
3 ‐ Detections

last - @last0x00 edited this page Mar 31, 2024 · 5 revisions

This section details the different persistence techniques which PersistenceSniper is able to detect.

The topic of persistence, especially on Windows machines, is one of those which see new discoveries basically every other week. Given the sheer amount of persistence techniques found so far by researchers, implementing them is an iterative process and will continue for as long as this repository is alive. So far the following 52 techniques have been implemented successfully:

  1. Run Key: executables in properties of the key (HKLM|HKEY_USERS\<SID>)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run are run when the user logs in or when the machine boots up (in the case of the HKLM hive);
  2. RunOnce Key: executables in properties of the key (HKLM|HKEY_USERS\<SID>)\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce are run once when the user logs in, or when the machine boots up (in the case of the HKLM hive), and then deleted;
  3. Image File Execution Options: executables in the Debugger property of a subkey of (HKLM|HKEY_USERS\<SID>)\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ are run instead of the program corresponding to the subkey. Gained access depends on whose context the debugged process runs in;
  4. Natural Language Development Platform 6 DLL Override Path: DLLs listed in properties of subkeys of (HKLM|HKEY_USERS\<SID>)\SYSTEM\CurrentControlSet\Control\ContentIndex\Language are loaded via LoadLibrary executed by SearchIndexer.exe;
  5. AEDebug Keys: the executable in the Debugger property of (HKLM|HKEY_USERS\<SID>)\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug is run when a process crashes. Gained access depends on whose context the debugged process runs in; if the Auto property of the same registry key is set to 1, the debugger starts without user interaction. A value of 'C:\Windows\system32\vsjitdebugger.exe' might be a false positive if you have Visual Studio Community installed;
  6. Windows Error Reporting Debugger: the executable in the Debugger property of (HKLM|HKEY_USERS\<SID>)\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Hangs is spawned by WerFault.exe when a process crashes;
  7. Windows Error Reporting ReflectDebugger: the executable in the ReflectDebugger property of (HKLM|HKEY_USERS\<SID>)\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Hangs is spawned by WerFault.exe when called with the -pr argument;
  8. Command Prompt AutoRun: the executable in the AutoRun property of (HKLM|HKEY_USERS\<SID>)\Software\Microsoft\Command Processor\AutoRun is run when cmd.exe is spawned without the /D argument;
  9. Explorer Load: the executable in the Load property of (HKLM|HKEY_USERS\<SID>)\Software\Microsoft\Windows NT\CurrentVersion\Windows is run by explorer.exe at login time;
  10. Winlogon Userinit: the executables in the Userinit property of (HKLM|HKEY_USERS\<SID>)\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon are run at login time by any user. Normally this property should be set to 'C:\Windows\system32\userinit.exe,' without any further executables appended;
  11. Winlogon Shell: the executables in the Shell property of (HKLM|HKEY_USERS\<SID>)\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon are run as the default shell for any user. Normally this property should be set to 'explorer.exe' without any further executables appended;
  12. Windows Terminal startOnUserLogin: the executable specified as value of the key "commandline" of a profile which has the "startOnUserLogin" key set to "true" in the Windows Terminal's settings.json of a user is run every time that user logs in;
  13. AppCertDlls DLL Injection: DLLs in properties of the key (HKLM|HKEY_USERS\<SID>)\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls are loaded by every process that loads the Win32 API at process creation;
  14. App Paths Hijacking: executables in the (Default) property of a subkey of (HKLM|HKEY_USERS\<SID>)\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ are run instead of the program corresponding to the subkey. Gained access depends on whose context the process runs in. Be aware this might be a false positive;
  15. ServiceDll Hijacking: DLLs in the ServiceDll property of (HKLM|HKEY_USERS\<SID>)\SYSTEM\CurrentControlSet\Services\<SERVICE_NAME>\Parameters are loaded by the corresponding service's svchost.exe. If an attacker modifies said entry, the malicious DLL will be loaded in place of the legitimate one;
  16. Group Policy Extensions DLLs: DLLs in the DllName property of (HKLM|HKEY_USERS\<SID>)\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\<GUID>\ are loaded by the gpsvc process. If an attacker modifies said entry, the malicious DLL will be loaded in place of the legitimate one;
  17. Winlogon MPNotify: the executable specified in the "mpnotify" property of the (HKLM|HKEY_USERS\<SID>)\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon key is run by Winlogon when a user logs on. After the timeout (30s) the process and its child processes are terminated;
  18. CHM Helper DLL: DLLs in the Location property of (HKLM|HKEY_USERS\<SID>)\Software\Microsoft\HtmlHelp Author\ are loaded when a CHM help file is parsed. If an attacker adds said entry, the malicious DLL will be loaded;
  19. Hijacking of hhctrl.ocx: the DLL in the (Default) property of HKEY_CLASSES_ROOT\CLSID\{52A2AAAE-085D-4187-97EA-8C30DB990436}\InprocServer32 is loaded when a CHM help file is parsed or when hh.exe is started. If an attacker modifies said entry, the malicious DLL will be loaded. In case the loading fails for any reason, C:\Windows\hhctrl.ocx is loaded;
  20. Startup Folder: the executables under .\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ of a user's profile folder are run every time that user logs in;
  21. User Init Mpr Logon Script: the executable specified in the "UserInitMprLogonScript" property of the HKEY_USERS\<SID>\Environment key is run when the user logs on;
  22. AutodialDLL Winsock Injection: the DLL specified in the "AutodialDLL" property of the (HKLM|HKEY_USERS\<SID>)\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters key is loaded by the Winsock library every time it connects to the internet;
  23. LSA Extensions DLL: the DLLs specified in the "Extensions" property of the (HKLM|HKEY_USERS\<SID>)\SYSTEM\CurrentControlSet\Control\LsaExtensionConfig\LsaSrv\ key are loaded by LSASS at machine boot;
  24. ServerLevelPluginDll DNS Server DLL Hijacking: the DLL specified in the "ServerLevelPluginDll" property of the (HKLM|HKEY_USERS\<SID>)\SYSTEM\CurrentControlSet\Services\DNS\Parameters key is loaded by the DNS service on systems with the "DNS Server" role enabled;
  25. LSA Authentication Packages DLL: the DLLs specified in the "Authentication Packages" property of the (HKLM|HKEY_USERS\<SID>)\SYSTEM\CurrentControlSet\Control\Lsa\ key are loaded by LSASS at machine boot;
  26. LSA Security Packages DLL: the DLLs specified in the "Security Packages" property of the (HKLM|HKEY_USERS\<SID>)\SYSTEM\CurrentControlSet\Control\Lsa\ key are loaded by LSASS at machine boot;
  27. Winlogon Notify Packages DLL: DLLs in the properties of the (HKLM|HKEY_USERS\<SID>)\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify key are loaded by the system when it boots;
  28. Explorer Tools Hijacking: executables in the (Default) property of a subkey of (HKLM|HKEY_USERS\<SID>)\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer are run when the corresponding event is triggered;
  29. .NET DbgManagedDebugger: the executable in the DbgManagedDebugger property of (HKLM|HKEY_USERS\<SID>)\SOFTWARE\Wow6432Node\Microsoft\.NETFramework is run when a .NET process crashes. Gained access depends on whose context the debugged process runs in;
  30. ErrorHandler.cmd Hijacking: the content of C:\WINDOWS\Setup\Scripts\ErrorHandler.cmd is read whenever some tools under C:\WINDOWS\System32\oobe\ (e.g. Setup.exe) fail to run for any reason;
  31. WMI Subscriptions: WMI event subscriptions can be used to link script/command executions to specific events. Here we list the active event consumers, but you may also want to review existing Filters (with Get-WMIObject -Namespace root\Subscription -Class __EventFilter) and Bindings (with Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding);
  32. Windows Services: adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions;
  33. Terminal Services InitialProgram: the executable in the InitialProgram property of (HKLM|HKEY_USERS\<SID>)\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services is run when a Remote Desktop Connection is made to the target machine. Gained access depends on whether the key is in the system hive or a user's hive. For this technique to work, the fInheritInitialProgram property of the same key must also be set to 1;
  34. Accessibility Tools Backdoor: accessibility tools are executables that can be run from the lock screen of a Windows machine and are supposed to enable accessibility features like text to speech or zooming in on the screen. If an attacker replaces them with malicious or LOLBIN executables they can execute code with SYSTEM permission from a lock screen, effectively bypassing authentication. In this case, the accessibility tool in the Path field has been replaced with the binary in the Value field;
  35. AMSI Providers: DLLs in the (Default) property of HKLM:\SOFTWARE\Classes\CLSID\$keyGUID\InprocServer32, where $keyGUID is a GUID listed under HKLM:\SOFTWARE\Microsoft\AMSI\Providers\, are considered AMSI providers and are loaded by all processes that also load the .NET CLR;
  36. PowerShell Profiles: files named 'Profile.ps1' or 'Microsoft.PowerShell_profile.ps1' under System32's PowerShell directory or a user's Documents\WindowsPowerShell folder are loaded whenever a user launches PowerShell;
  37. Silent Exit Monitor: executables specified under subkeys of HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\ are run when the process associated with the subkey is terminated by another process;
  38. Telemetry Controller: executables specified under the Command property of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\ are run by the Windows Compatibility Telemetry binary, CompatTelRunner.exe;
  39. RDP WDS Startup Programs: executables specified under the StartupPrograms property of HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd are run whenever a user logs on to the machine through Remote Desktop;
  40. Scheduled Tasks: scheduled tasks run executables or actions when certain conditions, such as user log in or machine boot up, are met;
  41. BITS Jobs NotifyCmdLine: the Windows Background Intelligent Transfer Service (BITS) can be used to persistently execute code by creating long-standing jobs. Specifically, if an attacker sets SetNotifyCmdLine when creating a job which will error, the executable specified will be run every time the BITS job fails;
  42. Power Automate: Power Automate is an RPA (Robotic Process Automation) platform made available by Microsoft. It can run on a standalone system or through Azure tenants. Given the high number of functions available and the 'legit source' of these executables and processes, it could be used for malicious intent as well. The presence of the logs means that the system is in some way running these flows. Review whether they are legitimate or not (the last log is shown in Value);
  43. Screensaver: executables specified under the SCRNSAVE.EXE property of the HKEY_USERS\<SID>\Control Panel\Desktop key will be run in place of the legitimate screensaver, thus achieving persistence on a compromised machine;
  44. Office Templates: attackers can drop macro-enabled files in specific folders to trigger their execution every time the victim user opens an Office application;
  45. Office AI.exe Hijacking: Office executables like WINWORD.exe look for AI.exe under the %ProgramFiles%\Microsoft Office\root\<Office Version> and %ProgramFiles(x86)%\Microsoft Office\root\<Office Version> directories. An attacker may place a malicious AI.exe there in order to have persistence whenever a user interacts with the Microsoft Office Suite;
  46. Explorer Context Menu Hijacking: DLLs in the (Default) property of the "HKEY_CLASSES_ROOT\AllFilesystemObjects\shellex\ContextMenuHandlers\{B7CDF620-DB73-44C0-8611-832B261A0107}" key are run when the user right-clicks in any Explorer window;
  47. Service Control Manager Security Descriptor Manipulation: the Service Control Manager is the software responsible for starting and stopping services in the Windows OS. If its ACL is loosely set, it would be possible for a non-administrative process to start administrative processes by creating a service running with high or SYSTEM privileges;
  48. RunEx Key: executables in properties of any key under the (HKLM|HKEY_USERS\<SID>)\SOFTWARE\Microsoft\Windows\CurrentVersion\RunEx key are run when the user logs in or when the machine boots up (in the case of the HKLM hive);
  49. RunOnceEx Key: executables in properties of any key under the (HKLM|HKEY_USERS\<SID>)\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx key are run when the user logs in or when the machine boots up (in the case of the HKLM hive), and then deleted;
  50. .NET Startup Hooks DLL Sideloading: the .NET DLLs listed in the DOTNET_STARTUP_HOOKS environment variable are loaded into .NET processes at runtime;
  51. RID Hijacking: RID hijacking allows an attacker to covertly replace the RID of a user with the RID of another user, effectively giving the first user all of the privileges of the second user. The second user is usually an Administrator, which allows the first user to gain administrator level privileges while using a non-administrator account;
  52. Suborner Technique: the Suborner attack involves creating hidden users which are not shown using the "net user" command. They do not appear in the login screen or in lusrmgr.msc and can be found using the Get-LocalUser PowerShell cmdlet. This technique is usually paired with RID hijacking to achieve stealthy, admin level persistence;
  53. DSRM Backdoor: the password used to enter Directory Services Restore Mode (DSRM) is the password set to the local administrator of a Domain Controller during DCPROMO. If the DsrmAdminLogonBehavior property of the HKLM:\System\CurrentControlSet\Control\Lsa key is set to 2, this password can be used to access the Domain Controller with the local administrator account;
  54. GhostTask: malicious scheduled tasks can be created manually by properly modifying some registry keys. Tasks created in this way and without the SD property do not show up in the Task Scheduler utility or in the Event Log;
  55. Boot Verification Program Hijacking: the executable pointed to by the ImagePath property of the HKLM:\SYSTEM\CurrentControlSet\Control\BootVerificationProgram key is run by the Windows Service Manager at boot time in place of the legitimate Bootvrfy.exe;
  56. AppInit DLLs Injection: the DLLs specified in the AppInit_DLLs property of the HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows key are loaded by user32.dll whenever a new process starts.
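Most entries above follow the same `(HKLM|HKEY_USERS\<SID>)` pattern, so a check has to walk every loaded user hive, not just the current one. The following is an added example, not PersistenceSniper's own code: it enumerates the Run, RunOnce, RunEx and RunOnceEx keys (items 1, 2, 48, 49) across HKLM and every hive under HKEY_USERS, and compares the Winlogon Userinit and Shell values (items 10, 11) with the baseline stated above. It assumes Windows PowerShell running elevated, so that other users' hives are visible.

```powershell
# Added example, not PersistenceSniper's own code: Run-family keys across all
# loaded hives plus a Winlogon Userinit/Shell baseline check.
$RunSubkeys = 'Run', 'RunOnce', 'RunEx', 'RunOnceEx' |
    ForEach-Object { "SOFTWARE\Microsoft\Windows\CurrentVersion\$_" }
# Expected Winlogon values from items 10 and 11 above.
$WinlogonBaseline = @{ Userinit = 'C:\Windows\system32\userinit.exe,'; Shell = 'explorer.exe' }

# HKU: is not a default PowerShell drive, so map it before enumerating SIDs.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$Hives = @('HKLM:') + @(Get-ChildItem -Path HKU: |
    Where-Object { $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { "HKU:\$($_.PSChildName)" })

function Get-RunKeyEntries {
    foreach ($hive in $Hives) {
        foreach ($sub in $RunSubkeys) {
            # Run/RunOnce hold values directly; RunEx/RunOnceEx use subkeys.
            $keys = @(Get-Item -Path "$hive\$sub" -ErrorAction SilentlyContinue) +
                    @(Get-ChildItem -Path "$hive\$sub" -Recurse -ErrorAction SilentlyContinue)
            foreach ($key in $keys) {
                foreach ($name in $key.GetValueNames()) {
                    [PSCustomObject]@{ Hive = $hive; Key = $key.Name; Name = $name; Value = $key.GetValue($name) }
                }
            }
        }
    }
}

function Test-WinlogonBaseline {
    foreach ($hive in $Hives) {
        $wl = Get-ItemProperty -Path "$hive\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -ErrorAction SilentlyContinue
        if ($null -eq $wl) { continue }
        foreach ($prop in $WinlogonBaseline.Keys) {
            $actual = $wl.$prop
            # Absent in a user hive is normal; a value differing from the baseline is not.
            if ($null -ne $actual -and $actual -ne $WinlogonBaseline[$prop]) {
                [PSCustomObject]@{ Hive = $hive; Property = $prop; Expected = $WinlogonBaseline[$prop]; Actual = $actual }
            }
        }
    }
}

Get-RunKeyEntries     | Format-Table -AutoSize
Test-WinlogonBaseline | Format-Table -AutoSize
```

Hives of users who are not logged on are not loaded under HKEY_USERS and therefore do not appear; load their NTUSER.DAT with reg.exe load first if you need full coverage.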
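Item 31 notes that the consumer list alone does not show what triggers it. This added example (not PersistenceSniper's own code) resolves every __FilterToConsumerBinding in root\subscription to its filter query and the consumer's command or script, so each trigger-to-action chain can be reviewed in one place. It assumes Windows PowerShell 5.1, where Get-WmiObject is available.

```powershell
# Added example, not PersistenceSniper's own code: resolve WMI filter -> consumer
# bindings into a single row per subscription chain.
function Get-WmiSubscriptionChain {
    $ns = 'root\subscription'
    foreach ($binding in Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding) {
        # Filter and Consumer are object-path references such as
        # \\.\root\subscription:__EventFilter.Name="X"; [wmi] fetches the object.
        $filter   = [wmi]$binding.Filter
        $consumer = [wmi]$binding.Consumer
        # Only some consumer classes execute something; pick the payload field.
        $action = switch ($consumer.__CLASS) {
            'CommandLineEventConsumer'  { $consumer.CommandLineTemplate }
            'ActiveScriptEventConsumer' {
                if ($consumer.ScriptText) { $consumer.ScriptText } else { $consumer.ScriptFileName }
            }
            default                     { "<$($consumer.__CLASS) does not run code>" }
        }
        [PSCustomObject]@{
            Filter       = $filter.Name
            Query        = $filter.Query      # the WQL event that fires the consumer
            ConsumerType = $consumer.__CLASS
            Consumer     = $consumer.Name
            Action       = $action
        }
    }
}

Get-WmiSubscriptionChain | Format-List
```

A binding whose query fires on a timer or on boot (for example a __InstanceModificationEvent on Win32_PerfFormattedData_PerfOS_System) paired with a command-line or script consumer is the shape of a persistence subscription; legitimate ones, such as SCM event logging consumers, should be accounted for rather than removed blindly.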