[QUESTION] What are the different ways malware becomes persistent for Windows?
#1
Hello! So I've been studying persistence in malware. I've realized there are different methods of persistence as well. I've seen a couple of examples with editing the Windows registry; but those all look really easy to detect (anyone can look and see if some random program they downloaded and executed edited their registry). I'm curious if there are other ways to achieve malware persistence that would be less obvious to a user?
#2
(02-07-2021, 05:13 AM)ueax Wrote: I'm curious if there are other ways to achieving malware persistency that would be less obvious to a user?

I'm not clear if you're asking for less obvious persistency specifically involving the registry? or just malware persistency in general. Cause I'd assume if you've been studying about malware persistency you've come across other methods that might not be as obvious (imo)

But if your question is about the registry specifically, then you haven't really explained which methods you think are super obvious, so not sure I can really make any other suggestions. That said if any kind of registry auditing is enabled/available, then pretty much any registry change will be super obvious.
#3
Are you referring to keeping the process alive or having it start with the machine?
#4
(02-07-2021, 08:30 PM)Golgotha Wrote: Are you referring to keeping the process alive or having it start with the machine?
I was referring to some payload running on startup of a machine, however I'm also open to answers on other topics as well. Any knowledge willing to be shared will be awesome!
#5
(02-07-2021, 10:23 PM)ueax Wrote:
(02-07-2021, 08:30 PM)Golgotha Wrote: Are you referring to keeping the process alive or having it start with the machine?
I was referring to some payload running on startup of a machine, however I'm also open to answers on other topics as well. Any knowledge willing to be shared will be awesome!

Stuff like copying the file and creating a registry key have callbacks so even syscalling them won't help much unless it's a shit antivirus. Better off finding random COM functions and abusing them to move the file.
#6
(02-08-2021, 03:35 AM)Golgotha Wrote: Stuff like copying the file and creating a registry key have callbacks so even syscalling them won't help much unless it's a shit antivirus. Better off finding random COM functions and abusing them to move the file.
Wow! I've never heard of COM before, I'll have to research that. Thanks!
#7
To name a few off the top of my head:
- Registry
| Kind of obvious. Everybody and their hacker-mom uses the registry. the "Run" and one other key that escapes my memory are frequently used. It's kind of a basic type of persistence.
- Startup folders
| Also a basic kind of persistence, but works fine on your average user. There is a certain folder that will execute anything it contains at boot. The nice thing is you can use it as a regular user, and don't need admin.
- Browser helper objects
| Read more about those here: https://resources.infosecinstitute.com/t...ntication/. Haven't used these a lot myself, but have heard of them being used frequently.
- System Services
| System services start at boot a lot. Adding a new one or modifying an existing one is a good persistence mechanism. Someone check me on this, but I think you do need Administrator access to add or modify services.
- Bootkits
| They start before the OS itself. They are like rootkits but infect the MBR of the system.
- Backdooring system files
| Switch out DLLs for ones that are similar but also execute your payload. Modify the code of a program if you have the source code for it. Change common programs' .lnk files. The lnks that are on the desktop specifically.
- WMI
| This is another one I'm a little fuzzy on. Check out powershell empire. It has a WMI persistence function. Here's somewhere you can read about that: https://attack.mitre.org/techniques/T1546/003

I didn't get into depth on any of these. But you can google them or read about them. Or I'll answer what questions I can about each if you have any. Hope this helped.
#8
(02-08-2021, 04:39 PM)ueax Wrote:
(02-08-2021, 03:35 AM)Golgotha Wrote: Stuff like copying the file and creating a registry key have callbacks so even syscalling them won't help much unless it's a shit antivirus. Better off finding random COM functions and abusing them to move the file.
Wow! I've never heard of COM before, I'll have to research that. Thanks!

Yup, an example is BitsTransfer. By now a few have detected it, but it still should bypass most antivirus I believe.
#9
(02-08-2021, 05:36 PM)Golgotha Wrote: Yup, an example is BitsTransfer. By now a few have detected it, but it still should bypass most antivirus I believe.

Wow! This is really interesting!
I'll have to do more research into this technique and find others like it. Maybe something else that is COM related.
Thanks a lot!
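Added example, not posted by anyone in the thread: a read-only PowerShell audit that walks the persistence locations listed in post #7 (Run/RunOnce keys, Startup folders, Browser Helper Objects, auto-start services, permanent WMI event subscriptions) plus the BITS jobs that the BitsTransfer trick from posts #5 and #8 leaves behind. It assumes an elevated prompt (HKLM, other users' BITS jobs and the root\subscription namespace are otherwise only partly readable), and the `Add-Finding` helper and the `$findings` list are names chosen here for the example. The "NOTIFICATION COMMAND LINE" string is the label bitsadmin prints in its verbose listing; the script greps for it because the BitsTransfer cmdlets do not expose that field.

```powershell
# Added example (not from the thread). Enumerates the persistence locations
# discussed above without changing anything. Run elevated. Pipe the result
# to Export-Csv and diff it against a known-good baseline to spot additions.

$findings = [System.Collections.Generic.List[object]]::new()   # name chosen for this example

function Add-Finding {
    param([string]$Category, [string]$Location, [string]$Name, [string]$Value)
    $findings.Add([pscustomobject]@{
        Category = $Category; Location = $Location; Name = $Name; Value = $Value
    })
}

# 1. Registry autostart: Run and RunOnce in both hives (RunOnce is the "other key"
#    from post #7; its values are deleted after they execute once).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }    # skip the provider's own PSPath/PSDrive metadata
        Add-Finding 'Registry' $key $p.Name $p.Value
    }
}

# 2. Startup folders. The per-user one needs no admin rights; the common one does.
foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $target = $_.FullName
        if ($_.Extension -eq '.lnk') {
            # Resolve the shortcut so a renamed .lnk cannot hide the binary it actually launches
            $lnk = (New-Object -ComObject WScript.Shell).CreateShortcut($_.FullName)
            $target = "$($lnk.TargetPath) $($lnk.Arguments)".Trim()
        }
        Add-Finding 'StartupFolder' $dir $_.Name $target
    }
}

# 3. Browser Helper Objects: each subkey is a CLSID; resolve it to the DLL that gets loaded.
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    Get-ChildItem $bhoKey | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" `
                      -ErrorAction SilentlyContinue).'(default)'
        Add-Finding 'BHO' $bhoKey $clsid $server
    }
}

# 4. Services that start automatically, with the image path the SCM runs.
Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' } | ForEach-Object {
    Add-Finding 'Service' 'SCM' $_.Name $_.PathName
}

# 5. Permanent WMI event subscriptions (ATT&CK T1546.003): filter -> consumer bindings,
#    plus what each consumer would execute.
$ns = 'root\subscription'
Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue | ForEach-Object {
    Add-Finding 'WMI' $ns 'Binding' "$($_.Filter.Name) -> $($_.Consumer.Name)"
}
Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue | ForEach-Object {
    Add-Finding 'WMI' $ns "Filter:$($_.Name)" $_.Query
}
Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue | ForEach-Object {
    Add-Finding 'WMI' $ns "Consumer:$($_.Name)" $_.CommandLineTemplate
}
Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue | ForEach-Object {
    Add-Finding 'WMI' $ns "Consumer:$($_.Name)" $_.ScriptText
}

# 6. BITS jobs for every user (ATT&CK T1197). A job that carries a notification
#    command line runs that command when the transfer completes, which is the
#    BitsTransfer persistence mentioned in posts #5 and #8.
Import-Module BitsTransfer -ErrorAction SilentlyContinue
Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue | ForEach-Object {
    Add-Finding 'BITS' $_.OwnerAccount $_.DisplayName "$($_.JobState) $($_.TransferType)"
}
# Get-BitsTransfer does not expose the notify command line; bitsadmin's verbose listing does.
& bitsadmin.exe /list /allusers /verbose 2>$null |
    Select-String -Pattern 'NOTIFICATION COMMAND LINE' |
    ForEach-Object { Add-Finding 'BITS' 'bitsadmin' 'NotifyCmdLine' $_.Line.Trim() }

$findings | Sort-Object Category, Location, Name | Format-Table -AutoSize -Wrap
```

Everything this script reads is also what the registry-auditing reply in post #2 is getting at: none of these locations is hidden, only unfamiliar. Bootkits and swapped-out system DLLs from post #7 are deliberately not covered, since a live-system script cannot trust the MBR or the loaded DLLs it would be asking about; those need offline disk or hash comparison.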