Registry
Windows Registry Keys for Persistence
The Windows Registry is a critical database in Windows operating systems, storing configurations and options for the system. Among its many uses, it is a common target for malware and attackers seeking to maintain persistence on a compromised system. By inserting or modifying keys, malicious software can ensure it is executed at system startup or user logon, often without detection.
Key Insights:
Run and RunOnce Keys:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
These keys are used by legitimate software and by malware alike to start programs at boot (HKLM) or at the logon of the user whose hive holds the entry (HKCU). Run entries execute at every start; RunOnce entries are deleted once they have run, which suits droppers that only need a single execution after a reboot. On 64-bit systems the HKLM keys also have a Wow6432Node mirror that is processed in the same way. Malware often adds entries here to maintain persistence.
Shell Folders and UserInit Key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
The Startup value under User Shell Folders tells Explorer where the user's Startup folder is; redirecting it to an attacker-controlled directory makes Explorer launch whatever that directory contains at logon. Userinit is a value under the Winlogon key listing the programs winlogon.exe runs at logon; on a standard system it reads C:\Windows\system32\userinit.exe, and appending a second comma-separated path runs that program alongside the legitimate one. Both leverage the normal logon sequence to achieve persistence.
Services and Drivers:
HKLM\SYSTEM\CurrentControlSet\Services
Each subkey is one service or driver: its ImagePath value names the binary that is launched (loaded into the kernel for drivers) and its Start value controls whether it starts at boot. Malware can register a new service or repoint an existing one, either by changing ImagePath or, for svchost-hosted services, the ServiceDll value under the service's Parameters subkey, so that malicious code runs as part of the service's startup routine.
Logon Scripts:
HKCU\Environment\UserInitMprLogonScript
The UserInitMprLogonScript value in the user's Environment key names a script or program that userinit.exe runs during logon. It is a less common but real vector for persistence, and because it lives among ordinary environment variables it is easy to overlook.
Office Add-ins:
Varies by Office application, e.g.,
HKCU\Software\Microsoft\Office\[Office Version]\Word\Addins
Each add-in is a subkey under the application's Addins key; its LoadBehavior value controls whether the add-in loads automatically (a value of 3 means load at startup). A malicious add-in registered here is loaded every time the Office application starts.
Winlogon Shell:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
This value under the Winlogon key names the program started as the user's shell after logon; on a standard system it is explorer.exe. A per-user value at HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell is honored as well. Modifications here can indicate malware attempting to run alongside, or in place of, the Windows shell.
Image File Execution Options (IFEO):
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Intended for developers to attach a debugger or alter executable behaviour, IFEO is keyed by image name: if a subkey named after an executable carries a Debugger value, Windows launches that Debugger program (with the original image path as its argument) whenever the named executable is started. Malware exploits this to hijack legitimate processes.
AppInit_DLLs:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
Lists DLLs that are loaded into every process that loads User32.dll, provided the sibling LoadAppInit_DLLs value is 1. Malware can use this for process injection, gaining persistence and a foothold in privileged processes. Caveat: on Windows 8 and later with Secure Boot enabled the AppInit_DLLs mechanism is disabled entirely, so a populated value on such a system is suspicious but not itself proof of execution.
Scheduled Tasks:
Managed through Task Scheduler and recorded in the registry under
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree
The Tree key mirrors the task folder hierarchy; each task key's Id value names a matching key under ...\Schedule\TaskCache\Tasks\{GUID} that holds the task's path and actions. Malware can use scheduled tasks to execute at predetermined times or in response to events (logon, idle, boot), providing a reliable persistence method.
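The following script is an added example for this page, not code from the original article: it enumerates every location listed above into one flat table of Location, Name and Value so the entries can be triaged together. It assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session on the host being examined, and it maps an HKU: drive so that every loaded user hive is covered, not only the HKCU of the account running the script.

```powershell
# Added example (not code from the original page): enumerate the registry
# persistence locations listed above into one flat table for triage.
# Assumptions: elevated Windows PowerShell 5.1 or PowerShell 7 on the host
# being examined. An HKU: drive is created so every *loaded* user hive is
# covered, not only the HKCU of the account running the script.
$ErrorActionPreference = 'SilentlyContinue'
if (-not (Get-PSDrive -Name HKU)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# Note properties the registry provider adds to every Get-ItemProperty result.
$ProviderNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Emit one object per value under $Key (all values, or only those named in $Names).
function Get-AutostartValue {
    param([string]$Key, [string[]]$Names)
    if (-not (Test-Path -LiteralPath $Key)) { return }
    (Get-ItemProperty -LiteralPath $Key).PSObject.Properties |
      Where-Object { $_.Name -notin $ProviderNoise -and (-not $Names -or $Names -contains $_.Name) } |
      ForEach-Object { [pscustomobject]@{ Location = $Key; Name = $_.Name; Value = [string]$_.Value } }
}

# Turn a RegistryKey.Name ("HKEY_LOCAL_MACHINE\...") into a provider path ("HKLM:\...").
function ConvertTo-PSRegPath([string]$Name) {
    $Name -replace '^HKEY_LOCAL_MACHINE', 'HKLM:' -replace '^HKEY_USERS', 'HKU:'
}

function Get-RegistryPersistence {
    $cv = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'
    $nt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    Get-AutostartValue "$cv\Run"
    Get-AutostartValue "$cv\RunOnce"
    Get-AutostartValue "$nt\Winlogon" 'Shell', 'Userinit'
    Get-AutostartValue "$nt\Windows"  'AppInit_DLLs', 'LoadAppInit_DLLs'

    # IFEO: one subkey per target image; a Debugger value redirects its launch.
    Get-ChildItem -LiteralPath "$nt\Image File Execution Options" |
      ForEach-Object { Get-AutostartValue (ConvertTo-PSRegPath $_.Name) 'Debugger' }

    # Services and drivers: the ImagePath of each entry is what actually runs.
    Get-ChildItem -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Services' |
      ForEach-Object { Get-AutostartValue (ConvertTo-PSRegPath $_.Name) 'ImagePath' }

    # Scheduled tasks: a Tree key whose Id has a matching Tasks\{GUID} key is a task.
    Get-ChildItem -LiteralPath "$nt\Schedule\TaskCache\Tree" -Recurse |
      Where-Object { $_.GetValue('Id') -and (Test-Path -LiteralPath "$nt\Schedule\TaskCache\Tasks\$($_.GetValue('Id'))") } |
      ForEach-Object {
          [pscustomobject]@{ Location = "$nt\Schedule\TaskCache\Tree"
                             Name     = $_.Name.Substring($_.Name.IndexOf('\Tree\') + 6)
                             Value    = [string]$_.GetValue('Id') }
      }

    # Per-user locations, for every loaded profile hive (the *_Classes hives are skipped).
    Get-ChildItem -LiteralPath 'HKU:\' |
      Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' } |
      ForEach-Object {
          $u = "HKU:\$($_.PSChildName)"
          Get-AutostartValue "$u\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
          Get-AutostartValue "$u\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
          Get-AutostartValue "$u\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" 'Startup'
          Get-AutostartValue "$u\Environment" 'UserInitMprLogonScript'
          # Office add-ins: <app>\Addins\<addin> under a versioned or unversioned Office key.
          Get-Item -Path "$u\SOFTWARE\Microsoft\Office\*\Addins\*", "$u\SOFTWARE\Microsoft\Office\*\*\Addins\*" |
            ForEach-Object { Get-AutostartValue (ConvertTo-PSRegPath $_.Name) 'FriendlyName', 'LoadBehavior' }
      }
}

Get-RegistryPersistence | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt; the Services section alone produces several hundred rows, so in practice pipe the output to Export-Csv and diff it against a baseline taken from a known-clean build of the same image. Hives of users who are not logged on are not loaded under HKEY_USERS and have to be examined from their NTUSER.DAT files (see the tools section below).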
Quick Dive
Run and RunOnce Keys:
Malicious entries in these keys typically stand out by where they point: executables in user-writable locations (AppData, Temp, ProgramData, Public), script interpreters or living-off-the-land binaries such as powershell.exe, mshta.exe, rundll32.exe or regsvr32.exe with long or encoded arguments, and files whose names mimic Windows components but live outside System32. Resolving each path and analysing the executable it points to, including its signature and hash, reveals unauthorized persistence mechanisms.
Shell Folders and UserInit Key:
Changes to these values that do not align with known software installations or system configurations can indicate tampering for persistence: a Startup folder redirected away from the profile's default AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup, or a Userinit value that lists anything beyond C:\Windows\system32\userinit.exe, warrants further investigation.
Services and Drivers:
Entries for non-standard services or drivers, especially those with obfuscated or unusual names, paths, and descriptions, can be a sign of malware. Analyzing service configuration, including executable paths and parameters, is crucial for identifying persistence.
Logon Scripts:
The UserInitMprLogonScript value is rarely set by legitimate software, which makes any entry particularly suspicious. Monitoring for unexpected scripts set to execute at logon can uncover hidden persistence mechanisms.
Office Add-ins:
Given the widespread use of Office applications, malicious add-ins represent a stealthy persistence tactic. Analysts should scrutinize unfamiliar add-in entries, particularly in environments where Office applications are frequently used.
Winlogon Shell:
Any deviation from the default explorer.exe in this value is highly suspect and warrants immediate investigation. Because Shell accepts a comma-separated list, a common tactic is to keep explorer.exe and append a second program so the desktop still looks normal; such changes may indicate an attempt to establish persistence or control over the user's session.
Image File Execution Options (IFEO):
Malware leveraging IFEO for persistence can significantly alter the behavior of legitimate applications. Identifying unexpected debugger entries linked to executables can help in detecting and mitigating such threats.
AppInit_DLLs:
Given its capability to inject code into a wide array of processes, entries in this key should be carefully validated. Unauthorized DLLs listed here can be indicative of malware seeking to maintain a presence or escalate privileges.
Scheduled Tasks:
Though not exclusively a registry-based mechanism, scheduled tasks are often used for legitimate purposes, making the detection of malicious tasks challenging. Analyzing task configurations and triggers can reveal abuse of this feature for persistence.
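The script below is an added example, not code from the original page, that turns the Quick Dive heuristics above into a triage function. It accepts entries shaped as Location / Name / Value objects (the shape a registry enumeration naturally produces), flags deviations from the Winlogon defaults, populated Debugger and AppInit_DLLs values, images under user-writable directories, interpreter and LOLBin usage, and then checks the Authenticode signature of the referenced file. It assumes a Windows host; the $sample entries at the bottom are constructed for illustration and were not taken from a real system.

```powershell
# Added example (not code from the original page): apply the Quick Dive
# heuristics to autostart entries shaped as Location / Name / Value objects.
# Assumptions: a Windows host, so Get-AuthenticodeSignature can examine the
# referenced binaries; the $sample entries at the bottom are constructed
# for illustration and were not taken from a real system.

# Expected defaults for the two Winlogon values on a standard Windows install.
$KnownGood = @{
    'Shell'    = 'explorer.exe'
    'Userinit' = 'C:\Windows\system32\userinit.exe,'
}
# Directories an unprivileged user can write to: normal for per-user apps,
# unusual for anything machine-wide, and the usual home of droppers.
$UserWritable = '\AppData\', '\Temp\', '\Users\Public\', '\ProgramData\', '\Downloads\'
# Interpreters and LOLBins that turn a registry value into arbitrary code.
$Interpreters = 'powershell', 'pwsh', 'wscript', 'cscript', 'mshta', 'rundll32', 'regsvr32', 'cmd.exe'

# Extract the executable from a command line, e.g.
#   "C:\Program Files\App\app.exe" --tray    ->  C:\Program Files\App\app.exe
#   C:\Windows\system32\userinit.exe,        ->  C:\Windows\system32\userinit.exe
function Get-ImageFromCommand([string]$Command) {
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c -match '^"([^"]+)"') { return $Matches[1] }
    if ($c -match '^([^\s,]+\.(exe|dll|cmd|bat|vbs|js|ps1|scr))') { return $Matches[1] }
    return ($c -split '[\s,]')[0]
}

function Test-AutostartEntry {
    param([Parameter(ValueFromPipeline = $true)] $Entry)
    process {
        $flags = @()
        $image = ''
        $name  = $Entry.Name
        $value = [string]$Entry.Value

        if ($KnownGood.ContainsKey($name) -and $value -ne $KnownGood[$name]) {
            $flags += "Winlogon $name differs from default '$($KnownGood[$name])'"
        }
        if ($name -eq 'Debugger' -and $value)     { $flags += 'IFEO Debugger set: launches of this image are redirected' }
        if ($name -eq 'AppInit_DLLs' -and $value) { $flags += 'AppInit_DLLs populated: DLL loads into every user32 process' }
        if ($name -eq 'UserInitMprLogonScript')   { $flags += 'logon script via Environment key (rarely legitimate)' }

        # Only values that look like a command line get the file-level checks;
        # task GUIDs, LoadBehavior numbers and friendly names are reported as-is.
        if ($value -match '\\|\.(exe|dll|cmd|bat|vbs|js|ps1|scr)') {
            $image = Get-ImageFromCommand $value
            if (-not [IO.Path]::IsPathRooted($image)) {          # bare names resolve via PATH
                $cmd = Get-Command $image -ErrorAction SilentlyContinue
                if ($cmd) { $image = $cmd.Source }
            }
            foreach ($d in $UserWritable) { if ($image -like "*$d*") { $flags += "image under user-writable path $d"; break } }
            foreach ($i in $Interpreters) { if ($image -like "*$i*") { $flags += "interpreter/LOLBin $i: inspect arguments"; break } }
            if (Test-Path -LiteralPath $image) {
                $sig = Get-AuthenticodeSignature -FilePath $image
                if ($sig.Status -ne 'Valid') { $flags += "Authenticode status $($sig.Status)" }
            } else {
                $flags += 'image not found on disk (dead entry or hidden payload)'
            }
        }
        [pscustomobject]@{ Location = $Entry.Location; Name = $name; Image = $image; Flags = ($flags -join '; ') }
    }
}

# Constructed sample entries (not from a real host); paths and names are illustrative.
$sample = @(
    [pscustomobject]@{ Location = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'SecurityHealth'; Value = '%windir%\system32\SecurityHealthSystray.exe' }
    [pscustomobject]@{ Location = 'HKU:\S-1-5-21-1-2-3-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'Updater'; Value = '"C:\Users\alice\AppData\Roaming\svchost.exe" -s' }
    [pscustomobject]@{ Location = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell'; Value = 'explorer.exe,C:\ProgramData\ui.exe' }
    [pscustomobject]@{ Location = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe'; Name = 'Debugger'; Value = 'C:\Users\Public\dbg.exe' }
    [pscustomobject]@{ Location = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'; Name = 'AppInit_DLLs'; Value = '' }
)
$sample | Test-AutostartEntry | Format-Table -AutoSize -Wrap
```

Treat the Flags column as a prioritisation aid, not a verdict: many Windows binaries are catalog-signed rather than carrying an embedded signature, so on older builds Get-AuthenticodeSignature can report NotSigned for a legitimate file, and a valid signature on a binary in AppData proves only that the file is signed, not that its presence in a Run key is expected. Confirm by hashing the file and comparing it against the vendor's or a known-clean system's copy.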
Analyzing The Artifact
Identifying Unauthorized Entries: Use Registry Editor (regedit) or command-line tools (reg query, or Get-ItemProperty in PowerShell) to inspect the keys above for entries that do not correspond to known, legitimate applications or system processes.
Analyzing Executable Paths: For any suspicious entry, locate the executable path and analyze the file. This can involve checking digital signatures, file properties and hashes, and running malware scans.
Cross-Referencing with Logs: System and application logs can provide context for when and by whom a registry entry was created or modified, offering insights into potentially malicious activity.
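As an added example, not code from the original page, the function below answers the "when and by whom" question for the third step above. It assumes Sysmon is installed with RegistryEvent enabled in its configuration (Event IDs 12 key create/delete, 13 value set, 14 key/value rename); the list of watched key fragments is an assumption matching the locations discussed on this page. Without Sysmon, the equivalent data comes from Security event 4657, which requires the Audit Registry object-access policy and a SACL on the keys of interest.

```powershell
# Added example (not code from the original page): pull the Sysmon registry
# events that record when, and by which process and user, an autostart
# location was written. Assumption: Sysmon is installed with RegistryEvent
# (Event IDs 12-14) enabled; the $watched fragments are this page's locations.
function Get-AutostartRegistryEvent {
    param([int]$Days = 7)
    $watched = 'CurrentVersion\Run', 'CurrentVersion\RunOnce', 'Winlogon\Shell', 'Winlogon\Userinit',
               'Image File Execution Options', 'AppInit_DLLs', 'UserInitMprLogonScript',
               'User Shell Folders', 'CurrentControlSet\Services', 'TaskCache\Tree', '\Addins\'
    $filter = @{ LogName   = 'Microsoft-Windows-Sysmon/Operational'
                 Id        = 12, 13, 14
                 StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # EventData is a list of <Data Name="...">value</Data>; turn it into a hashtable.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $hit = $watched | Where-Object { $d.TargetObject -like "*$_*" } | Select-Object -First 1
        if ($hit) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id          # 12 key create/delete, 13 value set, 14 rename
                Type    = $d.EventType
                User    = $d.User        # present in recent Sysmon versions
                Process = "$($d.Image) (PID $($d.ProcessId))"
                Target  = $d.TargetObject
                Details = $d.Details     # the new data written, for EventID 13
            }
        }
    }
}

Get-AutostartRegistryEvent -Days 7 | Sort-Object Time | Format-Table -AutoSize -Wrap
```

The Process column is the pivot: a Run value written by msiexec.exe during a known installation window is expected, the same value written by winword.exe, powershell.exe or an unsigned binary in a user profile is not. Sysmon abbreviates hives in TargetObject (HKLM\..., HKU\<SID>\...), so the fragments are matched as substrings rather than full paths.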
Tools for Analysis
RegRipper: A plugin-driven tool for extracting and analyzing information from offline registry hive files (SYSTEM, SOFTWARE, NTUSER.DAT and so on), especially useful for forensic investigations and for examining hives of users who are not logged on.
Autoruns: Part of the Sysinternals Suite, it provides a comprehensive overview of all startup items, including those configured via the Registry. Its Verify Code Signatures and Hide Microsoft Entries options narrow the list to the unexpected, and the command-line autorunsc.exe produces the same data for scripting; both can be pointed at an offline system's hives.
Process Explorer and Process Monitor: Also from Sysinternals, these tools can be used to monitor system activity, including processes started at boot or logon, which may be initiated by Registry entries.