Some persistence and escalation techniques require no exploit at all, only a small tweak to some configuration.
Windows
📂 File System
%AppData%\Microsoft\Windows\Start Menu\Programs\Startup
⚙️ Registry
A list of registry keys (and the on-disk Startup folders) that can be abused for persistence and escalation.
🔑 C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup (default)
🔑 C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp (default)
🔑 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (default)
🔑 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce (default)
🔑 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (default)
🔑 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce (default)
🔑 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll"
🔑 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
🔑 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
🔑 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
🔑 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
🔑 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
🔑 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
🔑 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
🔑 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
🔑 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (when specified in the policy settings)
🔑 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (when specified in the policy settings)
🔑 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit # Usually, only userinit.exe is referenced here. Winlogon.exe will launch all executables mentioned.
🔑 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
🔑 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows # run when any user logs on.
🔑 HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\BootExecute # multistring value, normally set to "autocheck autochk *". It causes Windows, at startup, to check the file-system integrity of the hard disks if the system was shut down abnormally. Adversaries can add other programs or processes to this value, and they will launch automatically at boot.
🔑 HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages # Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in this value ("Authentication Packages"=<target binary>). The binary is then executed by the system when the authentication packages are loaded.
🔑 HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\ # Time providers are implemented as dynamic-link libraries (DLLs) registered in the subkeys of this key. The time provider manager, directed by the service control manager, loads and starts the time providers listed and enabled here at system startup and/or whenever parameters are changed.
🔑 HKLM\Software[\Wow6432Node\]\Microsoft\Windows NT\CurrentVersion\Winlogon\
🔑 HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ # Both keys are used to manage additional helper programs and functionality that support Winlogon:
🔑 Winlogon\Notify points to notification package DLLs that handle Winlogon events.
🔑 Winlogon\Userinit points to userinit.exe, the user initialisation program executed when a user logs on.
🔑 Winlogon\Shell points to explorer.exe, the system shell executed when a user logs on.
🔑 HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages # DLLs listed here are loaded into the LSA process, which means they have access to unencrypted password material.
# Boot execute. Not sure what that means: https://www.tenable.com/plugins/nessus/70615. It could be [this](https://github.com/beahunt3r/Windows-Hunting/blob/master/Persistence/Registry%20Autoruns/Boot%20Execute):
🔑 HKLM\System\CurrentControlSet\Control\ServiceControlManagerExtension
🔑 HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
🔑 HKLM\System\CurrentControlSet\Control\Session Manager\Execute
🔑 HKLM\System\CurrentControlSet\Control\Session Manager\S0InitialCommand
🔑 HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute
Policies
More about it here. This could be used to allow some legitimate software.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (when specified in the policy settings)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (when specified in the policy settings)
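Auditing the keys listed above is easier against a baseline than by eye. The following is an added example (Python, not code from the original page): it parses the text form of a `reg export` (.reg) file, decodes REG_SZ and REG_MULTI_SZ (hex(7)) values, reports Run/RunOnce entries that are not on an allow-list, and reports Winlogon and Session Manager values that differ from a stock baseline. The BASELINE, ALLOWLIST and the sample export are constructed for the demo; real `reg export` output is UTF-16 encoded and must be decoded to text before parsing.

```python
"""Baseline check of Windows autorun registry values from a `reg export` file (added example)."""

# Values attackers typically modify rather than add to; expected stock values.
# Assumption: a default install. Adjust for your own build.
BASELINE = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon": {
        "Userinit": r"C:\Windows\system32\userinit.exe,",
        "Shell": "explorer.exe",
    },
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager": {
        "BootExecute": ["autocheck autochk *"],
    },
}

# Keys where every value is an autostart entry; anything not allow-listed gets reported.
AUTORUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
}
ALLOWLIST = {"SecurityHealth"}  # value names known to be legitimate on this build (constructed)


def decode_value(literal):
    """Decode a .reg literal: "string" (REG_SZ), hex(7):.. (REG_MULTI_SZ), dword:..; others stay raw."""
    if literal.startswith('"') and literal.endswith('"'):
        return literal[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if literal.startswith("hex(7):"):
        raw = bytes(int(b, 16) for b in literal[len("hex(7):"):].split(",") if b)
        return [s for s in raw.decode("utf-16-le").split("\x00") if s]
    if literal.startswith("dword:"):
        return int(literal[len("dword:"):], 16)
    return literal


def parse_reg_export(text):
    """Return {key_path_lowercased: {value_name: decoded_value}} from .reg text."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):  # hex data continues on the next line
            pending = line[:-1]
            continue
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()  # registry paths are case-insensitive
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        name, _, literal = line.partition("=")
        name = "(default)" if name == "@" else name.strip('"')
        keys[current][name] = decode_value(literal)
    return keys


def find_deviations(keys):
    """Compare parsed keys with BASELINE/ALLOWLIST; return (key, value_name, value, reason) tuples."""
    findings = []
    for key, expected in BASELINE.items():
        for name, want in expected.items():
            got = keys.get(key.lower(), {}).get(name)
            if got is not None and got != want:
                findings.append((key, name, got, "differs from baseline"))
    for key in AUTORUN_KEYS:
        for name, value in keys.get(key.lower(), {}).items():
            if name not in ALLOWLIST:
                findings.append((key, name, value, "autorun entry not on allow-list"))
    return findings


def _hex7(*strings):
    """Build a hex(7) literal the way reg.exe writes it (UTF-16LE bytes, wrapped). Sample construction only."""
    data = "".join(s + "\x00" for s in strings).encode("utf-16-le") + b"\x00\x00"
    body = ",".join(f"{b:02x}" for b in data)
    return "hex(7):" + body[:24] + "\\\n  " + body[24:]


# Constructed sample export: one extra Run entry, a modified Userinit and an extra BootExecute program.
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
    r'"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"',
    r'"Updater"="C:\\Users\\Public\\update.exe"',
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]",
    r'"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\Public\\init.exe"',
    r'"Shell"="explorer.exe"',
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]",
    '"BootExecute"=' + _hex7("autocheck autochk *", r"C:\Users\Public\boot.exe"),
])


if __name__ == "__main__":
    for key, name, value, reason in find_deviations(parse_reg_export(SAMPLE_REG)):
        print(f"{reason}: {key}\\{name} = {value!r}")
```

Running it on the sample reports the modified Userinit, the extra BootExecute program and the non-allow-listed "Updater" entry, while the allow-listed SecurityHealth entry and the stock Shell value stay quiet. Extend BASELINE and AUTORUN_KEYS with the other keys from the list above (RunOnceEx, Policies\Explorer\Run, Lsa packages) as your environment requires.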
Linux
/etc/systemd/system
/usr/lib/systemd/system
/etc/init*
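For the systemd directories listed above, a quick audit of what each unit actually executes is a useful first pass. The following is an added example (Python, not from the original page): it parses *.service files, extracts every Exec*= command, strips systemd's prefix characters, and flags units whose binary lives outside the usual system paths, which run an inline shell command, or which have a hidden (dot-prefixed) file name. The sample units are constructed and written to a temporary directory so the script runs anywhere; point audit_dirs at UNIT_DIRS to scan a real host.

```python
"""Audit systemd unit files for suspicious Exec* commands (added example)."""
import os
import shlex
import tempfile

# Directories from the list above.
UNIT_DIRS = ["/etc/systemd/system", "/usr/lib/systemd/system"]

# Binaries normally live here on a stock install; anything else deserves a look (assumption).
TRUSTED_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/lib/", "/lib64/", "/opt/")
SHELLS = {"sh", "bash", "dash", "zsh"}


def parse_unit(text):
    """Return {section: [(key, value), ...]} for a systemd unit file."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def audit_unit(name, text):
    """Return (unit, target, reason) findings for one unit file."""
    findings = []
    if name.startswith("."):
        findings.append((name, "", "hidden unit file name"))
    for key, value in parse_unit(text).get("Service", []):
        if not key.startswith("Exec"):
            continue
        # systemd allows -, @, :, +, ! prefixes before the executable path
        argv = shlex.split(value.lstrip("-@:+!"))
        if not argv:
            continue
        binary = argv[0]
        if not binary.startswith(TRUSTED_PREFIXES):
            findings.append((name, binary, "binary outside trusted paths"))
        elif os.path.basename(binary) in SHELLS and "-c" in argv[1:]:
            findings.append((name, value, "inline shell command"))
    return findings


def audit_dirs(dirs):
    """Audit every *.service file in the given directories."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for fname in sorted(os.listdir(d)):
            if not fname.endswith(".service"):
                continue
            with open(os.path.join(d, fname), encoding="utf-8", errors="replace") as fh:
                findings.extend(audit_unit(fname, fh.read()))
    return findings


# Constructed sample units: two benign, one hidden unit in /tmp, one shell wrapper.
SAMPLE_UNITS = {
    "sshd.service": "[Unit]\nDescription=OpenSSH server\n\n[Service]\nExecStart=/usr/sbin/sshd -D\n",
    "docker.service": "[Service]\nExecStart=-/usr/bin/dockerd\nExecStartPost=/usr/bin/true\n",
    ".update-helper.service": "[Service]\nExecStart=/tmp/.cache/update-helper --daemon\n",
    "cron-helper.service": '[Service]\nExecStart=/bin/sh -c "/home/user/.cache/helper"\n',
}


def demo():
    """Write the constructed units to a temp dir and audit it (stand-in for UNIT_DIRS)."""
    with tempfile.TemporaryDirectory() as tmp:
        for fname, text in SAMPLE_UNITS.items():
            with open(os.path.join(tmp, fname), "w", encoding="utf-8") as fh:
                fh.write(text)
        return audit_dirs([tmp])


if __name__ == "__main__":
    for unit, target, reason in demo():
        print(f"{unit}: {reason} ({target})")
```

The trusted-path heuristic is deliberately coarse: a package may legitimately install under /var/lib or a vendor directory, so treat the output as a triage list to compare against package ownership (dpkg -S, rpm -qf) rather than a verdict.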
macOS
Login Items
System Preferences -> Users & Groups -> Login Items. Additional resource: SDF podcast.
How do you determine whether a login item is malicious? The only sure way is to reverse engineer it, but that is time consuming, so you need to narrow down the candidates first. There are a couple of indicators that are commonly seen in malware.
"Login items run within the user's desktop session, inheriting the user's permissions, and start automatically at user login. Due to this afforded persistence, Mac malware will commonly install itself as a login item. You can find examples of this technique in malware like Kitm, NetWire, and WindTail." (Wardle, Patrick. The Art of Mac Malware, p. 24. No Starch Press, Kindle edition.)
❗️ macOS doesn't readily show the full path to a persisted login item in its interface (unless you hover over the item for a few seconds).
👻 backgroundtaskmanagementagent is a daemon that runs in the background and, among other things, manages login items. The list of items is stored in a file named ⚙️ backgrounditems.btm.
Programming persistence
⚙️ LSSharedFileListCreate (returns a reference to the list) -> LSSharedFileListInsertItemURL (adds a new item; requires the full path to the item).
To view the APIs a binary uses, run nm WindTail/Final_Presentation.app/Contents/MacOS/usrnode. Seeing the above two APIs in the output suggests the binary uses this persistence mechanism.
🥷🏼 (stealthy) SMLoginItemSetEnabled - see the "Modern Login Items" blog post or Apple's documentation. This allows application-specific helper login items, which don't show up in System Preferences. These items are stored in the LoginItems subdirectory of the application's bundle.