Common persistence techniques: registry lookups for blue teams.
====================
REGISTRY LOOKUPS
====================
HKEY_CURRENT_USER\Volatile Environment — User Details
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\SecurityLayer — set it to 2; 0 = disabled
DLL LOADING IN LSASS
HKEY_*\SYSTEM\CurrentControlSet\Services\NTDS\LsaDbExtPt
HKEY_*\SYSTEM\CurrentControlSet\Services\NTDS\DirectoryServiceExtPtr
SHIM CACHE:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
BAM (Background Activity Moderator), Windows 10 only
BAM is a Windows service that controls the activity of background applications.
It records the full path of each executable that was run on the system and its last execution date/time, and it is located in this registry path:
HKLM\SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}
AMCACHE:
ProgramDataUpdater (a task associated with the Application Experience Service) uses the registry hive file Amcache.hve to store data during process creation, located at:
C:\Windows\AppCompat\Programs\Amcache.hve
****REMOTE ACCESS:-*****
REMOTELY MAPPED SHARES:
NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
REMOTE DESKTOP:
NTUSER\Software\Microsoft\Terminal Server Client\Servers
********REMOTE EXECUTION*******
PsExec:
HKCU\Software\SysInternals\PsExec\EulaAccepted
A new service is created and configured under:
SYSTEM\CurrentControlSet\Services\PSEXESVC
The “-r” option allows an attacker to rename the service.
Scheduled Tasks:
Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks
Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree
Services:
SYSTEM\CurrentControlSet\Services
The following Registry keys can be used to set startup folder items for persistence:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
*****UserAssist:******
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\GUID\Count
Look mainly at two subkeys (GUIDs beginning CEBFF*** = .exe, F4E57C4B** = .lnk).
(The UserAssist key tracks the .exe files and .lnk shortcuts of programs launched via the desktop/Explorer.)
Value names are weakly obfuscated with the ROT-13 algorithm: .exe = .RKR, .lnk = .YAX
***SRUM***
SRUM is used to monitor desktop application programs, services, Windows applications and network connections.
System Resource Usage Monitor (SRUM) uses an Extensible Storage Engine (ESE) database file (EDB) to store its data.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SRUM\Extensions
****Most recently used:****
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
**Jump Lists***
The Windows 7–10 task bar (Jump List) is engineered to allow users to “jump” or access items they have frequently or recently used quickly and easily.
This covers not only recent media files but also recent tasks.
The files stored in the folder
%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
are each named with the unique AppID of the associated application.
The AutomaticDestinations Jump List files are OLE Compound Files containing multiple streams:
a) hexadecimal-numbered streams, e.g. “1a”
b) DestList
Each of the hexadecimal-numbered streams contains data similar to that of a Windows Shortcut: the data can be extracted and analyzed with a LNK parser,
such as lnk-parse (https://github.com/lcorbasson/lnk-parse).
******Prefetch******
Windows Prefetch files are designed to speed up the application startup process. The Prefetch files are stored in the path “%windir%\Prefetch”.
********BHO*******
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\(random alphanumerical value)
That alphanumerical value (a CLSID) points to the following registry key:
HKLM\SOFTWARE\Classes\CLSID\(the CLSID listed above)
Link: http://www.greyhathacker.net/?cat=5&paged=3
****HIDDEN FILES & EXTENSIONS*****
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\piffile — delete the “NeverShowExt” entry. Once it is deleted, the system needs to be rebooted for the change to take effect. (On my Win10, no params.)
For example, virus.exe could be renamed to virus.txt.pif.
Since it ends in a PIF extension, it will not be visible to the user and only virus.txt will be displayed, fooling the user into taking it for a text file.
LIST OF FILE EXTENSIONS (FOR YOUR REFERENCE):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
*********SYSTEM LOGGED IN***********
HKEY_CURRENT_USER\Software\Microsoft\Windows\Winlogon\PasswordExpiryNotification
*****WMI Malicious***
HKLM\SOFTWARE\Microsoft\Wbem\CIMOM
Look for suspicious files (such as temp files) listed in the "Autorecover MOFs" data.
Windows Security Support Provider (SSP)
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages
*******Installed Folders*********
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
***HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store****
HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
****DISABLES REMOTE UAC****
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
If UAC remote restrictions are enabled, they prevent local malicious software from being executed remotely over a network logon, even when using an account with administrative rights. The user essentially has no elevation potential on the remote computer when UAC remote restrictions are active.
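An added Python audit (not from the original page) that parses a constructed .reg export and flags the weak settings discussed above: LocalAccountTokenFilterPolicy = 1 (remote UAC restrictions disabled), AlwaysInstallElevated = 1, and an RDP SecurityLayer other than 2. The sample export and the expected values are assumptions written into the code.

```python
# Constructed .reg export excerpt (not taken from a real host) covering keys listed on this page.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"LocalAccountTokenFilterPolicy"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer]
"AlwaysInstallElevated"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"SecurityLayer"=dword:00000000
"""

# (key, value name, expected DWORD, finding text); the expectations are this example's assumptions.
CHECKS = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "LocalAccountTokenFilterPolicy", 0, "UAC remote restrictions disabled for local accounts"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer",
     "AlwaysInstallElevated", 0, "AlwaysInstallElevated set: MSI packages install with elevated rights"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp",
     "SecurityLayer", 2, "RDP SecurityLayer is not 2 (TLS not required)"),
]

def parse_reg_export(text):
    """Parse .reg text into {key: {value_name: (type, data)}}; '@' is the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, val = line.partition("=")
            name = name.strip('"')
            if val.startswith("dword:"):
                keys[current][name] = ("REG_DWORD", int(val[6:], 16))
            elif val.startswith('"'):
                keys[current][name] = ("REG_SZ", val.strip('"'))
            else:  # hex(...) and other encodings are kept raw in this example
                keys[current][name] = ("RAW", val)
    return keys

def audit(keys):
    """Return (key, value, actual, finding) for every checked value that deviates from expected."""
    findings = []
    for key, name, expected, text in CHECKS:
        entry = keys.get(key, {}).get(name)
        if entry is not None and entry[1] != expected:
            findings.append((key, name, entry[1], text))
    return findings
```

Feed it the output of `reg export` for the three keys to check a real host; a value that is absent from the export is not reported, so confirm the key was actually exported.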
****UWP & Universal apps Persistence***
HKCU\Software\Microsoft\Windows\CurrentVersion\PackagedAppXDebug
HKCU\Software\Classes\ActivatableClasses\Package\<PackageName>\DebugInformation
List all packages with the Get-AppxPackage cmdlet:
Get-AppxPackage | fl name,packagefullname
https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/
*****SPOOLSV.EXE PERSISTENCE***
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\%package name%
https://stackoverflow.com/questions/16221250/add-a-key-to-hkey-current-user-for-all-users
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820} (CHECK RUNDLL)
To stop a Chrome extension from installing automatically for users without blacklisting it completely, check its entry under:
32-bit Windows: HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkaj
64-bit Windows: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Google\Chrome\Extensions\***
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wow64\x86
http://www.hexacorn.com/blog/2019/07/11/beyond-good-ol-run-key-part-108-2/
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Meterpreter webcam_snap — you can find which application last used DirectDraw here:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\MostRecentApplication\Name
Microsoft Office ‘TrustRecords’ Registry Key Protection Bypass
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security\Trusted Documents\TrustRecords
FIND OPENED DOCUMENTS
HKEY_USERS\S-1-5-21-7685537535-0266685168-1086028618-1001\Software\Microsoft\Office\16.0\Word\Reading Locations\
RDP connected IP address
HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default
REG CHECK ACCESSIBILITY
HKEY_CURRENT_USER\Control Panel\Accessibility /V
A trojan can add this registry key to establish persistence — Lateral Movement — LOGON SCRIPTS
This also enables lateral movement if the script is stored on a central server and pushed to many systems.
HKCU\Environment\UserInitMprLogonScript