Registry Persistence Detection || TryHackMe WalkThrough

Task 1 Intro
One crucial step that malware takes upon successful execution on a target machine is to ensure that it can stay there even after a reboot or a removal attempt. This is possible using various techniques, collectively called “malware persistence mechanisms”.
This room will give you an overview of these techniques and introduce a tool that can help detect them and aid in removal.
Learning Objectives
- Learn how malware persists in a machine
- Learn how malware uses the Registry as a persistence mechanism
- Learn how to use the AutoRuns PowerShell module to detect and remediate persistence mechanisms
Task 2 Intro to Malware Persistence Mechanisms
The term “malware persistence” can be defined as:
“Behaviors that enable malware to remain on a system regardless of system events, such as reboots.”
There are multiple ways malware can gain persistence —
- The technique varies depending on
- The target OS
- Ease of implementation
- Level of stealthiness
- Or based on the preference of the author of the malware
- Examples of these techniques would be modifying an operating system’s boot sector, installing malicious configurations, or hijacking execution flow.
In Windows, the most common and easiest-to-implement technique is the abuse of Windows Registry Run keys.
- The Windows Registry is a database of low-level operating system and application settings
- The Run keys are specific keys within the Registry that contain a path that runs every time a user logs on; they are listed below —
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run — Run path when the current user logs in
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run — Run path when any user logs in
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce — Run path when the current user logs in, then delete
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce — Run path when any user logs in, then delete
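The four keys above can be checked by hand in regedit, but a short script makes the check repeatable. The following is an added example, not code from the TryHackMe room: it lists every value under the Run and RunOnce keys and flags the ones a defender would look at first, such as a payload living in a user-writable directory or a script run through an interpreter. The `$userWritable` and `$scriptExt` heuristics are assumptions chosen for illustration, not a complete rule set.

```powershell
# Added example (not part of the TryHackMe room): triage the Run/RunOnce keys described above.
# The heuristics ($userWritable, $scriptExt) are assumptions chosen for illustration.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Installers normally place auto-start binaries under Program Files; a payload in a
# user-writable directory, or a script handed to an interpreter, deserves a closer look.
$userWritable = @('\AppData\', '\Temp\', '\Downloads\', '\Users\Public\', '\ProgramData\')
$scriptExt    = @('.bat', '.cmd', '.vbs', '.js', '.ps1', '.hta')

function Get-ExecutablePath {
    # Reduce a Run value's data ("C:\x\y.exe" /arg or C:\x\y.exe /arg) to the file path.
    param([string]$Data)
    $expanded = [Environment]::ExpandEnvironmentVariables($Data)
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }
    return ($expanded -split '\s+')[0]
}

function Get-RunKeyEntry {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $regKey = Get-Item -LiteralPath $key
        # GetValueNames() reports the "(Default)" value as an empty string when it is set,
        # which is exactly the entry the Task 2 questions ask about.
        foreach ($name in $regKey.GetValueNames()) {
            $data = [string]$regKey.GetValue($name)
            $exe  = Get-ExecutablePath $data
            $displayName = if ($name -eq '') { '(Default)' } else { $name }
            $reasons = @()
            foreach ($dir in $userWritable) {
                if ($exe -like "*$dir*") { $reasons += 'user-writable path'; break }
            }
            foreach ($ext in $scriptExt) {
                if ($exe.ToLower().EndsWith($ext)) { $reasons += 'script payload'; break }
            }
            if ($exe -and -not (Test-Path -LiteralPath $exe)) { $reasons += 'target missing on disk' }
            [pscustomobject]@{
                Key        = $key
                Name       = $displayName
                Data       = $data
                Suspicious = ($reasons.Count -gt 0)
                Reason     = ($reasons -join '; ')
            }
        }
    }
}

Get-RunKeyEntry | Sort-Object Suspicious -Descending |
    Format-Table Key, Name, Data, Reason -AutoSize -Wrap
```

Run it from an elevated PowerShell so the HKLM keys are readable on a locked-down host. An entry such as a `(Default)` value pointing at a `.bat` file under `AppData\Local` would be flagged for two reasons at once, which is the kind of finding the questions below describe.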
Q 1. What is the value “Name” of the suspicious registry entry that runs during startup? Include the parenthesis.
Answer: (Default)
Q 2. What is the value “Data” of the suspicious registry entry that runs during startup?
Answer: C:\Users\Administrator\AppData\Local\bd84\24d9.bat

Q 3. What string is displayed on the console when the suspicious file runs?
Answer: pleaseletmepersist

Task 3 Intro to the AutoRuns PowerShell Module
- Detection of persistence is possible by checking the keys manually
- However, other keys can also be used to gain persistence, and they are not obvious
- There are tools that can help with detection; Autoruns checks all possible locations where a program can automatically run on startup
- For this room, the AutoRuns PowerShell module will be used
- Advantages of the PowerShell module over the original tool: it allows you to leverage PowerShell scripting, and it has a baseline feature for comparing the current snapshot to previous ones
- The module is already installed on the Windows machine
- To use it, open PowerShell in Administrator mode by clicking on the PowerShell icon on the Windows Taskbar at the bottom of the screen

Screenshot References for the questions above —
Task 4 Filtering AutoRuns Entries
- The Get-PSAutorun command will list all the possible auto-start mechanisms available on the machine
- It makes this list by looking at the categories like the Registry, Windows Services, WMI entries, DLL hijacking and more
- This might cause a lot of output in the form of text on the terminal and must be filtered in order to analyze it
PS C:\> Get-PSAutorun
Path : HKLM:\System\CurrentControlSet\Control\Session Manager
Item : BootExecute
Category : Boot Execute
Value : autocheck autochk *
ImagePath : C:\Windows\system32\autochk.exe
Size : 956416
LastWriteTime : 11/6/2022 4:24:46 AM
Version : 10.0.17763.1697
Path : HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects
Item : {003e0278-eca8-4bb8-a256-3689ca1c2600}
Category : Explorer
Value : C:\Windows\system32\shell32.dll
ImagePath : C:\Windows\system32\shell32.dll
Size : 22153696
LastWriteTime : 11/6/2022 4:25:16 AM
Version : 10.0.17763.1911
Path : HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects
Item : {3BF043EF-A974-49B3-8322-B853CF1E5EC5}
Category : Explorer
Value : C:\Windows\System32\SndVolSSO.dll
ImagePath : C:\Windows\System32\SndVolSSO.dll
Size : 823808
LastWriteTime : 11/6/2022 4:25:22 AM
Version : 10.0.17763.652
...
- Piping the result of the command above to the Out-GridView cmdlet can make the output more readable
PS C:\> Get-PSAutorun | Out-GridView
The above command will open a new window showing the following output:

Note: Wait for a couple of minutes for the tool to finish populating the results
- The results above list all possible places a program can run on start-up
- The results can be filtered by specifying keywords in the “Filter” bar at the top of the window
- The results can also be sorted by clicking the column headers
PS C:\> Get-Help Get-PSAutorun -detailed
- BootExecute: https://research.splunk.com/endpoint/eabbac3a-45aa-4659-920f-6b8cff383fb8/
- PrintMonitorDLLS: https://www.varonis.com/blog/how-to-use-autoruns
- VerifyDigitalSignature: https://github.com/p0w3rsh3ll/AutoRuns/blob/master/README.md#Install

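Out-GridView is convenient for a first look, but a scripted filter is what you would keep in an investigation notebook. The block below is an added example and is not code from the room or from the AutoRuns module's own documentation. `-VerifyDigitalSignature` and the `IsOSBinary` property appear in the room; the `-Logon` and `-ShowFileHash` switches and the `Signed`, `Publisher` and `SHA256` property names are assumptions about the module's output, and the `$SuspectDirs` list is an illustrative choice.

```powershell
# Added example (not from the room or the AutoRuns module docs): reduce Get-PSAutorun output
# to the entries an analyst should read first, then keep an evidence copy.
# Assumed: -Logon, -ShowFileHash, and the Signed/Publisher/SHA256 properties.
Import-Module AutoRuns

function Get-AutorunFinding {
    param(
        # Directories from which a legitimate auto-start entry is unusual (assumed list).
        [string[]]$SuspectDirs = @('\\AppData\\', '\\Temp\\', '\\Users\\Public\\', '\\ProgramData\\')
    )
    $pattern = $SuspectDirs -join '|'
    Get-PSAutorun -Logon -VerifyDigitalSignature -ShowFileHash |
        Where-Object { -not $_.IsOSBinary } |                                   # OS binaries are noise here
        Where-Object { -not $_.Signed -or $_.ImagePath -match $pattern } |      # unsigned or oddly placed
        Select-Object Category, Path, Item, Value, ImagePath, Signed, Publisher, SHA256, LastWriteTime
}

$findings = Get-AutorunFinding
$findings | Sort-Object LastWriteTime -Descending |
    Format-Table Item, ImagePath, Signed, LastWriteTime -AutoSize

# Evidence copy plus a de-duplicated hash list for later threat-intel lookups.
$stamp = Get-Date -Format 'yyyyMMddHHmmss'
$findings | Export-Csv -NoTypeInformation -Path (Join-Path $HOME "Documents\autoruns-findings-$stamp.csv")
$findings | Where-Object { $_.SHA256 } | Select-Object -ExpandProperty SHA256 -Unique |
    Set-Content -Path (Join-Path $HOME "Documents\autoruns-hashes-$stamp.txt")
```

The two `Where-Object` stages implement the same idea as the grid view's Filter bar, but in a form that can be re-run after remediation to confirm the entry is gone. Sorting on `LastWriteTime` puts the most recently modified entries first, which is usually where a fresh persistence entry sits.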
Task 5 Comparing to a Baseline
- While filtering via parameter switches helps reduce the output, there is still a lot to go through
- This is where the baseline creation and comparison feature of the AutoRuns PowerShell module is helpful, as only the entries that differ from the baseline are shown in the results
- After creating this room’s machine, a baseline file was generated and saved in the ~/Documents folder. This file serves as a snapshot of the Registry before the malware ran

- To check what Registry keys were changed, a new baseline file needs to be created using the New-AutoRunsBaseLine function
PS C:\> Get-PSAutorun -VerifyDigitalSignature |
>> Where { -not($_.isOSbinary)} |
>> New-AutoRunsBaseLine -Verbose
Note: Generating a new baseline file using the code above will take a few minutes. So please be patient.
When done, the new baseline file is added to the ~/Documents folder

The two baseline files can now be compared using the following command:
PS C:\> Compare-AutoRunsBaseLine -Verbose | Out-GridView
Note: Make sure there are always two baseline files in the ~/Documents folder when comparing. Delete the other files you do not need to avoid confusion.
Creating a new baseline to compare with the baseline that was created at the start of the lab:
PS C:\Users\Administrator> Get-PSAutorun -VerifyDigitalSignature | Where {-not($_.isOSbinary)} | New-AutoRunsBaseLine -Verbose
VERBOSE: PSAutoRunsBaseLine ~/Documents/PSAutoRunsBaseLine-20231011070107.ps1 successfully created
PS C:\Users\Administrator> Compare-AutoRunsBaseLine -Verbose | Out-GridView
VERBOSE: Reference file set to C:\Users\Administrator\Documents\PSAutoRunsBaseLine-20221106123440.ps1
VERBOSE: Difference file set to C:\Users\Administrator\Documents\PSAutoRunsBaseLine-20231011070107.ps1
PS C:\Users\Administrator>
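The note about keeping exactly two baseline files is easy to get wrong after a few iterations. The following is an added example, not code from the room: it archives every baseline except the oldest (the clean, pre-infection snapshot), takes a fresh one with the same pipeline the room uses, runs the comparison and saves the result. The file-name pattern and the fact that the comparison reads the two files from the Documents folder are taken from the room's output; the archive folder name and the `SideIndicator` column (the module is assumed to build on Compare-Object) are assumptions.

```powershell
# Added example (not from the room): baseline hygiene, snapshot, compare, export.
# Assumed: baseline-archive folder name; SideIndicator column on the comparison output.
Import-Module AutoRuns
$docs    = Join-Path $HOME 'Documents'
$archive = Join-Path $docs 'baseline-archive'
New-Item -ItemType Directory -Path $archive -Force | Out-Null

# 1. Keep only the oldest baseline (the clean reference) in Documents; archive the rest
#    instead of deleting them so earlier comparisons can still be reproduced.
$baselines = Get-ChildItem -Path $docs -Filter 'PSAutoRunsBaseLine-*.ps1' | Sort-Object Name
$baselines | Select-Object -Skip 1 | Move-Item -Destination $archive

# 2. Fresh snapshot of non-OS autoruns, same pipeline as the room.
Get-PSAutorun -VerifyDigitalSignature |
    Where-Object { -not $_.IsOSBinary } |
    New-AutoRunsBaseLine -Verbose

# 3. Compare. Entries marked '=>' exist only in the new snapshot, i.e. they were added
#    after the clean baseline and are the persistence candidates to investigate.
$diff  = Compare-AutoRunsBaseLine -Verbose
$added = $diff | Where-Object { $_.SideIndicator -eq '=>' }
"{0} entries differ from the baseline, {1} newly added" -f @($diff).Count, @($added).Count
$added | Select-Object Category, Item, Value, ImagePath, LastWriteTime | Format-Table -AutoSize

$stamp = Get-Date -Format 'yyyyMMddHHmmss'
$diff | Export-Csv -NoTypeInformation -Path (Join-Path $docs "autoruns-diff-$stamp.csv")
```

Because the oldest file is always kept as the reference, each run compares the current state against the original clean snapshot rather than against the previous run, so an entry that survived a removal attempt keeps showing up until it is actually gone.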
