TTPs

Cards (6)

  • Malware Persistence
    • Malware persistence refers to the strategies and techniques employed by malicious software to maintain its presence on an infected system, even after events such as system reboots.
    • This capability ensures that the malware can continue to operate and execute its payload over time, allowing attackers to maintain control and further exploit the compromised system.
  • Malware Persistence: Common Persistence Techniques
    • Modifying the Boot Sector: Altering the Master Boot Record (MBR) or other boot sectors to load malware during the system startup process.
    • Installing Malicious Configurations: Changing system settings or configurations to ensure malware execution at boot or logon.
    • Hijacking Execution Flow: Injecting or altering code in legitimate processes to run malicious code.
  • Malware Persistence: Windows Registry Run Keys
    • These keys are part of the Windows Registry, a hierarchical database that stores low-level settings for the operating system and applications. The Run keys are designed to execute the specified programs automatically when a user logs on to the system, which makes them one of the simplest and most commonly abused persistence locations.
  • Malware Persistence: Windows Registry Run Keys
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run - Runs the command when the current user logs on (writable without administrator rights)
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run - Runs the command when any user logs on (requires administrator rights to write)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce - Runs the command when the current user logs on; by default the value is deleted before the command runs (prefixing the value name with "!" defers deletion until after it completes)
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce - Runs the command when any user logs on, then deletes the value in the same way
  • Malware Persistence: Windows Registry Run Keys
    • The misuse of Run keys for persistence can have significant security implications. Detecting unauthorized entries in these keys is crucial for identifying and mitigating malware infections.
    • Security professionals often monitor these keys as part of incident response and system hardening processes to ensure that only legitimate applications are allowed to persist through system reboots.
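    • The following PowerShell script is an added example that is not part of the original card set. It enumerates the four Run/RunOnce keys listed above and flags entries that a responder would want to look at first. The heuristics (image launched from a user-writable directory, image file missing, unquoted path containing spaces, script or proxy-execution host such as rundll32.exe, Authenticode signature not valid) are assumptions chosen for illustration, not a complete detection rule set; the $UserWritable list is likewise an assumption.

```powershell
# Added example: triage the Run/RunOnce keys for suspicious persistence entries.
# Runs on Windows PowerShell 5.1 or PowerShell 7 on Windows; no extra modules needed.

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Directories a standard user can write to (assumption: typical default layout).
$UserWritable = @(
    $env:TEMP, $env:APPDATA, $env:LOCALAPPDATA,
    (Join-Path $env:USERPROFILE 'Downloads'), 'C:\Users\Public', $env:ProgramData
)

# Binaries that execute other code; a Run entry pointing at one deserves a closer look.
$ProxyHosts = @('rundll32.exe','regsvr32.exe','mshta.exe','wscript.exe',
                'cscript.exe','powershell.exe','pwsh.exe','cmd.exe')

function Get-ImagePath {
    # Extract the executable path from a Run value's command line.
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    # Unquoted: grow the candidate token by token until it looks like an executable
    # or exists on disk, so unquoted paths with spaces are still resolved.
    $tokens = $cmd -split ' '
    for ($i = 0; $i -lt $tokens.Count; $i++) {
        $candidate = $tokens[0..$i] -join ' '
        if ($candidate -match '\.(exe|dll|cmd|bat|vbs|js|ps1|scr|com)$' -or
            (Test-Path -LiteralPath $candidate -PathType Leaf)) { return $candidate }
    }
    return $tokens[0]
}

function Get-RunKeyFindings {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $command = [string]$item.GetValue($name)
            if ([string]::IsNullOrWhiteSpace($command)) { continue }
            $image   = Get-ImagePath -Command $command
            $reasons = @()

            if ($image -match ' ' -and -not $command.Trim().StartsWith('"')) {
                $reasons += 'unquoted path containing spaces'
            }
            if ($ProxyHosts -contains ([IO.Path]::GetFileName($image).ToLower())) {
                $reasons += 'script/proxy-execution host'
            }
            if (-not (Test-Path -LiteralPath $image -PathType Leaf)) {
                $reasons += 'image file not found'
            } else {
                foreach ($dir in $UserWritable) {
                    if ($dir -and $image -like "$dir\*") {
                        $reasons += "runs from user-writable directory ($dir)"; break
                    }
                }
                # Get-AuthenticodeSignature reports Valid only for a trusted, intact signature.
                $sig = Get-AuthenticodeSignature -FilePath $image
                if ($sig.Status -ne 'Valid') { $reasons += "signature status: $($sig.Status)" }
            }

            [PSCustomObject]@{
                Key        = $key
                Name       = $name
                Command    = $command
                Image      = $image
                Suspicious = ($reasons.Count -gt 0)
                Reasons    = ($reasons -join '; ')
            }
        }
    }
}

# Usage: show only the entries that tripped at least one heuristic.
Get-RunKeyFindings | Where-Object Suspicious | Format-Table Key, Name, Image, Reasons -AutoSize -Wrap
```

    • Two caveats when using this in practice: on 64-bit Windows, 32-bit programs register under the parallel Wow6432Node\...\Run keys, which this script does not read, and HKCU only covers the user running the script; for a full host review, load each user's NTUSER.DAT hive or use Autoruns, which handles both.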
  • Malware Persistence: AutoRuns Powershell Module
    • A widely used Microsoft Sysinternals tool called Autoruns (with a command-line version, autorunsc.exe) checks the known locations where a program can be configured to run automatically at start-up or at user logon, covering not only the Run keys above but also services, drivers, scheduled tasks, and other auto-start extensibility points, and can verify the digital signature of each configured image.
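    • The following PowerShell function is an added example, not part of the original cards or of the Autoruns tool itself. It runs autorunsc.exe, captures its CSV output to a file, and lists every entry whose image does not carry a verified signature. Assumptions: autorunsc.exe is on PATH (or passed via -AutorunscPath), the CSV columns are named "Entry Location", "Entry", "Signer", and "Image Path" as emitted by the -c switch, and the Signer field starts with "(Verified)" for a signature that checked out.

```powershell
# Added example: run Sysinternals autorunsc.exe and report entries without a verified signature.
function Invoke-AutorunsScan {
    param(
        [string]$AutorunscPath = 'autorunsc.exe',
        [string]$CsvPath       = (Join-Path $env:TEMP 'autoruns.csv')
    )
    # -accepteula suppresses the licence prompt; -a * selects every entry category;
    # -c prints CSV; -s verifies digital signatures; -nobanner drops the header text.
    # Redirect inside cmd.exe so the tool's raw output bytes reach the file unchanged
    # (PowerShell's own redirection would re-encode them).
    $cmdLine = "`"$AutorunscPath`" -accepteula -a * -c -s -nobanner > `"$CsvPath`""
    & cmd.exe /c $cmdLine
    if (-not (Test-Path -LiteralPath $CsvPath)) { throw "autorunsc produced no output at $CsvPath" }

    # Pick the text encoding from the byte-order mark (assumption: UTF-16 LE when a BOM
    # is present, otherwise UTF-8) so the CSV parses on either encoding.
    $bytes = [System.IO.File]::ReadAllBytes($CsvPath)
    $enc = if ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) { 'Unicode' } else { 'UTF8' }
    $rows = Import-Csv -LiteralPath $CsvPath -Encoding $enc

    foreach ($row in $rows) {
        # Verified signers are reported as "(Verified) <publisher>"; anything else
        # (unsigned, "(Not verified)", or blank) is worth a second look.
        if ($row.Signer -like '(Verified)*') { continue }
        [PSCustomObject]@{
            Location = $row.'Entry Location'
            Entry    = $row.Entry
            Image    = $row.'Image Path'
            Signer   = $row.Signer
        }
    }
}

# Usage: review unverified auto-start entries; run elevated so HKLM, services and
# drivers are fully readable.
Invoke-AutorunsScan | Sort-Object Location | Format-Table -AutoSize -Wrap
```

    • An unsigned entry is not proof of malware (plenty of legitimate in-house and open-source software ships unsigned), but comparing this list against a known-good baseline from a clean build of the same image is a quick way to spot what an attacker added.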