Once executed on target system, a malware try to hide itself and achieving persistence on the exploited machine, in order to continue to act even after system reboot.

Today let’s try to focus on Windows systems, which have a lot of areas through which the persistence can be achieved.


The Windows Registry


https://xkcd.com/694/

Run/RunOnce Keys

As I stated above windows has a lot of AutoStart Extension Points(ASEP). When it comes to malware, most of them would like to achieve persistence by editing the below registry keys at User Level:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

If the malware gains admin privileges, it can edit some keys at admin/system level privileges:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

Update 2019/03/25

Jerry Cooke, in the comments, correctly suggest another location:

HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce

As other locations where malware might persistently start from.
I spent ages looking for where malware was starting from when doing a training course for incident response before realising that location existed for 64-bit apps.

Thanks, Jerry!

BootExecute Key

Since smss.exe launches before windows subsystem loads, it calls configuration subsystem to load the hive present at

HKLM\SYSTEM\CurrentControlSet\Control\hivelist

Also smss.exe will launch anything present in the BootExecute key at

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session Manager

It should always have the value of autocheck autochk*. If there are more values in it, then probably the malware is likely to launch at boot.

Userinit Key

Winlogon process uses the value specified in the Userinit key to launch login scripts etc.
This key is location at

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Usually, userinit key points to userinit.exe but if this key can be altered, then that exe will also launch by Winlogon.

Notify

Since Winlogon handles Secure Attention Sequence (SAS) (Ctrl+Alt+Del), notify subkeys found at

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

are used to notify event handles when SAS happens and loads a DLL. This DLL can be edited to launch whenever such SAS event occurs.

Explorer.exe

Pointed by key located at

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

this key points to explorer.exe and should only be string explorer.exe rather than complete path as it is supposed to launch from windows.

The boot key at

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\boot

points to the location under Winlogon only.

Startup Keys

Placing a malicious file under the startup directory is often used by malware authors.
Any shortcut created to the location pointed by subkey Startup will launch the service during logon/reboot.
Start up location is specified both at Local Machine and Current User.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Services

Many windows services are required to run at boot like Workstation/server services, Windows Event Log, and other Win drivers. These are located at

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services

Along with placing a malicious file in the above-listed registry key, there is another way to load malicious files. Malicious files can be loaded if a service fails to start.

There are some other keys which are used to start background services like remote registry service. These are located at:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Services\Once

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Services

Browser Helper Objects

It is essentially a DLL module loaded when Internet Explorer starts up. Various data theft types malware affect Browser Helper Objects.
They are located at

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

There are various subkeys under BHO which tell the browser to load which DLLs.

AppInit_DLLs

Key located at

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

will show the DLLs loaded by the User32.dll.

As most executables load User32.dll, this is a good place for malicious DLLs to reside.

File Association

There are various keys which are used to specify the action when a certain type of files are open, located at

HKEY_LOCAL_MACHINE\Software\Classes

HKEY_CLASSES_ROOT


DLL Search Order Hijacking

Another common method used by malware is to hijack a concept about how the OS loads DLLs. Whenever an exe loads (even explorer.exe), it follows a certain path search to load the required DLLs.

Because DLLs are loaded in the order the directories are parsed, it is possible to add a malicious DLL with the same name in a directory earlier than the directory where the legit DLL resides.

If Safe DLL search mode is enabled (which is by default on most versions) then OS will check whether the DLL is already loaded in memory or is it a part of Known DLLs registry key located at

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs.

If OS cannot find the DLL at either of these, then DLL search starts in the following order

  • Directory from where application was launched
  • System Directory(WindowsSystem32)
  • Windows Directory
  • Current Working Directory
  • Directories defined in the PATH variable.

So a malware can easily place a malicious DLL in the search order.
More information can be found here

https://msdn.microsoft.com/en-us/library/windows/desktop/ms682586(v=vs.85).aspx


Shortcut Hijacking

Simple but very effective technique: hijack the shortcut icons Target attribute. Along with a normal application to be launched, shortcut icon can be forced to download content from an evil site.

Note that there are various other methods like infecting MBR, COM object hijack, etc. are also by malware, but above are some of the common method used by malware to achieve persistence.


Bootkit

A bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR).

Malicious programs may use bootkits to persist on systems at a layer below the operating system, which may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.

Master Boot Record

The MBR is the section of disk that is first loaded after completing hardware initialization by the BIOS. It is the location of the boot loader. An adversary who has raw access to the boot drive may overwrite this area, diverting execution during startup from the normal boot loader to adversary code.

Volume Boot Record

The MBR passes control of the boot process to the VBR. Similar to the case of MBR, an adversary who has raw access to the boot drive may overwrite the VBR to divert execution during startup to adversary code.


COM Hijacking

The Microsoft Component Object Model (COM) is a system within Windows to enable interaction between software components through the operating system.

Malware can use this system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence.

Hijacking a COM object requires a change in the Windows Registry to replace a reference to a legitimate system component which may cause that component to not work when executed.

When that system component is executed through normal system operation the adversary’s code will be executed instead.