Summary
Keywords
Full Transcript
In this full series we will talk about Incident Response and it will be a Free Training Course for everyone. Today is Day-17 and today we are going to cover Top Persistence Mechanism used by Malwares. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code. While we check the MITRE Framework it comes under- TA0003. For the details about this tactic, you can check out this- https://attack.mitre.org/tactics/TA0003/ In this Episode, we will focus on Windows specific way the most common techniques used in this tactic. Not only theory, I will also show how can you identify them from a system, what are the easy processes to capture them in timely manner. And we will also cover some memory forensics techniques, by which we can uncover Autostart Extensibility Points (AESPs) So watch the episode full, if you want to learn doing triage quick yet detailed manner. ✅Most useful Reg keys: ------------------------------------------------------------------------------------------------------------------------- ☸Run/RunOnce keys User Level- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ☸System Level- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ☸BootExecute key- userinit key- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Notify Key- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify Explorer.exe- HKEY_LOCAL_MACHINE\SOFTWARE\MicrosoftWindows NT\CurrentVersion\Winlogon\Shell ☸Startup Keys- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell ☸Start background services- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce ☸Browser Helper Objects- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects ☸AppInit_DLLs- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs ☸File Association Keys- HKEY_LOCAL_MACHINE\Software\Classes HKEY_CLASSES_ROOT 🔗LINKs for your requirements- ------------------------------------------------------------------------------------------------------------------------- 1. Common Persistence - https://resources.infosecinstitute.com/topic/common-malware-persistence-mechanisms/ 2. Winesap Volatility Plugins- https://github.com/reverseame/winesap WATCH BELOW Playlists as well, if you want to make your career in DFIR and Security Operations!! ------------------------------------------------------------------------------------------------------------------------- INCIDENT RESPONSE TRAINING Full Course 👉https://youtube.com/playlist?list=PLjWEV7pmvSa4yvhzNsCjOJovOn1LLyBXB DFIR Free Tools and Techniques 👉 https://youtube.com/playlist?list=PLjWEV7pmvSa6f-NTpXsaUYWZLjLAB_0TS Windows and Memory Forensics 👉 https://youtube.com/playlist?list=PLjWEV7pmvSa50erciZUSnzvE7nK0FyvsH Malware Analysis 👉 https://youtube.com/playlist?list=PLjWEV7pmvSa6u32RongesgDtkfKBfrFWW SIEM Tutorial 👉 https://youtube.com/playlist?list=PLjWEV7pmvSa7cXTkCppnYHERUdy8Dd71x Threat Hunt & Threat Intelligence 👉 https://youtube.com/playlist?list=PLjWEV7pmvSa5UTZlsWp5wRnURNbeMS-fu ⌚ Timelines ------------------------------------------------------------------------------------------------------------------------- 0:00 ⏩ Introduction 1:10 ⏩ Overall view 1:52 ⏩ Run Keys 4:41 ⏩ BootExecute and Winlogon Keys 7:41 ⏩ Startup Keys 10:04 ⏩ BHO 13:00 ⏩ File Association Keys 16:06 ⏩ Services 19:31 ⏩ Shortcut Hijacking 23:10 ⏩ ASEP and Autoruns 29:14 ⏩ Identify Persistence in Memory 33:08 ⏩ Summerize 📞📲 FOLLOW ME EVERYWHERE- ------------------------------------------------------------------------------------------------------------------------- ✔ LinkedIn: https://www.linkedin.com/company/blackperl ✔ You can reach out to me personally in LinkedIn as well- https://bit.ly/38ze4L5 ✔ Twitter: @blackperl_dfir ✔ Git: https://github.com/archanchoudhury ✔ Insta: (blackperl_dfir)https://www.instagram.com/blackperl_dfir/ ✔ Can be reached via [email protected] SUPPORT BLACKPERL ------------------------------------------------------------------------------------------------------------------------- ╔═╦╗╔╦╗╔═╦═╦╦╦╦╗╔═╗ ║╚╣║║║╚╣╚╣╔╣╔╣║╚╣═╣ ╠╗║╚╝║║╠╗║╚╣║║║║║═╣ ╚═╩══╩═╩═╩═╩╝╚╩═╩═╝ ➡️ SUBSCRIBE, Share, Like, Comment ☕ Buy me a Coffee 👉 https://www.buymeacoffee.com/BlackPerl 📧 Sponsorship Inquiries: [email protected] ------------------------------------------------------------------------------------------------------------------------- 🙏 Thanks for watching!! Be CyberAware!! 🤞
