecting service information from live and offline systems.
Live systems: sc query and sc qc, or PowerShell (Get-Service, Get-CimInstance Win32_Service, or a Kansa collection).
Offline systems: the SYSTEM registry hive (CurrentControlSet\Services) and Autoruns, which can be pointed at an offline system.
Also review service crashes: the Service Control Manager records unexpected terminations in the System event log (event IDs 7031 and 7034), and recovery actions only fire after a failure.
For what purposes would an adversary use scheduled tasks for persistence?
To run malware repeatedly on a schedule, on the local host or on a remote one, for example to keep dumping credentials or to move laterally.
Which binaries create scheduled tasks?
at.exe (legacy; jobs are stored as At*.job files and, on XP, logged in SchedLgU.txt) and schtasks.exe. PowerShell's Register-ScheduledTask is a third route.
Where are scheduled task files found in the file system?
C:\Windows\Tasks (legacy .job files) and C:\Windows\System32\Tasks (one XML file per task, in a folder tree mirroring the task path; Vista and later). Task metadata is also mirrored in the registry under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache.
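An offline parser for the XML task definitions under C:\Windows\System32\Tasks, as an added example that is not code from the original flashcards. SAMPLE_TASK is constructed to look like a typical malicious task (hidden, runs as SYSTEM, logon plus repeating trigger, encoded PowerShell, registered under the \Microsoft\Windows path); BENIGN_TASK is a constructed vendor task. The LOLBINS set, TRUSTED_PREFIXES and the author heuristic are assumptions for the example. On-disk task files are UTF-16 with a BOM, so parse_task_file() reads them as bytes and lets the XML parser decode them.

```python
"""Parse Scheduled Task XML definitions offline and flag common abuse patterns.

Added example (not from the original flashcards); both task bodies are constructed.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
           "mshta.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe", "certutil.exe"}
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
ENCODED_ARG = re.compile(r"(^|\s)-e(nc(odedcommand)?)?\s", re.IGNORECASE)

SAMPLE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2023-05-01T09:12:00</Date><Author>CORP\jsmith</Author>
    <URI>\Microsoft\Windows\Update\Sync</URI>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <TimeTrigger><StartBoundary>2023-05-01T09:15:00</StartBoundary>
      <Repetition><Interval>PT30M</Interval></Repetition></TimeTrigger>
  </Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId>
    <RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
    <Arguments>-NoP -W Hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA</Arguments>
  </Exec></Actions>
</Task>"""

BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Contoso AV</Author><URI>\Contoso\Updater</URI></RegistrationInfo>
  <Triggers><DailyTrigger><StartBoundary>2023-01-01T03:00:00</StartBoundary></DailyTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-19</UserId></Principal></Principals>
  <Actions Context="Author"><Exec><Command>"C:\Program Files\Contoso\updater.exe"</Command>
    <Arguments>/quiet</Arguments></Exec></Actions>
</Task>"""


def _text(el, path):
    found = el.find(path, NS)
    return (found.text or "").strip() if found is not None else ""


def assess(task):
    """Heuristic flags; each one is a reason to look closer, not a verdict."""
    flags = []
    for command, args in task["actions"]:
        cmd = command.strip('"').lower()
        if cmd.rsplit("\\", 1)[-1] in LOLBINS:
            flags.append("interpreter-lolbin")
        if ENCODED_ARG.search(args) or "hidden" in args.lower() or "downloadstring" in args.lower():
            flags.append("encoded-or-hidden-args")
        if cmd and not cmd.startswith(TRUSTED_PREFIXES):
            flags.append("command-outside-trusted-dirs")
    if task["hidden"]:
        flags.append("hidden")
    if task["user"].upper() == "S-1-5-18" or task["user"].lower() in {"system", "nt authority\\system"}:
        flags.append("runs-as-system")
    # Microsoft's own tasks under \Microsoft\Windows carry a Microsoft author or a
    # "$(@%SystemRoot%\...)" resource string; anything else there looks like masquerading.
    if task["uri"].lower().startswith("\\microsoft\\windows\\") and \
            not task["author"].lower().startswith(("microsoft", "$(")):
        flags.append("non-microsoft-author-in-microsoft-path")
    return list(dict.fromkeys(flags))


def parse_task(xml_data):
    """Extract registration info, principal, triggers and Exec actions from task XML."""
    root = ET.fromstring(xml_data)
    triggers_el = root.find("t:Triggers", NS)
    task = {
        "uri": _text(root, "t:RegistrationInfo/t:URI"),
        "author": _text(root, "t:RegistrationInfo/t:Author"),
        "date": _text(root, "t:RegistrationInfo/t:Date"),
        "user": _text(root, "t:Principals/t:Principal/t:UserId"),
        "run_level": _text(root, "t:Principals/t:Principal/t:RunLevel"),
        "hidden": _text(root, "t:Settings/t:Hidden").lower() == "true",
        "triggers": [c.tag.split("}")[-1] for c in triggers_el] if triggers_el is not None else [],
        "actions": [(_text(e, "t:Command"), _text(e, "t:Arguments"))
                    for e in root.iterfind("t:Actions/t:Exec", NS)],
    }
    task["flags"] = assess(task)
    return task


def parse_task_file(path):
    """Read a real task file (UTF-16 with BOM) as bytes so ElementTree decodes it."""
    with open(path, "rb") as fh:
        return parse_task(fh.read())


if __name__ == "__main__":
    for body in (SAMPLE_TASK, BENIGN_TASK):
        t = parse_task(body)
        print(t["uri"], t["author"], t["triggers"], t["actions"], t["flags"])
```

Walk C:\Windows\System32\Tasks recursively and feed every file to parse_task_file(); tasks with an empty flag list still belong in the stack, since a task that is merely rare across the fleet is just as interesting as one that trips a heuristic.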
Name the DLL hijacking variants.
DLL search order hijacking, phantom DLL hijacking (a DLL the program asks for but that does not exist anywhere), DLL side-loading, and relative path DLL hijacking.
What is the main issue with how DLLs are loaded when an executable runs on Windows?
Except for the DLLs listed in the KnownDLLs registry key (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs), DLLs are not loaded from a hardcoded location; the loader resolves them by name through the DLL search order. An adversary looks for a DLL that an executable loads by name, that is not in KnownDLLs, and that does not sit in the executable's own directory (for example, one that lives in System32), then plants a DLL with the same name in the executable's directory, which is searched before System32.
Explain a real example of DLL search order hijacking.
explorer.exe lives in C:\Windows, while one of the DLLs it loads, ntshrui.dll, lives in C:\Windows\System32 and is not protected by KnownDLLs. Because the application directory is searched before System32, an adversary who drops a malicious ntshrui.dll into C:\Windows gets it loaded by every new explorer.exe process. Writing to C:\Windows takes administrative rights, so this buys persistence rather than privilege escalation.
List the DLL search order with SafeDllSearchMode enabled.
DLLs already loaded in memory (matched by name), side-by-side (SxS) components named in the application manifest, the KnownDLLs list, the directory of the executable, the System32 folder, the 16-bit System folder, the Windows folder, the current working directory, and the directories in the system %PATH%. With SafeDllSearchMode disabled (the legacy order), the current directory moves up to directly after the executable's directory, which is why a DLL planted in a document folder could be loaded by an application opening a file there.
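A simulator of the search order in the answer above, applied to the explorer.exe/ntshrui.dll case, as an added example that is not code from the original flashcards. The "file system" is a constructed set of lower-case paths, KNOWN_DLLS is a small subset of a typical KnownDLLs list, and SxS manifest lookup is not modelled. It goes slightly beyond the single example on the page by also showing the KnownDLLs short-circuit, a phantom DLL, and what changes when SafeDllSearchMode is off.

```python
"""Simulate Windows DLL resolution and show search-order hijacking.

Added example (not from the original flashcards). BASE_FS and KNOWN_DLLS are constructed.
"""
SYSTEM32 = r"c:\windows\system32"
SYSTEM16 = r"c:\windows\system"
WINDIR = r"c:\windows"
# Subset of a typical KnownDLLs list (assumption for this example).
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "shell32.dll", "advapi32.dll", "ole32.dll"}

# Constructed: explorer.exe lives in C:\Windows, the DLLs it needs live in System32.
BASE_FS = {
    r"c:\windows\explorer.exe",
    r"c:\windows\system32\kernel32.dll",
    r"c:\windows\system32\shell32.dll",
    r"c:\windows\system32\ntshrui.dll",
}


def search_order(app_dir, cwd, path_dirs, safe=True):
    """Directories searched, in order, after loaded modules and KnownDLLs are checked."""
    order = [("application directory", app_dir), ("System32", SYSTEM32),
             ("16-bit System", SYSTEM16), ("Windows", WINDIR), ("current directory", cwd)]
    if not safe:                       # legacy order: current directory is searched second
        order.insert(1, order.pop(4))
    return order + [("PATH", d) for d in path_dirs]


def resolve(dll, app_dir, cwd, path_dirs, fs, loaded=None, safe=True):
    """Return (path, stage) for where the loader would take dll from, or (None, 'not found')."""
    name = dll.lower()
    if loaded and name in loaded:      # a module already in the process is reused by name
        return loaded[name], "already loaded"
    if name in KNOWN_DLLS:             # KnownDLLs always come from System32, no search at all
        return SYSTEM32 + "\\" + name, "KnownDLLs"
    dirs = search_order(app_dir.lower(), cwd.lower(), [p.lower() for p in path_dirs], safe)
    for stage, directory in dirs:
        candidate = directory + "\\" + name
        if candidate in fs:
            return candidate, stage
    return None, "not found"


def hijackable_imports(imports, app_dir, fs):
    """Imports that resolve past the application directory (or not at all) and are not
    KnownDLLs: a same-named DLL planted in app_dir would win. Returns (dll, plant_path)."""
    out = []
    for dll in imports:
        _, stage = resolve(dll, app_dir, app_dir, [], fs)
        if stage not in ("KnownDLLs", "application directory"):
            out.append((dll.lower(), app_dir.lower() + "\\" + dll.lower()))
    return out


if __name__ == "__main__":
    path_dirs = [SYSTEM32, WINDIR]
    cwd = r"c:\users\alice\documents"
    print(resolve("ntshrui.dll", WINDIR, cwd, path_dirs, BASE_FS))
    planted = BASE_FS | {r"c:\windows\ntshrui.dll"}            # the attacker's copy
    print(resolve("ntshrui.dll", WINDIR, cwd, path_dirs, planted))
    print(resolve("kernel32.dll", WINDIR, cwd, path_dirs, BASE_FS | {r"c:\windows\kernel32.dll"}))
    print(hijackable_imports(["kernel32.dll", "shell32.dll", "ntshrui.dll"], WINDIR, BASE_FS))
```

hijackable_imports() is the defender's pre-emptive check as much as the attacker's reconnaissance: run it over the import table of any binary that runs from a directory an adversary could write to, and the result is the list of file names that should never appear next to it.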