Common persistence techniques: registry lookups for the blue team

Mohan reddy
Redteam & Blueteam Series
3 min read, May 3, 2020

====================

REGISTRY LOOKUPS

====================

HKEY_CURRENT_USER\Volatile Environment: details of the interactive session (USERNAME, LOGONSERVER, HOMEPATH, SESSIONNAME and, for RDP sessions, CLIENTNAME). It is rebuilt at each logon, so it only describes the current session.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\SecurityLayer: 0 = legacy RDP security layer, 1 = negotiate, 2 = TLS required. Set it to 2, and set UserAuthentication in the same key to 1 so Network Level Authentication is required before a session is created. A SecurityLayer of 0 reopens the unauthenticated pre-logon attack surface and allows a downgrade away from TLS, so treat a change here as suspicious.

DLL LOADING IN LSASS

HKLM\SYSTEM\CurrentControlSet\Services\NTDS\LsaDbExtPt

HKLM\SYSTEM\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt

Both are string values read by the directory service on domain controllers and name a DLL that is loaded into lsass.exe. They are not set on a default install, so any value present deserves a look at the DLL it points to.

SHIM CACHE (AppCompatCache):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache (binary value AppCompatCache)

Records the path and last-modified time of executables the system has seen. The timestamp is the file's modification time, not an execution time, and on Windows 8 and later an entry only proves the file was examined, not that it ran. The cache is flushed to the registry at shutdown, so parse it from an offline SYSTEM hive or after a reboot to see current data.

BAM (Background Activity Moderator): Windows 10 1709 and later

BAM is a Windows service that controls the activity of background applications.

For each user SID it keeps one value per executable: the value name is the full path (in \Device\HarddiskVolumeN\ form) and the first 8 bytes of the binary data are a FILETIME of the last execution. The key moved in 1809:

HKLM\SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID} (1709 to 1803)

HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\{SID} (1809 and later)

DAM (Desktop Activity Moderator) keeps the same layout under ...\Services\dam\.
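As an added example (not part of the original post), a PowerShell function that walks both BAM key locations and the matching DAM keys, decodes the FILETIME in each value and resolves the SID to an account name. The path filter at the end is my own triage choice. Run it from an elevated prompt; the UserSettings keys are not readable by standard users.

```powershell
# Added example: decode BAM/DAM last-execution timestamps from the live registry.
# Assumption: Windows 10 1709 or later, elevated prompt (keys are ACL'd to SYSTEM/Administrators).
function Get-BamEntry {
    $roots = @(
        'HKLM:\SYSTEM\CurrentControlSet\Services\bam\UserSettings',        # 1709 to 1803
        'HKLM:\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings',  # 1809 and later
        'HKLM:\SYSTEM\CurrentControlSet\Services\dam\UserSettings',        # DAM uses the same layout
        'HKLM:\SYSTEM\CurrentControlSet\Services\dam\State\UserSettings'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($sidKey in Get-ChildItem $root) {
            $sid = $sidKey.PSChildName
            # Translate the SID to an account name; a SID of a deleted account is kept raw.
            try {
                $user = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value
            } catch { $user = $sid }
            foreach ($name in $sidKey.GetValueNames()) {
                # Executables are REG_BINARY; 'Version' and 'SequenceNumber' are DWORD housekeeping values.
                if ($sidKey.GetValueKind($name) -ne [Microsoft.Win32.RegistryValueKind]::Binary) { continue }
                $data = $sidKey.GetValue($name)
                if ($data.Length -lt 8) { continue }
                # Bytes 0-7: little-endian FILETIME (UTC) of the last execution.
                $fileTime = [BitConverter]::ToInt64($data, 0)
                [PSCustomObject]@{
                    User        = $user
                    Executable  = $name    # NT device path, e.g. \Device\HarddiskVolume3\Windows\System32\cmd.exe
                    LastExecUtc = [DateTime]::FromFileTimeUtc($fileTime)
                    Source      = $root
                }
            }
        }
    }
}

# Triage: anything run from a user-writable location, newest first.
Get-BamEntry |
    Where-Object { $_.Executable -match '\\(Users|Temp|ProgramData|Public)\\' } |
    Sort-Object LastExecUtc -Descending |
    Format-Table User, LastExecUtc, Executable -AutoSize
```

Drop the Where-Object filter to see the complete list; the device-path form means you need to map \Device\HarddiskVolumeN back to a drive letter (for example with fsutil volume list) before searching the file system.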

AMCACHE:

Amcache.hve is a registry hive file, not a key in the live registry. ProgramDataUpdater (a task associated with the Application Experience service) populates it as programs are installed and run. Entries carry the full path, file size, publisher, PE compile time and the SHA-1 of the first 31 MB of the file, which makes it a good source of hashes for binaries that have since been deleted. It lives at

C:\Windows\AppCompat\Programs\Amcache.hve

and can be loaded with reg load or parsed offline with a hive parser.

**** REMOTE ACCESS ****

REMOTELY MAPPED SHARES:

NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

Each subkey is a volume or share the user has opened in Explorer; remote shares appear as ##server#share.

REMOTE DESKTOP (outbound connections made by this user):

NTUSER\Software\Microsoft\Terminal Server Client\Servers

One subkey per destination host, with a UsernameHint value holding the account that was used.

******** REMOTE EXECUTION ********

PsExec:

On the source host: HKCU\Software\Sysinternals\PsExec\EulaAccepted (set to 1 the first time PsExec runs under that account).

On the target host PsExec copies PSEXESVC.exe into ADMIN$ (%SystemRoot%) and installs it as a service:

HKLM\SYSTEM\CurrentControlSet\Services\PSEXESVC

The "-r" option lets the attacker rename both the service and the binary, so do not key detection on the name alone: look for any new service whose ImagePath is an executable sitting directly in %SystemRoot%, and for event ID 7045 (new service installed) in the System log on the target.

Scheduled Tasks:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks (one {GUID} subkey per task, with Path, Author and the binary Actions and Triggers blobs)

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree (the folder hierarchy Task Scheduler displays; each leaf has an Id value pointing at its Tasks entry)

The task XML itself is stored under %SystemRoot%\System32\Tasks.

Services:

HKLM\SYSTEM\CurrentControlSet\Services

Check ImagePath, Start and, for svchost-hosted services, Parameters\ServiceDll. A service added for persistence usually shows a recent key write time and a binary outside System32.
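An added example, not from the original post, that turns the PsExec and Services notes above into a check. Because the service name is attacker-chosen (-r), the first function keys on what PsExec cannot change: a Win32 service whose binary sits directly in %SystemRoot% (the ADMIN$ share) rather than under System32 or Program Files. The second function reads the source-side EulaAccepted artefact from every loaded user hive. Names in the output objects are mine.

```powershell
# Added example: hunt for PsExec-style services and for users who have run PsExec.
function Get-AdminShareService {
    $svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $winDir  = $env:SystemRoot.TrimEnd('\')
    foreach ($key in Get-ChildItem $svcRoot) {
        $image = $key.GetValue('ImagePath')
        $type  = $key.GetValue('Type')
        # 0x10 = own process, 0x20 = shared process; kernel drivers (0x1, 0x2) are skipped.
        if (-not $image -or ($type -ne 0x10 -and $type -ne 0x20)) { continue }
        $expanded = [Environment]::ExpandEnvironmentVariables([string]$image)
        # Pull the executable out of a possibly quoted command line that carries arguments.
        if ($expanded -match '^\s*"?(?<exe>[^"]+?\.exe)') { $exe = $Matches.exe } else { continue }
        $dir = Split-Path $exe -Parent
        $reasons = @()
        if ($dir -ieq $winDir)                 { $reasons += 'binary directly in %SystemRoot% (ADMIN$)' }
        if ($key.PSChildName -ieq 'PSEXESVC')  { $reasons += 'default PsExec service name' }
        if ($expanded -match 'psexe')          { $reasons += 'PsExec string in ImagePath' }
        if ($reasons.Count -eq 0) { continue }
        [PSCustomObject]@{
            Service   = $key.PSChildName
            ImagePath = $expanded
            Start     = $key.GetValue('Start')   # 3 = manual, which is what PsExec sets
            Exists    = Test-Path $exe           # PsExec normally removes binary and key on exit
            Reason    = $reasons -join '; '
        }
    }
}

# Source-side artefact: which loaded user hives have accepted the PsExec EULA?
function Get-PsExecEulaAcceptance {
    foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS') {
        $sid = $hive.PSChildName
        if ($sid -like '*_Classes') { continue }
        $k = "Registry::HKEY_USERS\$sid\Software\Sysinternals\PsExec"
        if (Test-Path $k) {
            [PSCustomObject]@{ SID = $sid; EulaAccepted = (Get-ItemProperty $k).EulaAccepted }
        }
    }
}

Get-AdminShareService | Format-Table -AutoSize
Get-PsExecEulaAcceptance
```

A service key that is still present while the binary is gone (Exists = False) means the session ended abnormally or the key was left behind on purpose; either way it is worth correlating with the 7045 event and the SMB logon that preceded it.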

The following Registry keys set where Explorer looks for the Startup folder. Changing the Startup or Common Startup value redirects that lookup to a folder the attacker controls, so anything placed there runs at logon without the real Startup folder ever being touched:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders (S-1-5-18 is the SYSTEM account)
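An added example (my code, not the post's) that checks the four Startup-folder values above for redirection. The key and value names are the real ones; the "expected" locations are the Windows 10 defaults and are an assumption, so adjust them for hosts with folder redirection policies. Whatever the resolved folder contains is listed, because that is what actually runs at logon.

```powershell
# Added example: detect Startup-folder redirection via Shell Folders / User Shell Folders.
function Get-StartupFolderCheck {
    $hkcuUsf = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    $hkcuSf  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
    $hklmUsf = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    $hklmSf  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
    # Assumed defaults (Windows 10); adjust on hosts that use folder redirection by policy.
    $userStartup   = '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    $commonStartup = '%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup'
    $checks = @(
        @{ Key = $hkcuUsf; Value = 'Startup';        Expected = $userStartup },
        @{ Key = $hkcuSf;  Value = 'Startup';        Expected = $userStartup },
        @{ Key = $hklmUsf; Value = 'Common Startup'; Expected = $commonStartup },
        @{ Key = $hklmSf;  Value = 'Common Startup'; Expected = $commonStartup }
    )
    foreach ($c in $checks) {
        $raw = $null; $resolved = $null; $redirected = $false; $contents = ''
        if (Test-Path $c.Key) {
            # Read the stored string without expanding %VAR% so the report shows what is really in the registry.
            $raw = (Get-Item $c.Key).GetValue($c.Value, $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
        }
        if ($raw) { $resolved = [Environment]::ExpandEnvironmentVariables([string]$raw) }
        $expected = [Environment]::ExpandEnvironmentVariables($c.Expected)
        if ($resolved) { $redirected = ($resolved.TrimEnd('\') -ine $expected.TrimEnd('\')) }
        if ($resolved -and (Test-Path $resolved)) {
            # Everything in the resolved folder runs at logon, wherever that folder is.
            $contents = (Get-ChildItem $resolved -Force -File -ErrorAction SilentlyContinue | ForEach-Object Name) -join '; '
        }
        [PSCustomObject]@{
            Location   = "$($c.Key)\$($c.Value)"
            Configured = $raw
            ResolvesTo = $resolved
            Redirected = $redirected
            Contents   = $contents
        }
    }
}

Get-StartupFolderCheck | Format-List
```

A Redirected = True row with a non-empty Contents column is the case to investigate first; an empty Configured value (the value was deleted) also changes behaviour and should be explained.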

***** UserAssist *****

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count

Look mainly at two subkeys: {CEBFF***} records executables, {F4E57C4B***} records shortcuts (.lnk).

The UserAssist key tracks programs the user launched through Explorer (Start menu, desktop, shortcuts); launches from a console or from another process are not recorded here.

Value names are weakly obfuscated with ROT-13, so search for ".rkr" instead of ".exe" and ".yax" instead of ".lnk". On Windows 7 and later the 72-byte binary data holds the run count at offset 4 and the last execution FILETIME at offset 60.
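The decoding described above, as an added example that is not from the original post. ROT-13 only touches A-Z and a-z, so the known-folder GUID prefixes and digits in the value names come out intact. The full GUIDs for the two subkeys and the 72-byte record layout (run count at offset 4, FILETIME at offset 60) are stated here as assumptions for Windows 7 and later.

```powershell
# Added example: decode UserAssist value names (ROT-13) and their run count / last-run time.
function ConvertFrom-Rot13 {
    param([Parameter(Mandatory)][string]$Text)
    $out = foreach ($ch in $Text.ToCharArray()) {
        $c = [int]$ch
        if     ($c -ge 65 -and $c -le 90)  { [char](65 + (($c - 65 + 13) % 26)) }   # A-Z
        elseif ($c -ge 97 -and $c -le 122) { [char](97 + (($c - 97 + 13) % 26)) }   # a-z
        else                               { $ch }                                  # digits, GUID braces, punctuation
    }
    -join $out
}

function Get-UserAssistEntry {
    # Assumed: the two well-known UserAssist GUIDs for executables and shortcuts.
    $guids = @{
        '{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}' = 'Executable'
        '{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}' = 'Shortcut'
    }
    foreach ($guid in $guids.Keys) {
        $path = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\$guid\Count"
        if (-not (Test-Path $path)) { continue }
        $key = Get-Item $path
        foreach ($name in $key.GetValueNames()) {
            $data = $key.GetValue($name)
            # Skip the short UEME_CTLSESSION record and anything not in the 72-byte layout.
            if (-not ($data -is [byte[]]) -or $data.Length -lt 68) { continue }
            $runCount = [BitConverter]::ToUInt32($data, 4)    # offset 4: run count
            $fileTime = [BitConverter]::ToInt64($data, 60)    # offset 60: last execution FILETIME
            $lastRun  = $null
            if ($fileTime -gt 0) { $lastRun = [DateTime]::FromFileTimeUtc($fileTime) }
            [PSCustomObject]@{
                Type       = $guids[$guid]
                Name       = ConvertFrom-Rot13 $name
                RunCount   = $runCount
                LastRunUtc = $lastRun
            }
        }
    }
}

# Executables run at least once, most recent first. GUID prefixes in Name are known-folder IDs,
# e.g. {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7} is System32.
Get-UserAssistEntry |
    Where-Object { $_.Type -eq 'Executable' -and $_.RunCount -gt 0 } |
    Sort-Object LastRunUtc -Descending |
    Format-Table LastRunUtc, RunCount, Name -AutoSize
```

To run this against another user's hive, load it with reg load HKU\temp <path to NTUSER.DAT> and replace HKCU: with Registry::HKEY_USERS\temp in the path.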

*** SRUM ***

SRUM (System Resource Usage Monitor) records resource use by desktop applications, services and Windows apps, including bytes sent and received per process and per network interface, in roughly hourly snapshots.

The data is stored in an Extensible Storage Engine (ESE) database, %SystemRoot%\System32\sru\SRUDB.dat, not in the registry. The key below lists the SRUM extensions (providers, identified by GUID) whose tables exist in that database, which is what you need to map table names back to data types:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SRUM\Extensions

**** Most recently used ****

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Commands typed into the Start > Run box, one value per entry; the MRUList value gives their order, newest first.

*** Jump Lists ***

The Windows 7 to 10 task bar Jump List is engineered to let users "jump" to items they have used frequently or recently.

That covers not only recent files but also recent tasks the application registers.

The data is stored in the folder

%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations

where each file is named with the AppID of the associated application, followed by the .automaticDestinations-ms extension. Items the user pinned by hand live in the sibling CustomDestinations folder.

The AutomaticDestinations Jump List files are OLE Compound Files containing multiple streams:

a) hexadecimal-numbered streams, e.g. "1a"

b) a DestList stream, which holds the MRU order, access counts and timestamps for each entry

Each hexadecimal-numbered stream contains data in the Windows Shortcut (LNK) format, so the target path, volume and timestamps can be extracted and analyzed with a LNK parser,

such as lnk-parse (https://github.com/lcorbasson/lnk-parse).

****** Prefetch ******

Windows Prefetch files (.pf) are designed to speed up application startup. Each records the executable name, how many times it has run, its last run times (the last eight on Windows 8 and later) and the files and directories it touched in the first seconds of execution. They are stored under "%windir%\Prefetch". Prefetching is off by default on Windows Server, so check EnablePrefetcher under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters before treating an empty folder as tampering.

******* BHO *******

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CLSID}

Each subkey is a CLSID. Internet Explorer and Explorer load the DLL registered for that CLSID under

HKLM\SOFTWARE\Classes\CLSID\{same CLSID}\InProcServer32

so check the DLL path there (32-bit BHOs on 64-bit Windows register under Wow6432Node).

{Link: http://www.greyhathacker.net/?cat=5&paged=3 }

***** HIDDEN FILES & EXTENSIONS *****

An extension whose file class carries a NeverShowExt value is never displayed by Explorer, even with "Hide extensions for known file types" turned off. For .pif that class is HKEY_LOCAL_MACHINE\SOFTWARE\Classes\piffile; to make the extension visible again, delete the "NeverShowExt" entry and reboot (or restart Explorer) for the change to take effect. (On my Windows 10 there were no such values.)

For example, virus.exe could be renamed to virus.txt.pif. Windows still executes a .pif file as a program.

Since it ends in a .pif extension, the extension is not shown and only virus.txt is displayed, fooling the user into taking it for a text file. .lnk and .url carry NeverShowExt by default as well.

LIST OF FILE EXTENSIONS FOR YOUR REFERENCE (per-user extension associations):

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
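As an added example (not from the original post), a scan for the double-extension trick described above: first collect every extension that Explorer hides because its class (or the extension key itself) carries NeverShowExt, then walk a directory for files whose real extension is one of those behind a visible decoy such as invoice.txt. The scan path C:\Users is a hypothetical starting point; the function names are mine.

```powershell
# Added example: enumerate hidden extensions (NeverShowExt) and find decoy double-extension files.
function Get-HiddenExtension {
    $all = Get-ChildItem 'Registry::HKEY_CLASSES_ROOT'
    $hiddenProgIds = @{}
    foreach ($k in $all) {
        # Non-extension keys are ProgIDs such as piffile; $k.Property lists the key's value names.
        if (-not $k.PSChildName.StartsWith('.') -and $k.Property -contains 'NeverShowExt') {
            $hiddenProgIds[$k.PSChildName] = $true
        }
    }
    foreach ($ext in ($all | Where-Object { $_.PSChildName.StartsWith('.') })) {
        $progId = $ext.GetValue('')   # HKCR\.pif default value -> piffile
        if (($progId -and $hiddenProgIds.ContainsKey($progId)) -or ($ext.Property -contains 'NeverShowExt')) {
            $ext.PSChildName.ToLower()
        }
    }
}

function Find-DoubleExtensionFile {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$HiddenExtension = (Get-HiddenExtension)
    )
    $lookup = @{}
    foreach ($e in $HiddenExtension) { $lookup[$e] = $true }
    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $real = $_.Extension.ToLower()
        # What the user sees (BaseName) must itself end in a plausible extension, e.g. "invoice.txt".
        if ($lookup.ContainsKey($real) -and $_.BaseName -match '\.[A-Za-z0-9]{1,5}$') {
            [PSCustomObject]@{ File = $_.FullName; ShownAs = $_.BaseName; RealExtension = $real }
        }
    }
}

# .lnk and .url are hidden by default; any other extension in this list needs an explanation.
Get-HiddenExtension
Find-DoubleExtensionFile -Path 'C:\Users' | Format-Table -AutoSize
```

Enumerating HKEY_CLASSES_ROOT takes a few seconds because it has thousands of keys; pass -HiddenExtension explicitly (for example '.pif','.lnk','.url','.scf') when you only care about a known set.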

*********SYSTEM LOGGED IN***********

HKEY_CURRENT_USER\Software\Microsoft\Windows\Winlogon\PasswordExpiryNotification

***** WMI persistence *****

HKLM\SOFTWARE\Microsoft\Wbem\CIMOM

Look for suspicious file paths (temp directories, user profiles) in the "Autorecover MOFs" value: every MOF listed there is recompiled into the WMI repository whenever it is rebuilt, so a malicious MOF (for example one that registers an event filter, consumer and binding) survives repository resets.

Windows Security Support Providers (SSP)

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages

Both are REG_MULTI_SZ lists of DLL names (without the .dll) that lsass.exe loads from System32 at boot. An added entry such as mimilib sees every credential that passes through LSA. Compare the lists against the defaults (kerberos, msv1_0, schannel, wdigest, tspkg, pku2u; on recent Windows 10 the Lsa value may be empty and only OSConfig holds the list) and verify the signature of anything else.

******* Installed folders *******

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders (directories created by Windows Installer; a record of MSI-installed software that can outlive its removal)

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store (executables the Program Compatibility Assistant has seen run under this user; another execution artifact)

HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated: when this DWORD is 1 here and in the matching HKCU key, any user can install an .msi with SYSTEM privileges, which is a straight privilege escalation.

**** DISABLES REMOTE UAC ****

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

With UAC remote restrictions enabled (the default: the value is absent or 0), a local account in the Administrators group that logs on over the network (SMB, WMI, PsExec) receives a filtered, non-elevated token, so it has no elevation potential on the remote computer and cannot run anything as administrator there. Setting LocalAccountTokenFilterPolicy to 1 removes that filtering for every local admin, which is exactly what an attacker with a recovered local admin password needs for lateral movement. The built-in Administrator (RID 500) is exempt from the restriction regardless, and domain accounts are not affected by it.
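An added example (my code, not the post's) that audits the three settings this post calls out, the RDP SecurityLayer/UserAuthentication values, AlwaysInstallElevated and LocalAccountTokenFilterPolicy, and prints the reg command that restores the safe value for each. Reading the RDP policy key as an override assumes a GPO-managed host; on an unmanaged host only the WinStations key matters. The helper and finding names are mine.

```powershell
# Added example: audit RDP security layer / NLA, AlwaysInstallElevated and remote UAC filtering.
function Get-RegDword {
    param([string]$Key, [string]$Name)
    if (-not (Test-Path $Key)) { return $null }
    return (Get-Item $Key).GetValue($Name)    # $null when the value is absent
}

function New-Finding {
    param([string]$Check, $Value, [bool]$Ok, [string]$Fix)
    $status = 'WEAK'; if ($Ok) { $status = 'OK' }
    [PSCustomObject]@{ Check = $Check; Value = $Value; Status = $status; Fix = $Fix }
}

function Test-RemoteAccessHardening {
    $rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $rdpPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $secLayer = Get-RegDword $rdpKey 'SecurityLayer'
    $nla      = Get-RegDword $rdpKey 'UserAuthentication'
    # Group Policy values, when present, override the WinStations values.
    $polSec = Get-RegDword $rdpPol 'SecurityLayer';      if ($null -ne $polSec) { $secLayer = $polSec }
    $polNla = Get-RegDword $rdpPol 'UserAuthentication'; if ($null -ne $polNla) { $nla = $polNla }

    New-Finding 'RDP SecurityLayer (0=RDP, 1=Negotiate, 2=TLS)' $secLayer ($secLayer -eq 2) `
        'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 2 /f'
    New-Finding 'RDP UserAuthentication (1=NLA required)' $nla ($nla -eq 1) `
        'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 1 /f'

    # AlwaysInstallElevated is only effective when BOTH the machine and the user value are 1.
    $aieM = Get-RegDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer' 'AlwaysInstallElevated'
    $aieU = Get-RegDword 'HKCU:\Software\Policies\Microsoft\Windows\Installer'  'AlwaysInstallElevated'
    New-Finding 'AlwaysInstallElevated (HKLM/HKCU)' "$aieM/$aieU" (-not ($aieM -eq 1 -and $aieU -eq 1)) `
        'reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer" /v AlwaysInstallElevated /f (and the same under HKCU)'

    # Absent or 0 = remote UAC restrictions on (default); 1 = local admins get full tokens over the network.
    $latfp = Get-RegDword 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'LocalAccountTokenFilterPolicy'
    New-Finding 'LocalAccountTokenFilterPolicy' $latfp ($latfp -ne 1) `
        'reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v LocalAccountTokenFilterPolicy /f'
}

Test-RemoteAccessHardening | Format-Table Check, Value, Status -AutoSize
Test-RemoteAccessHardening | Where-Object Status -eq 'WEAK' | Select-Object -ExpandProperty Fix
```

Note the asymmetry the logic encodes: for AlwaysInstallElevated a single 1 is harmless, for LocalAccountTokenFilterPolicy a single 1 is the whole problem, and for RDP an absent value means the OS default (negotiate, which still permits the legacy layer) rather than a hardened state.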

**** UWP / Universal apps persistence ****

HKCU\Software\Microsoft\Windows\CurrentVersion\PackagedAppXDebug\<PackageFullName> (the default value names a "debugger" that is started every time the packaged app launches)

HKCU\Software\Classes\ActivatableClasses\Package\<PackageFullName>\DebugInformation

List all packages with the Get-AppxPackage cmdlet:

Get-AppxPackage | fl Name,PackageFullName

https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/

***** SPOOLSV.EXE persistence *****

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors (each subkey's Driver value is a DLL that spoolsv.exe loads as SYSTEM from System32 when the spooler starts)

Active Setup:

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{GUID} (the StubPath command runs once per user at logon, as that user, whenever the HKCU copy of the key is missing or carries an older Version)

https://stackoverflow.com/questions/16221250/add-a-key-to-hkey-current-user-for-all-users

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820} (check the StubPath for rundll32 invocations)

Deleting the extension's key under HKLM\Software\Google\Chrome\Extensions stops the extension from installing automatically for users without blacklisting it completely. The ID below belongs to the Adobe Acrobat extension; the same key is also how malware force-installs a browser extension, so review every ID present and its update_url or path value:

32-bit Windows: HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkaj

64-bit Windows: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Google\Chrome\Extensions\*** (check both paths on 64-bit hosts; a 64-bit Chrome reads the non-Wow6432Node one)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wow64\x86

http://www.hexacorn.com/blog/2019/07/11/beyond-good-ol-run-key-part-108-2/

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\

Meterpreter webcam_snap: the value below records the last application that used DirectDraw, which can identify the process that grabbed the camera or screen (on 64-bit Windows also check the same path without WOW6432Node)

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\MostRecentApplication\Name

Microsoft Office 'TrustRecords' Registry Key Protection Bypass

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security\Trusted Documents\TrustRecords

Each value is a document the user clicked "Enable Editing" or "Enable Content" for; Office skips Protected View and the macro warning for it afterwards. Malware writes entries here to make its own document trusted, and the list doubles as a timeline of documents whose macros were allowed.

FIND OPENED DOCUMENTS

HKEY_USERS\S-1-5-21-7685537535-0266685168-1086028618-1001\Software\Microsoft\Office\16.0\Word\Reading Locations\ (documents opened in Word, with the position last read and a timestamp)

RDP connected IP addresses

HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default (MRU0, MRU1, ... hold the hosts the user most recently connected to with mstsc)

REG CHECK ACCESSIBILITY

reg query "HKCU\Control Panel\Accessibility" /s

(quote the path because of the space; /s recurses into the StickyKeys, ToggleKeys and similar subkeys, since /v on its own needs a value name)

A trojan can add the Registry value below to establish persistence, and the same mechanism supports lateral movement through logon scripts when the script is stored on a central server and pushed to many systems:

HKCU\Environment\UserInitMprLogonScript

userinit.exe runs whatever this value names at every logon of that user, so inspect both the value and the file it points to.
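To close, an added example (not from the original post) that sweeps the persistence locations this post lists in one pass: LSA Security Packages, print monitors, Active Setup, UserInitMprLogonScript, PackagedAppXDebug and the Chrome Extensions key. DLL names are resolved the way lsass and spoolsv resolve them (bare names from System32) and Authenticode-checked, so an unsigned or missing module stands out. Function and column names are mine; run it elevated so every loaded user hive under HKEY_USERS is readable.

```powershell
# Added example: one sweep over the registry persistence locations covered in this post.
function Resolve-SystemModule {
    param([string]$Name)
    $p = [Environment]::ExpandEnvironmentVariables($Name.Trim('"'))
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot "System32\$p" }
    if ([IO.Path]::GetExtension($p) -eq '') { $p += '.dll' }      # "kerberos" -> kerberos.dll
    $sig = 'Missing'
    if (Test-Path $p) { $sig = (Get-AuthenticodeSignature -FilePath $p).Status.ToString() }
    [PSCustomObject]@{ Path = $p; Signature = $sig }
}

function Get-RegistryPersistence {
    # LSA SSPs: every name here is loaded into lsass.exe at boot.
    foreach ($lsa in 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa', 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig') {
        foreach ($pkg in @((Get-Item $lsa).GetValue('Security Packages'))) {
            if ([string]::IsNullOrWhiteSpace($pkg)) { continue }
            $m = Resolve-SystemModule $pkg
            [PSCustomObject]@{ Source = "$lsa\Security Packages"; Item = $pkg; Target = $m.Path; Signature = $m.Signature }
        }
    }
    # Print monitors: the Driver DLL is loaded by spoolsv.exe as SYSTEM.
    foreach ($mon in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors') {
        $drv = $mon.GetValue('Driver')
        if (-not $drv) { continue }
        $m = Resolve-SystemModule $drv
        [PSCustomObject]@{ Source = 'Print\Monitors'; Item = $mon.PSChildName; Target = $m.Path; Signature = $m.Signature }
    }
    # Active Setup: StubPath runs per user at logon until the HKCU copy carries the same Version.
    foreach ($root in 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components', 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components') {
        if (-not (Test-Path $root)) { continue }
        foreach ($comp in Get-ChildItem $root) {
            $stub = $comp.GetValue('StubPath')
            if (-not $stub) { continue }
            [PSCustomObject]@{ Source = 'Active Setup'; Item = $comp.PSChildName; Target = $stub; Signature = '' }
        }
    }
    # Per-user locations: walk every loaded hive under HKEY_USERS.
    foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS' | Where-Object { $_.PSChildName -notlike '*_Classes' }) {
        $u = "Registry::HKEY_USERS\$($hive.PSChildName)"
        $envKey = Get-Item "$u\Environment" -ErrorAction SilentlyContinue
        if ($envKey) {
            $script = $envKey.GetValue('UserInitMprLogonScript')
            if ($script) { [PSCustomObject]@{ Source = 'UserInitMprLogonScript'; Item = $hive.PSChildName; Target = $script; Signature = '' } }
        }
        $dbg = "$u\Software\Microsoft\Windows\CurrentVersion\PackagedAppXDebug"
        if (Test-Path $dbg) {
            foreach ($pkg in Get-ChildItem $dbg) {
                [PSCustomObject]@{ Source = 'PackagedAppXDebug'; Item = $pkg.PSChildName; Target = $pkg.GetValue(''); Signature = '' }
            }
        }
    }
    # Chrome: extensions listed here are installed for every user on the machine.
    foreach ($root in 'HKLM:\SOFTWARE\Google\Chrome\Extensions', 'HKLM:\SOFTWARE\Wow6432Node\Google\Chrome\Extensions') {
        if (-not (Test-Path $root)) { continue }
        foreach ($ext in Get-ChildItem $root) {
            $src = $ext.GetValue('update_url'); if (-not $src) { $src = $ext.GetValue('path') }
            [PSCustomObject]@{ Source = 'Chrome\Extensions'; Item = $ext.PSChildName; Target = $src; Signature = '' }
        }
    }
}

# Modules that are not validly signed (or are missing) first, then the full inventory.
Get-RegistryPersistence | Where-Object { $_.Signature -notin 'Valid', '' } | Format-Table -AutoSize
Get-RegistryPersistence | Format-Table -AutoSize
```

Rows with an empty Signature column (Active Setup, logon scripts, AppX debuggers, extensions) carry a command line or URL rather than a module, so read the Target by eye: rundll32 with a DLL outside System32, a script on a network share, or an update_url that is not Google's store are the patterns to chase.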
