Runservices registry key windows 7

The following list of registry keys is accessed during system start, in the order in which the different Windows components use them:

Run your service as the LocalSystem account only if it needs nothing beyond what the computer account can reach on the network and genuinely requires local administrative rights. If it must access network resources under its own identity, create a domain service account, grant it access to just the resources it needs, and configure the service to run under that account. Do not hard-code that account's credentials into the service binary or an installer script: the password is handed to the Service Control Manager once, when the service is created (CreateService) or reconfigured (ChangeServiceConfig), and the SCM stores it, so the service itself never needs to carry it. On the local machine LocalSystem has administrative permissions to everything and has no password of its own.

The LocalSystem account is a predefined local account used by the service control manager. This account is not recognized by the security subsystem, so you cannot specify its name in a call to the LookupAccountName function. It has extensive privileges on the local computer, and acts as the computer on the network. The name of the account in all locales is. This account does not have a password. If you specify the LocalSystem account in a call to the CreateService or ChangeServiceConfig function, any password information you provide is ignored.
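As an added example (not from the original page or from Microsoft's documentation), the PowerShell below installs a service under a dedicated domain account instead of LocalSystem and then reads back what the Service Control Manager recorded. The service name, binary path and account name are assumptions; the password is entered at the prompt and handed to the SCM, so it appears neither in the binary nor in the script.

```powershell
# Added example: register a service under a least-privilege domain account.
# Service name, binary path and account name are assumptions for illustration.
$ServiceName = 'UpdaterSvc'
$BinaryPath  = 'C:\Program Files\Updater\updater.exe'
$AccountName = 'CORP\svc_updater'

# Prompt for the account's password. New-Service passes it to the SCM, which
# stores it as an LSA secret; nothing in the service binary needs to know it.
$cred = Get-Credential $AccountName

# Quote the path: a space in "Program Files" in an unquoted service path is
# the classic search-order hijack.
New-Service -Name $ServiceName `
            -DisplayName 'Updater Service' `
            -BinaryPathName "`"$BinaryPath`"" `
            -StartupType Automatic `
            -Credential $cred | Out-Null

# The account also needs the "Log on as a service" user right, which
# New-Service does not grant. Assign it through Local Security Policy or
# Group Policy before starting the service, or the start fails with a logon error.

# Confirm what the SCM recorded for the service. A service installed without
# -Credential runs as LocalSystem and shows StartName = LocalSystem here.
Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'" |
    Select-Object Name, StartName, StartMode, PathName
```

Run it from an elevated PowerShell. If the same New-Service call is made without -Credential, the service runs as LocalSystem and, as the documentation above says, any password supplied in that case is ignored.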

Asked 5 years, 11 months ago. Active 2 years, 11 months ago. Viewed 9k times.

I have an application that updates software on the local machine. Where is this key located? How do I use it, are there any optional parameters? How do I determine the user that the application is run as? Is it run by the user that created the key? If a LocalSystem service creates the key, will it be run as LocalSystem?
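The question above asks which user a Run-key entry executes as. The simplest way to find out is to let the entry report its own identity. The PowerShell below is an added experiment, not part of the original post: it registers such a probe under the machine-wide Run key and, for comparison, under RunServices. Paths and value names are assumptions. What it demonstrates: values under HKLM\...\Run are executed at every interactive logon in the context of the user logging on, not of the account that wrote them (a LocalSystem service that writes the value does not make the entry run as LocalSystem), while the RunServices keys are a Windows 9x mechanism that the NT line, Windows 7 included, does not process.

```powershell
# Added example, not part of the original question: install a probe under the
# machine-wide Run key and under RunServices so the next logon records which
# account each entry actually executes as. Paths and names are assumptions.
# Run elevated; the cleanup line at the end removes the entries again.
$ProbeDir = "$env:ProgramData\runkey-probe"
$ProbeCmd = Join-Path $ProbeDir 'probe.cmd'
New-Item -ItemType Directory -Path $ProbeDir -Force | Out-Null

# The probe appends the identity it runs as to a log under %TEMP%. %TEMP%
# expands in the context of whoever launched the probe, so the log lands in
# that user's profile, not in the profile of the admin who wrote the value.
# %~1 is the key name passed as the first argument (see Set-ItemProperty below).
@'
@echo off
>> "%TEMP%\runkey-probe.log" echo %DATE% %TIME% key=%~1 user=%USERDOMAIN%\%USERNAME% session=%SESSIONNAME%
'@ | Set-Content -Path $ProbeCmd -Encoding Ascii

$Base = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'
$Keys = @{
    'Run'         = "$Base\Run"           # processed at every interactive logon
    'RunServices' = "$Base\RunServices"   # Windows 9x key, not processed by the NT line
}
foreach ($name in $Keys.Keys) {
    $path = $Keys[$name]
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    # Quote the command path; pass the key name so the log shows which entry fired.
    Set-ItemProperty -Path $path -Name 'RunKeyProbe' -Value "`"$ProbeCmd`" $name"
}

# After logging on as any user, read that user's %TEMP%\runkey-probe.log:
#   - the line tagged key=Run carries the logging-on user's name, whoever
#     wrote the value;
#   - no line tagged key=RunServices appears on Windows 7.

# Cleanup when the experiment is over:
# foreach ($p in $Keys.Values) { Remove-ItemProperty -Path $p -Name 'RunKeyProbe' -ErrorAction SilentlyContinue }
```

The same probe written under HKCU\...\Run fires only for the user whose hive it sits in, which is the other half of the answer: the hive, not the writer, decides whose logon triggers the entry.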

The procedure examples, mitigation note and detection guidance that follow are taken from the MITRE ATT&CK entry for Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001).

Avaddon uses registry run keys for persistence. BabyShark has added a Registry key to ensure all future macros are enabled for Microsoft Word and Excel as well as for additional persistence.

Oldrea adds Registry Run keys to achieve persistence. BadPatch establishes a foothold by adding a link to the malware executable in the startup folder. Bazar can create or add files to Registry Run Keys to establish persistence. Briba creates run key Registry entries pointing to malicious DLLs dropped to disk.

Carbanak stores a configuration files in the startup directory to automatically execute commands in order to persist across reboots. Carberp has maintained persistence by placing itself inside the current user's startup folder.

ChChes establishes persistence by adding a Registry Run key. Cobalt Group has used Registry Run keys for persistence. The group has also set a Startup path to launch the PowerShell shell command and download Cobalt Strike. Cobian RAT creates an autostart Registry key to ensure persistence. Comnie achieves persistence by adding a shortcut of itself to the startup path in the Registry. Conficker adds Registry Run keys to establish persistence. Crimson can add Registry run keys for persistence.

DarkComet adds several Registry entries to enable automatic execution at every system startup. Darkhotel has been known to establish persistence by adding programs to the Run Registry key.

Dragonfly 2. If establishing persistence by installation as a new service fails, one variant of Elise establishes persistence for the created. Variants of Emissary have added Run Registry keys to establish persistence. EvilGrab adds a Registry Run key for ctfmon. Final1stspy creates a Registry Run key to establish persistence.

Gamaredon Group tools have registered Run keys in the registry to give malicious VBS files persistence. Gazer can establish persistence by creating a. Gold Dragon establishes persistence in the Startup folder. Gorgon Group malware can create a. Grandoreiro can use run keys and create link files in the startup folder for persistence. GrimAgent can set persistence with a Registry run key. Hancitor has added Registry Run keys to establish persistence. Helminth establishes persistence by creating a shortcut in the Start Menu folder.

Hi-Zor creates a Registry Run key to establish persistence. Higaisa added a spoofed binary to the start-up folder for persistence. Honeybee uses a batch file that configures the ComSysApp service to autostart in order to establish persistence. IcedID has established persistence by creating a Registry run key. InvisiMole can place a lnk file in the Startup Folder to achieve persistence. JCry has created payloads in the Startup directory to maintain persistence.

Kasidet creates a Registry Run key to establish persistence. Kazuar adds a sub-key under several Registry run keys. Several Ke3chang backdoors achieved persistence by adding a Run key. Kimsuky has placed scripts in the startup folder for persistence.

Lazarus Group malware attempts to maintain persistence by saving itself in the Start menu folder or by adding a Registry Run key. Leviathan has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoor. LookBack sets up a Registry Run key to establish a persistence mechanism. Machete used the startup folder for persistence.

Magic Hound malware has used Registry Run keys to establish persistence. MarkiRAT can drop its payload into the Startup directory to ensure it automatically runs when the compromised system is started. Matryoshka can establish persistence by adding Registry Run keys. LNK files in the startup folder to achieve persistence. MoleNet can achieve persistence on the infected machine by setting the Registry run key. Molerats saved malicious files within the AppData and Startup folders to maintain persistence.

Naikon has modified a victim's Windows Run registry to establish persistence. NavRAT creates a Registry key to ensure a file gets executed upon reboot in order to establish persistence. Nebulae can achieve persistence through a Registry Run key. ObliqueRAT can gain persistence by creating a shortcut in the infected user's Startup directory.

Octopus achieved persistence by placing a malicious executable in the startup directory. Okrum establishes persistence by creating a. Patchwork has added the path of its second-stage malware to the startup folder to achieve persistence. One of its file stealers has also persisted by adding a Registry Run key. Pisloader establishes persistence via a Registry Run key. PlugX adds Run key entries in the Registry to establish persistence. PoetRAT has added a registry key in the hive for persistence.

PoisonIvy creates run key Registry entries pointing to a malicious executable dropped to disk. PowerDuke achieves persistence by using various Registry Run keys. PowerShower sets up persistence with a Registry run key. Pteranodon copies itself to the Startup folder to establish persistence. QakBot can maintain persistence by creating an auto-run Registry key. Ramsay has created Registry Run keys to establish persistence. Reaver creates a shortcut file and saves it in a Startup folder to establish persistence.

RedLeaves attempts to add a shortcut file in the Startup folder to achieve persistence. If this fails, it attempts to add Registry Run keys. RogueRobin created a shortcut in the Windows startup folder to launch a PowerShell script each time the user logs in to establish persistence. S-Type may create a. SDBbot has the ability to add a value to the Registry Run key to establish persistence if it detects it is running with regular user privilege.

SeaDuke is capable of persisting via the Registry Run key or a. SharpStage has the ability to create persistence for the malware using the Registry autorun key and startup folder. Sidewinder has added paths to executables in the Registry to establish persistence. Smoke Loader adds a Registry Run key for persistence and adds a script in the Startup folder to deploy the payload.

Sykipot has been known to establish persistence by adding programs to the Run Registry key. TeamTNT has added batch scripts to the startup folder. TinyZBot can create a shortcut in the Windows startup folder for persistence. TrickBot establishes persistence in the Startup folder. Karagany can create a link to itself in the Startup folder to automatically start itself upon system restart. Tropic Trooper has created shortcuts in the Startup folder to establish persistence.

Truvasys adds a Registry Run key to establish persistence. Turian can establish persistence by adding Registry Run keys. Additionally, a Turla custom executable containing Metasploit shellcode is saved to the Startup folder to gain persistence.

Ursnif has used Registry Run keys to establish automatic execution at system startup. Vasport copies itself to disk and creates an associated run key Registry entry to establish. Windshift has created LNK files in the Startup folder to establish persistence.

Xbash can create a Startup item for persistence if it determines it is on a Windows system. Zebrocy creates an entry in a Registry Run key for the malware to execute on startup.

Zeus Panda adds persistence by creating Registry Run keys.

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Monitor Registry for changes to run keys that do not correlate with known software, patch cycles, etc. Monitor the start folder for additions or changes. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the run keys' Registry locations and startup folders. Changes to these locations typically happen under normal conditions when legitimate software is installed.

To increase confidence of malicious activity, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.
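One way to act on this guidance without third-party tooling is to keep a baseline of the Run keys and Startup folders and diff it periodically. The PowerShell below is an added example (not from the original page or from MITRE ATT&CK); the baseline path is an assumption, and the script sticks to Windows PowerShell 2.0 constructs so it runs on an unmodified Windows 7 install.

```powershell
# Added example (not from the original page or from MITRE ATT&CK): snapshot the
# Run-key and Startup-folder autostart locations and diff them against a saved
# baseline. The baseline path is an assumption. Windows PowerShell 2.0 compatible.
$BaselinePath = "$env:ProgramData\autostart-baseline.xml"

# Registry autostart locations. The HKCU keys cover the user running the script;
# to audit other users, iterate HKEY_USERS or load their hives. RunServices* are
# included for completeness even though the NT line does not execute them.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Startup folders: the all-users one and the current user's one.
$StartupDirs = @(
    [Environment]::GetFolderPath('CommonStartup'),
    [Environment]::GetFolderPath('Startup')
)

function Get-AutostartEntries {
    $entries = @()
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSDrive/... metadata Get-ItemProperty adds
            # (a real value whose name starts with PS would be skipped too).
            if ($p.Name -like 'PS*') { continue }
            $entries += New-Object PSObject -Property @{
                Location = $key; Name = $p.Name; Value = [string]$p.Value
            }
        }
    }
    foreach ($dir in $StartupDirs) {
        if (-not (Test-Path $dir)) { continue }
        # -Force so hidden files are not missed; skip subdirectories.
        foreach ($f in (Get-ChildItem -Path $dir -Force | Where-Object { -not $_.PSIsContainer })) {
            $entries += New-Object PSObject -Property @{
                Location = $dir; Name = $f.Name; Value = $f.FullName
            }
        }
    }
    return $entries
}

$current = @(Get-AutostartEntries)

if (-not (Test-Path $BaselinePath)) {
    # First run on a known-clean machine: record the current state.
    $current | Export-Clixml -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath ($($current.Count) entries)"
    return
}

$baseline = @(Import-Clixml -Path $BaselinePath)
if ($baseline.Count -eq 0 -or $current.Count -eq 0) {
    # Compare-Object rejects an empty reference set; an empty snapshot is itself suspicious.
    Write-Output 'Baseline or current snapshot is empty; review manually.'
    return
}

# Compare on all three fields so a value whose target path changed is flagged
# even though its name did not.
$diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $current `
                       -Property Location, Name, Value

if (-not $diff) { Write-Output 'No autostart changes since baseline.' }
foreach ($d in $diff) {
    $tag = if ($d.SideIndicator -eq '=>') { 'NEW' } else { 'REMOVED' }
    Write-Output ('{0,-8} {1}\{2} -> {3}' -f $tag, $d.Location, $d.Name, $d.Value)
}
```

Run it once on a known-clean machine to write the baseline, then on a schedule or during triage. Every NEW line is a candidate for the correlation with Command and Control, Discovery and Lateral Movement activity that the text recommends; check it against the patch and software-installation history before calling it malicious. Sysinternals Autoruns covers many more autostart locations and can verify code signatures; this script covers only the locations the text names.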
