Persistence methods used by malware

Bangaly Koita — Thu, 19 Jan 2023 17:17:59 +0000

Many malware used the persistence method to maintain the foothold on the system that was infected even when the system is restarted.

They are many technics often used by malware to maintain the persistency such as: registry keys, the startup folder, account manipulation, device registration and others Persistence, Tactic TA0003 – Enterprise | MITRE ATT&CK®.

Registry Keys used for persistency.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

Startup folder used for persistency.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Tools used to detect and remove malware using persistence method.

Autoruns Autoruns for Windows – Sysinternals | Microsoft Learn
Sysmon Sysmon – Sysinternals | Microsoft Learn
Endpoint Detection and Response such as:
Crowdstrike CrowdStrike: Stop breaches. Drive business
Sophos Intercept X Endpoint https://www.sophos.com/
SentinelOne SentinelOne | Autonomous AI Endpoint Security Platform | s1.ai
Microsoft Defender Microsoft Defender for Individuals | Microsoft 365
PowerShell logging, PowerShell GetWmi-Object, OSQuery, Antimalware Scan Interface How to detect persistence mechanisms with seven different tools (redcanary.com)

In conclusion, the persistence method is one of the favorites methods used by the threats actors to compromise the system. They are many malware that used the technics described above to maintain the foothold to the system. Following the best practices such as using tools to detect and remove the malware is the key to stay protected.

Bangaly Koita

Bangaly Koita is a SOC Analyst and Cyber Security researcher . As a passionate in cyber security, he spends most of the time writing articles and making videos online to share his knowledge and experience to the vast community of IT but in general Cyber Security. Feel free to contact me in case.

osintafrica.net

The post Persistence methods used by malware first appeared on osintafrica.

device registration - osintafrica

Persistence methods used by malware