This technical summary gives an overview of Windows persistence techniques: how each mechanism works, what privileges it needs, and how it is used offensively (to keep access across reboots and logoffs) and defensively (as a place to hunt for implants).
Account Creation
- Local and Domain Accounts: Creating a new user (net user /add, New-LocalUser, New-ADUser) or adding an existing one to a privileged group, either local (valid on that host only) or in Active Directory (valid across the domain), gives access that does not depend on the compromised user's credentials staying valid. Both actions generate audit events (4720 for a new user, 4732 and 4728 for group membership changes) that defenders should alert on.
Startup Methods
- Startup Folder: Dropping an executable, script or shortcut into the per-user Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup) or the all-users one (%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp, writable only by administrators) so that Explorer launches it at every logon of that user.
- Registry Autorun: Adding a value under a Run or RunOnce key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run for one user, HKLM\Software\Microsoft\Windows\CurrentVersion\Run for every user; writing under HKLM needs administrative rights) whose data is the command to launch at logon. RunOnce entries are deleted after they run.
- Registry Logon Scripts: Setting HKCU\Environment\UserInitMprLogonScript to a script or command path; userinit.exe runs it during logon, before the shell starts, without any Group Policy or domain logon script being configured.
File and System Manipulation
- Hijacking File Extensions: Changing the handler for a file type (the shell\open\command value under HKCU\Software\Classes\<progid> or HKCR) so that opening any file with that extension runs the attacker's command, which typically then launches the real handler with the original file so the user notices nothing.
- Shortcut Modification: Editing the target or arguments of a .lnk the user opens routinely (desktop, taskbar, Start menu) so that it starts the payload and then the intended program; the icon and name stay the same, so the change is not visible to the user.
- PowerShell Profile: Writing commands into one of the profile scripts PowerShell dot-sources at startup ($PROFILE, e.g. Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 for the current user, or the all-users profile under $PSHOME, which needs administrative rights); every launch of PowerShell that does not pass -NoProfile runs them.
Scheduled Tasks
- Regular and Elevated Users: Registering a task (schtasks.exe or Register-ScheduledTask) that runs a command on a trigger such as logon, boot, idle, a fixed time or a specific event-log entry. An unprivileged user can only create tasks that run as themselves; tasks that run as SYSTEM or with highest privileges need administrative rights and are more valuable to an attacker because they run without a logged-on session.
- Multi-Action Tasks: A single task can carry several actions that run in order under one set of triggers (for example, a benign-looking first action followed by the payload), so tooling that displays only one action per task can miss the rest.
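The following is an added example, not code from the original summary: it registers a two-action task for the current user with a logon trigger and a daily trigger, then runs a small audit over all registered tasks that flags actions whose executable lives outside %SystemRoot% or whose arguments carry hidden-window or encoded-command PowerShell switches (which is how the demo task itself gets caught). The task name, log directory and detection heuristic are this example's own assumptions.

```powershell
# Added example (not from the original page). Run in an elevated PowerShell to see
# every task; an unprivileged session sees only tasks it is allowed to read.

$taskName = 'Demo-MultiAction'                      # assumed task name
$logDir   = Join-Path $env:LOCALAPPDATA 'DemoTask'  # assumed working directory
$me       = "$env:USERDOMAIN\$env:USERNAME"

# Two actions execute in order under the same triggers: create the directory, then log a timestamp.
$actions = @(
    New-ScheduledTaskAction -Execute 'cmd.exe' -Argument "/c mkdir `"$logDir`" 2>nul"
    New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -WindowStyle Hidden -Command `"Get-Date | Out-File -Append '$logDir\run.log'`""
)

# Triggers: at logon of this user and every day at 09:00.
$triggers = @(
    New-ScheduledTaskTrigger -AtLogOn -User $me
    New-ScheduledTaskTrigger -Daily -At '09:00'
)

# Principal: the current user at limited privilege. -RunLevel Highest (or a SYSTEM
# principal) requires the registering session to be elevated.
$principal = New-ScheduledTaskPrincipal -UserId $me -LogonType Interactive -RunLevel Limited
$settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 5)

Register-ScheduledTask -TaskName $taskName -Action $actions -Trigger $triggers `
    -Principal $principal -Settings $settings -Force | Out-Null

function Get-SuspiciousTaskAction {
    # Walks every action of every task. Tasks with ComHandler actions have no Execute
    # property and are skipped; exec actions are checked for two cheap indicators.
    $sysRoot = $env:SystemRoot
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }
            $exe       = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            $argString = [string]$action.Arguments
            # A full path that is not under the Windows directory (bare names such as
            # "powershell.exe" resolve through PATH and are not judged here).
            $outsideSystem = ($exe -match '[\\/]') -and
                             -not $exe.StartsWith($sysRoot, [System.StringComparison]::OrdinalIgnoreCase)
            # Hidden window, encoded command or profile suppression in the arguments.
            $hiddenOrEncoded = $argString -match '-(enc|encodedcommand|w(indowstyle)?\s+hidden|nop(rofile)?)\b'
            if ($outsideSystem -or $hiddenOrEncoded) {
                [pscustomobject]@{
                    TaskPath  = $task.TaskPath
                    TaskName  = $task.TaskName
                    RunAs     = $task.Principal.UserId
                    RunLevel  = $task.Principal.RunLevel
                    Author    = $task.Author
                    Execute   = $exe
                    Arguments = $argString
                }
            }
        }
    }
}

Get-SuspiciousTaskAction | Format-Table TaskPath, TaskName, RunAs, RunLevel, Execute -AutoSize

# Clean up the demo task.
Unregister-ScheduledTask -TaskName $taskName -Confirm:$false
```

The audit output includes the demo task because of its -WindowStyle Hidden argument. Legitimate vendor tasks under Program Files will also be reported by the path rule; the point of the check is triage, and the Author and RunAs columns are what usually separates a vendor task from a planted one.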
Services and DLL Manipulation
- Creating and Modifying Services: Registering a new service (sc.exe create, New-Service) whose binary is the payload, or changing an existing service's ImagePath, replacing its binary, or exploiting a weakness in its configuration such as an unquoted path containing spaces or a binary in a user-writable directory. Creating or reconfiguring a service requires administrative rights but yields code that runs as SYSTEM at boot, independent of any user logging on.
- DLL Hijacking: Getting an application to load the attacker's DLL instead of, or in addition to, the one it expects: either by planting a DLL with the expected name in a location the loader searches before the legitimate copy (for example the application's own directory) or by supplying a DLL the application tries to load but which is missing from the system (a "phantom" DLL). The legitimate DLL does not have to be replaced; the attacker only needs write access to a directory on the application's search path.
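The block below is an added example, not code from the original page. It audits installed services for the two configuration weaknesses described above that hand an attacker service-level persistence: an unquoted image path with spaces (a binary dropped at a prefix such as C:\Program.exe runs as the service account) and a service binary whose file or directory is writable by low-privilege principals (which allows replacing the binary or planting a DLL next to it). The SID list and the write-permission mask are this example's own choices.

```powershell
# Added example (not from the original page). Read-only; runs without elevation,
# but some service directories are only readable by administrators.

# Principals whose write access to a service binary or its directory is a problem.
$lowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-4'        # INTERACTIVE
)
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData

function Test-LowPrivWritable([string]$Path) {
    # True if any Allow ACE grants a low-privilege SID one of the write rights above.
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if (($lowPrivSids -contains $sid) -and (($ace.FileSystemRights -band $writeMask) -ne 0)) { return $true }
    }
    return $false
}

function Get-WeakService {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $pathName = $svc.PathName
        if (-not $pathName) { continue }
        if ($pathName.StartsWith('"')) {
            # Quoted image path: the executable ends at the closing quote.
            $end = $pathName.IndexOf('"', 1)
            $exe = if ($end -gt 1) { $pathName.Substring(1, $end - 1) } else { $pathName.Trim('"') }
            $unquoted = $false
        } else {
            # Unquoted: take everything up to the first ".exe"; spaces in it are the weakness.
            $m   = [regex]::Match($pathName, '^(.*?\.exe)\b', 'IgnoreCase')
            $exe = if ($m.Success) { $m.Groups[1].Value } else { ($pathName -split '\s+')[0] }
            $unquoted = $exe.Contains(' ')
        }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        if (-not $exe) { continue }
        $dir         = Split-Path -Path $exe -Parent
        $dirWritable = [bool]($dir -and (Test-LowPrivWritable $dir))
        $exeWritable = [bool]((Test-Path -LiteralPath $exe) -and (Test-LowPrivWritable $exe))
        if ($unquoted -or $dirWritable -or $exeWritable) {
            [pscustomobject]@{
                Name         = $svc.Name
                StartMode    = $svc.StartMode
                RunAs        = $svc.StartName
                Image        = $exe
                UnquotedPath = $unquoted
                DirWritable  = $dirWritable
                ExeWritable  = $exeWritable
            }
        }
    }
}

Get-WeakService | Format-Table -AutoSize
```

A service that is flagged with RunAs LocalSystem and DirWritable true is the textbook target: the attacker does not need to touch the registry at all, only to write a file. Note that the ACL check inspects explicit ACEs on the path itself; it does not evaluate inheritance from parent directories or deny ACEs, so treat a hit as something to confirm with icacls rather than a verdict.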
Advanced Techniques
- Proxying/Sideloading: DLL proxying makes the malicious DLL forward every exported function to the renamed original, so the host application keeps working while the payload runs inside its process; sideloading places a legitimate, signed executable next to a malicious DLL carrying the name it loads from its own directory, so the payload runs under a trusted file's identity.
- Appcert DLLs, Appinit DLLs, Winlogon Helpers, Port Monitors, Print Processors: Registering a DLL in one of the lists the operating system loads automatically: AppCertDlls (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls, loaded into every process that calls CreateProcess), AppInit_DLLs (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, loaded into every process that loads user32.dll; requires LoadAppInit_DLLs=1 and is disabled when Secure Boot is on), the Winlogon Userinit and Shell values (run at every interactive logon), and port monitors and print processors (HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors and ...\Print\Environments\<arch>\Print Processors, loaded by the print spooler as SYSTEM). All of these require administrative rights to register and execute at boot or logon, before user-level tooling starts.
COM Manipulation
- Hijacking and Proxying: COM hijacking registers a server for an existing CLSID under HKCU\Software\Classes\CLSID\{clsid}\InprocServer32 (or LocalServer32). Because per-user entries take precedence over the HKLM registration for that user, any process in the session that instantiates the class loads the attacker's DLL, and no administrative rights are needed. Good targets are CLSIDs that Explorer, scheduled tasks or other trusted processes instantiate regularly. Proxying the hijacked class means the malicious server forwards the interface calls to the original server so the application keeps functioning.
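As an added detection example (not part of the original summary), the script below lists every per-user COM server registration and marks the ones that shadow a machine-wide registration of the same CLSID, which is the condition a hijack needs. Per-user servers without an HKLM counterpart are normal, because per-user applications register their own classes there; the shadowing ones are what to triage. The resolution of the server value to a file path is this example's own heuristic.

```powershell
# Added example (not from the original page). Reads only the current user's hive
# and HKLM, so it runs without elevation.

function Get-ShadowedComServer {
    $userClsidRoot = 'Registry::HKEY_CURRENT_USER\Software\Classes\CLSID'
    if (-not (Test-Path -Path $userClsidRoot)) { return }

    foreach ($key in Get-ChildItem -Path $userClsidRoot -ErrorAction SilentlyContinue) {
        $clsid = $key.PSChildName
        foreach ($serverKind in 'InprocServer32', 'LocalServer32') {
            $userKey = Join-Path -Path $key.PSPath -ChildPath $serverKind
            if (-not (Test-Path -Path $userKey)) { continue }
            $userServer = (Get-ItemProperty -Path $userKey -ErrorAction SilentlyContinue).'(default)'

            # The machine-wide registration this entry overrides, if any.
            $machineKey    = "Registry::HKEY_LOCAL_MACHINE\Software\Classes\CLSID\$clsid\$serverKind"
            $machineServer = $null
            if (Test-Path -Path $machineKey) {
                $machineServer = (Get-ItemProperty -Path $machineKey -ErrorAction SilentlyContinue).'(default)'
            }

            # Reduce the user-level value to a file path (strip quotes and arguments) and
            # check that it exists: a missing file is an abandoned or broken registration.
            $userImage = $null
            if ($userServer) {
                $trimmed = $userServer.Trim('"')
                $m = [regex]::Match($trimmed, '^(.*?\.(dll|exe))\b', 'IgnoreCase')
                $userImage = [Environment]::ExpandEnvironmentVariables($(if ($m.Success) { $m.Groups[1].Value } else { $trimmed }))
            }
            $userImageExists = [bool]($userImage -and (Test-Path -LiteralPath $userImage -ErrorAction SilentlyContinue))

            [pscustomobject]@{
                CLSID           = $clsid
                ServerKind      = $serverKind
                ShadowsHKLM     = [bool]$machineServer
                UserServer      = $userServer
                UserImageExists = $userImageExists
                MachineServer   = $machineServer
            }
        }
    }
}

Get-ShadowedComServer |
    Sort-Object ShadowsHKLM -Descending |
    Format-Table CLSID, ServerKind, ShadowsHKLM, UserImageExists, UserServer, MachineServer -AutoSize -Wrap
```

Rows with ShadowsHKLM true deserve a look at who owns the user-level DLL and when it was written; a shadowing entry whose image sits under %APPDATA% or %TEMP% is the usual shape of a hijack. The same comparison can be run against other users by loading their NTUSER.DAT hives, which an incident responder would do from an elevated session.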
Accessibility Features
- Replacing Binaries and Creating Symlinks: The accessibility helpers available on the logon screen (sethc.exe for Sticky Keys, utilman.exe for Win+U, osk.exe, Magnify.exe, Narrator.exe, DisplaySwitch.exe) are launched as SYSTEM before anyone logs on. Replacing one with cmd.exe, pointing a symbolic link of the same name at another binary, or registering a Debugger for it under Image File Execution Options yields a SYSTEM shell from the lock screen. Replacing the files requires taking ownership of System32 binaries protected by Windows Resource Protection, which is why the IFEO variant is the more common form.
Network and System Tools
- Bitsadmin: Creating a Background Intelligent Transfer Service job (bitsadmin.exe /create, /addfile, /SetNotifyCmdLine) that downloads a payload and runs a command when the transfer completes or fails. The BITS service keeps jobs across reboots and retries failed transfers for up to 90 days by default, and the transfer itself gives a low-profile channel for fetching tasking or exfiltrating data, which is why the tool is also used for command and control.
- Netsh Helper DLLs: Registering a DLL with netsh.exe add helper, which records it under HKLM\SOFTWARE\Microsoft\NetSh; netsh loads every registered helper each time it starts, so the payload runs whenever an administrator or a scheduled script invokes netsh. Requires administrative rights.
- Application Shimming: Installing a custom shim database (.sdb) with sdbinst.exe that applies compatibility fixes such as InjectDll or RedirectEXE to a chosen application, so the payload is loaded whenever that program starts. The database is registered under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom and \InstalledSDB.
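The block below is an added example and not code from the original page. It creates a BITS job with a notification command line as described in the Bitsadmin item, then enumerates every user's BITS jobs for such callbacks, which is the corresponding hunt. The job name, destination and callback command are assumptions, and the URL is a placeholder on the reserved .invalid domain that the reader must replace with a server they control.

```powershell
# Added example (not from the original page). bitsadmin.exe is deprecated but still
# ships with Windows; listing other users' jobs requires an elevated session.

$jobName = 'DemoBitsJob'                               # assumed job name
$url     = 'http://example.invalid/payload.bin'        # placeholder: replace with a reachable URL
$dest    = Join-Path $env:TEMP 'demo-bits.bin'
$log     = Join-Path $env:TEMP 'demo-bits.log'

bitsadmin.exe /create $jobName | Out-Null
bitsadmin.exe /addfile $jobName $url $dest | Out-Null
# Program and parameters the BITS service launches when the job changes state.
# Notify flags: 1 = on successful transfer, 2 = on fatal error (e.g. HTTP 404), 3 = both.
# A connection failure is a transient error: the job stays queued and BITS keeps
# retrying it (for up to 90 days by default), which is what carries it across reboots.
bitsadmin.exe /SetNotifyCmdLine $jobName 'cmd.exe' "/c echo bits-callback %DATE% %TIME% >> `"$log`"" | Out-Null
bitsadmin.exe /SetNotifyFlags $jobName 3 | Out-Null
bitsadmin.exe /resume $jobName | Out-Null

function Get-BitsCallbackJob {
    # Jobs that carry a notification command line. Ordinary download jobs
    # (Windows Update, browsers) normally have none.
    Import-Module BitsTransfer
    Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue |
        Where-Object { $_.NotifyCmdLine } |
        Select-Object JobId, DisplayName, OwnerAccount, JobState, CreationTime, NotifyCmdLine,
                      @{ n = 'RemoteFiles'; e = { ($_.FileList | ForEach-Object { $_.RemoteName }) -join ', ' } }
}

Get-BitsCallbackJob | Format-List

# Clean up the demo job.
bitsadmin.exe /cancel $jobName | Out-Null
```

The same data is visible without PowerShell through bitsadmin.exe /list /allusers /verbose, whose output includes a NOTIFICATION COMMAND LINE field per job. Because the job store lives with the BITS service rather than in an autorun registry key, this location is missed by tooling that only inventories the registry and startup folders.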
WMI, Active Setup, and IFEO
- WMI Subscription: Creating a permanent WMI event subscription in the root\subscription namespace, made of an __EventFilter (a WQL query such as "system uptime passed five minutes" or "a process with this name started"), an event consumer (CommandLineEventConsumer or ActiveScriptEventConsumer) and a __FilterToConsumerBinding that ties them together. The subscription lives in the WMI repository rather than on disk or in the autorun registry keys, its consumer runs as SYSTEM, and creating it requires administrative rights.
- Active Setup: Adding a key under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{GUID} with a StubPath command. At logon, Windows runs the StubPath once for each user whose HKCU copy of that key is missing or has a lower Version, then records the version under HKCU, so a single registration executes once per user on the machine. Requires administrative rights.
- Image File Execution Options (IFEO): Setting a Debugger value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<program.exe> makes Windows start that "debugger" with the program as its argument every time the program is launched; alternatively, setting GlobalFlag to 0x200 there together with a MonitorProcess value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\<program.exe> runs the monitor program whenever the target process exits.
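The block below is an added example, not code from the original page. It builds the three-part permanent WMI subscription described above (a filter that fires once per boot when the uptime counter passes five minutes, a CommandLineEventConsumer, and the binding), then shows the enumeration and removal a responder needs. The subscription name, the WQL window and the command are assumptions of this example.

```powershell
# Added example (not from the original page). Requires an elevated session;
# root/subscription is writable only by administrators.

$ns   = 'root/subscription'
$name = 'DemoUptimeSubscription'                                   # assumed subscription name
$cmd  = "cmd.exe /c echo wmi-fired %DATE% %TIME% >> `"$env:ProgramData\demo-wmi.log`""

# Intrinsic events on performance classes need a WITHIN polling interval. The
# counter is sampled every 60 s, so the 300..360 window matches exactly once per boot.
$query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 " +
         "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' " +
         "AND TargetInstance.SystemUpTime >= 300 AND TargetInstance.SystemUpTime < 360"

function New-WmiPersistence {
    $filter = New-CimInstance -Namespace $ns -ClassName __EventFilter -Property @{
        Name = $name; EventNamespace = 'root/cimv2'; QueryLanguage = 'WQL'; Query = $query
    }
    $consumer = New-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -Property @{
        Name = $name; CommandLineTemplate = $cmd
    }
    # Reference properties are passed as [ref] so the binding stores object paths.
    New-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -Property @{
        Filter = [ref]$filter; Consumer = [ref]$consumer
    }
}

function Get-WmiPersistence {
    # Every filter, consumer and binding in the namespace. A stock installation has
    # only the 'SCM Event Log Filter' -> 'SCM Event Log Consumer' pair.
    Get-CimInstance -Namespace $ns -ClassName __EventFilter |
        Select-Object @{ n = 'Kind'; e = { 'Filter' } }, Name, @{ n = 'Detail'; e = { $_.Query } }
    Get-CimInstance -Namespace $ns -ClassName __EventConsumer |
        Select-Object @{ n = 'Kind'; e = { $_.CimClass.CimClassName } }, Name,
                      @{ n = 'Detail'; e = { if ($_.CommandLineTemplate) { $_.CommandLineTemplate } else { $_.ScriptText } } }
    Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
        Select-Object @{ n = 'Kind'; e = { 'Binding' } }, @{ n = 'Name'; e = { $_.Filter.Name } },
                      @{ n = 'Detail'; e = { "-> $($_.Consumer.Name)" } }
}

function Remove-WmiPersistence([string]$SubscriptionName) {
    # Remove the binding first, then the filter and consumer it referenced.
    Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
        Where-Object { $_.Filter.Name -eq $SubscriptionName } | Remove-CimInstance
    Get-CimInstance -Namespace $ns -ClassName __EventFilter -Filter "Name='$SubscriptionName'" | Remove-CimInstance
    Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -Filter "Name='$SubscriptionName'" | Remove-CimInstance
}

New-WmiPersistence | Out-Null
Get-WmiPersistence | Format-Table -AutoSize -Wrap
Remove-WmiPersistence $name
```

When hunting, the consumer list is the shortest path: any CommandLineEventConsumer or ActiveScriptEventConsumer on a workstation is unusual enough to investigate, and its Detail column contains the command or script verbatim. WMI-Activity operational logging (event 5861 on current Windows releases) records new bindings at creation time.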
Time-Based and Visual Triggers
- Time Provider: Registering a DLL under HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\<name> with DllName and Enabled set to 1; the Windows Time service loads every enabled provider when it starts, so the DLL executes inside the W32Time service process at boot. Requires administrative rights.
- Screensaver: Pointing the SCRNSAVE.EXE value under HKCU\Control Panel\Desktop at a malicious executable (a .scr file is an ordinary PE) so that it launches, as the user, after ScreenSaveTimeOut seconds of inactivity; no administrative rights are needed.
Local Security Authority (LSA)
- Authentication Packages (authpkg), Security Support Providers (ssp), Password Filters: Adding a DLL name to the Authentication Packages, Security Packages or Notification Packages lists under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (a password filter goes into Notification Packages). lsass.exe loads the listed DLLs when it starts, so the code runs as SYSTEM and sees plaintext credentials at logon and on password changes. Requires administrative rights and normally a reboot; with LSA Protection (RunAsPPL) enabled, lsass loads only Microsoft-signed DLLs.
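Many of the mechanisms in this summary are a registry value or a file in a known place: the Run and RunOnce keys, startup folders and UserInitMprLogonScript under Startup Methods; the Winlogon, AppInit_DLLs, AppCertDlls, port monitor and print processor lists under Advanced Techniques; the netsh helper and shim database registrations under Network and System Tools; Active Setup StubPath and the IFEO Debugger and SilentProcessExit values; the W32Time providers and SCRNSAVE.EXE; and the LSA package lists. The block below is an added example, not code from the original page, that walks all of those locations with one routine and flags entries whose image does not resolve to an existing file under %SystemRoot% or Program Files. The location table and the heuristic are this example's own.

```powershell
# Added example (not from the original page). Run from an elevated PowerShell so the
# HKLM keys are readable; HKCU entries are those of the current user only.

$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

# Path may contain wildcards (one row per matching key); Names is '*' for all values.
$locations = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';                               Names = '*' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce';                           Names = '*' }
    @{ Path = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run';                   Names = '*' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';                               Names = '*' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce';                           Names = '*' }
    @{ Path = 'HKCU:\Environment';                                                                  Names = 'UserInitMprLogonScript' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';                       Names = 'Userinit', 'Shell' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows';                        Names = 'AppInit_DLLs', 'LoadAppInit_DLLs' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls';                Names = '*' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors\*';                           Names = 'Driver' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments\*\Print Processors\*';    Names = 'Driver' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\NetSh';                                                    Names = '*' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\*'; Names = 'DatabasePath' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\*';                      Names = 'StubPath' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*'; Names = 'Debugger', 'GlobalFlag' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\*';            Names = 'MonitorProcess' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\*';                   Names = 'DllName' }
    @{ Path = 'HKCU:\Control Panel\Desktop';                                                        Names = 'SCRNSAVE.EXE' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                                         Names = 'Authentication Packages', 'Security Packages', 'Notification Packages' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig';                               Names = 'Security Packages' }
)

function Resolve-ImagePath([string]$Raw) {
    # Reduce a command line or bare module name to the file that will be loaded.
    $s = [Environment]::ExpandEnvironmentVariables($Raw.Trim())
    if ($s.StartsWith('"')) {
        $end = $s.IndexOf('"', 1); if ($end -gt 1) { $s = $s.Substring(1, $end - 1) }
    } else {
        $m = [regex]::Match($s, '^(.*?\.(exe|dll|scr|sdb|cmd|bat|ps1|vbs|js))\b', 'IgnoreCase')
        $s = if ($m.Success) { $m.Groups[1].Value } else { ($s -split '\s+')[0] }
    }
    if ($s -notmatch '\.\w{2,4}$') { $s += '.dll' }                       # bare LSA / netsh module names
    if ($s -notmatch '[\\/]') { $s = Join-Path "$env:SystemRoot\System32" $s }  # bare names load from System32
    return $s
}

function Test-Suspicious([string]$Image) {
    # Flag images outside the trusted roots, or that do not exist on disk.
    if (-not $Image) { return $true }
    $trusted = $false
    foreach ($root in $trustedRoots) {
        if ($Image.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $trusted = $true }
    }
    return (-not $trusted) -or -not (Test-Path -LiteralPath $Image -ErrorAction SilentlyContinue)
}

function Get-AutostartEntry {
    foreach ($loc in $locations) {
        foreach ($key in Get-Item -Path $loc.Path -ErrorAction SilentlyContinue) {
            $names = if ($loc.Names -eq '*') { $key.GetValueNames() } else { $loc.Names }
            foreach ($n in $names) {
                $raw = $key.GetValue($n, $null, 'DoNotExpandEnvironmentNames')
                if ($null -eq $raw) { continue }
                foreach ($item in @($raw)) {              # REG_MULTI_SZ yields one row per element
                    $image = $null; $flag = $false
                    if ($item -is [string] -and $item.Trim()) { $image = Resolve-ImagePath $item; $flag = Test-Suspicious $image }
                    [pscustomobject]@{ Key = $key.Name; Value = $(if ($n) { $n } else { '(default)' }); Data = "$item"; Image = $image; Suspicious = $flag }
                }
            }
        }
    }
}

function Get-StartupFolderEntry {
    foreach ($folder in [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')) {
        Get-ChildItem -LiteralPath $folder -File -Force -ErrorAction SilentlyContinue |
            Where-Object Name -ne 'desktop.ini' | ForEach-Object {
                $target = $_.FullName
                if ($_.Extension -eq '.lnk') { $target = (New-Object -ComObject WScript.Shell).CreateShortcut($_.FullName).TargetPath }
                [pscustomobject]@{ Key = $folder; Value = $_.Name; Data = $target; Image = $target; Suspicious = (Test-Suspicious $target) }
            }
    }
}

$results = @(Get-AutostartEntry) + @(Get-StartupFolderEntry)
$results | Where-Object Suspicious | Format-Table Key, Value, Data -AutoSize -Wrap
"$($results.Count) entries examined, $(@($results | Where-Object Suspicious).Count) flagged"
```

Two blind spots are deliberate and worth knowing: a value such as rundll32.exe payload.dll,Entry resolves to the trusted host binary, so the Data column still has to be read, and DWORD values (LoadAppInit_DLLs, GlobalFlag) are listed but never flagged because the number itself is the finding (LoadAppInit_DLLs of 1, or GlobalFlag with 0x200 set, next to a MonitorProcess entry). Comparing a run of this script against a known-good baseline of the same build is more reliable than the path heuristic alone.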
Development and Version Control
- Vsprog and Git Hooks: Abusing developer tooling for execution: Git hooks are executable scripts in a repository's .git\hooks directory (pre-commit, post-checkout, post-merge and others) that Git runs on the matching command, so anyone who can write to a developer's local clone, or point core.hooksPath at a directory they control, gets code execution every time that developer commits or pulls. Hooks are not transferred by clone, which is why the attacker needs write access to the local repository or its configuration. Build and project files of development environments can likewise carry pre- and post-build commands that run whenever the project is built.