Persistence

Windows:

  1. Standard ways, which most antivirus products are likely to detect:
    1. Under the key ‘HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run’ add a string (REG_SZ) value; the value name is arbitrary and the data is the command line of your exe. Entries under HKLM run at logon of any user and need administrator rights to write; the same key under HKCU runs only for that user and needs no elevation.
    2. The ‘Shell’ value under the key ‘HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon’ is a REG_SZ whose default data is ‘explorer.exe’. Append your exe as a second, comma-separated entry (‘explorer.exe, C:\path\to\evil.exe’) and Winlogon launches it at logon, immediately after explorer.exe. Keep explorer.exe in place; if it is replaced rather than appended the user gets no desktop, which is noticed quickly.
    3. On Windows 7+ place a file (or a shortcut to it) under ‘C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup’ and it runs at logon of any user. On Windows XP: ‘C:\Documents and Settings\All Users\Start Menu\Programs\Startup’.
    4. On Windows 7+ place it under ‘C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup’ and it runs only at that user’s logon. On Windows XP: ‘C:\Documents and Settings\%USERNAME%\Start Menu\Programs\Startup’.
  2. Less standard ways:
    1. Port monitor DLL. Create a new subkey with an arbitrary name under ‘HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors’ and give it a string value named ‘Driver’ whose data is the file name of your DLL, e.g. ‘Monitors\MyMon\Driver = evil.dll’. The Print Spooler service (spoolsv.exe) loads every registered monitor DLL as SYSTEM when the service starts, so the DLL runs at every boot without any user logging on. The built-in monitors are registered by bare file name and the spooler resolves them from C:\Windows\System32, so the DLL must be placed there. Each subkey holds one DLL; to load several DLLs add several subkeys. Writing under HKLM and into System32 requires administrator rights, and the DLL is picked up on the next spooler start (service restart or reboot). The installed monitors are shown in the Sysinternals Autoruns tool under the “Print Monitors” tab.
      1. https://www.youtube.com/watch?v=GbppskJ5FU4
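As an added example (not from the original post), the following PowerShell audits the locations listed above on the local machine from the defender’s side: it enumerates the Run keys, the Winlogon ‘Shell’ value, the Startup folders and the registered print monitors, and flags a non-default Shell and any monitor whose Driver DLL is not in an assumed baseline, is missing from System32, or is not validly signed. It goes slightly beyond the text in two places: it also reads the HKCU Run key and it walks every profile’s Startup folder, not only the current user’s. The function names, the record layout and the baseline list of stock monitor DLLs are this example’s own assumptions; run it elevated so HKLM and other users’ profiles are readable.

```powershell
# Added example (not code from the original page): enumerate the persistence
# locations discussed above and report what is registered there. Read-only.

function Get-RunKeyEntries {
    # Each value under these keys is one autostart: the value name is arbitrary,
    # the data is the command line that runs at logon.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',   # any user's logon
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'    # current user only
    )
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are provider metadata
            [pscustomobject]@{ Kind = 'RunKey'; Location = $key; Name = $p.Name; Value = $p.Value; Flag = '' }
        }
    }
}

function Get-WinlogonShell {
    # 'Shell' is a REG_SZ value under the Winlogon key; stock data is exactly 'explorer.exe'.
    # Anything appended after a comma is launched by Winlogon right after explorer.exe.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    $flag = if ($null -eq $shell) { 'Shell value missing' }
            elseif ($shell.Trim() -ieq 'explorer.exe') { '' }
            else { 'non-default Shell' }
    [pscustomobject]@{ Kind = 'Winlogon'; Location = $key; Name = 'Shell'; Value = $shell; Flag = $flag }
}

function Get-StartupFolderEntries {
    # All-users Startup folder plus every profile's per-user folder (Windows 7+ layout).
    $folders = @([Environment]::GetFolderPath('CommonStartup'))
    $folders += Get-ChildItem -Path (Join-Path $env:SystemDrive 'Users') -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' }
    foreach ($folder in $folders) {
        if (-not (Test-Path -Path $folder)) { continue }
        foreach ($file in Get-ChildItem -Path $folder -File -Force) {
            if ($file.Name -ieq 'desktop.ini') { continue }   # present by default, not an autostart
            [pscustomobject]@{ Kind = 'StartupFolder'; Location = $folder; Name = $file.Name
                               Value = $file.LastWriteTime; Flag = '' }
        }
    }
}

function Get-PrintMonitorEntries {
    # Each subkey is one monitor; its 'Driver' value names a DLL that spoolsv.exe
    # loads as SYSTEM at service start. Stock entries are bare file names in System32.
    $root     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors'
    $system32 = Join-Path $env:SystemRoot 'System32'
    # Assumed baseline of monitor DLLs shipped with a stock Windows client build;
    # adjust it for the image you audit. Comparison is case-insensitive.
    $baseline = @('localspl.dll', 'tcpmon.dll', 'usbmon.dll', 'WSDMon.dll', 'lprmon.dll', 'pjlmon.dll', 'APMon.dll')
    foreach ($sub in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $driver = (Get-ItemProperty -Path $sub.PSPath -Name Driver -ErrorAction SilentlyContinue).Driver
        if ([string]::IsNullOrWhiteSpace($driver)) { continue }
        $dll   = if ([IO.Path]::IsPathRooted($driver)) { $driver } else { Join-Path $system32 $driver }
        $flags = @()
        if ($driver -match '[\\/]')           { $flags += 'Driver is a path, stock entries are file names' }
        if ($baseline -notcontains $driver)   { $flags += 'not in baseline' }
        if (-not (Test-Path -LiteralPath $dll)) { $flags += 'DLL not found' }
        elseif ((Get-AuthenticodeSignature -FilePath $dll).Status -ne 'Valid') { $flags += 'unsigned or invalid signature' }
        [pscustomobject]@{ Kind = 'PrintMonitor'; Location = $sub.Name; Name = $sub.PSChildName
                           Value = $driver; Flag = ($flags -join '; ') }
    }
}

function Invoke-PersistenceAudit {
    @(Get-RunKeyEntries; Get-WinlogonShell; Get-StartupFolderEntries; Get-PrintMonitorEntries)
}

Invoke-PersistenceAudit | Sort-Object Kind, Location | Format-Table -AutoSize -Wrap
```

Entries with an empty Flag column are not necessarily clean; the Run keys and Startup folders have no fixed default, so those rows are listed for review rather than judged. A populated Flag on the Winlogon or PrintMonitor rows is worth following up immediately, since both load at logon or boot with no user action and the monitor case runs as SYSTEM.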

Unix Based:
