1) HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
2) HKLM\System\CurrentControlSet\Services (start value of 0 indicates kernel drivers, which load before kernel initiation)
3) HKLM\System\CurrentControlSet\Services (start value of 2, auto-start and 3, manual start via SCM)
4) HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
5) HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
6) HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
7) HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
8) HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
9) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
10) HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
11) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
12) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
13) HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
14) HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
15) HKLM\Software\Microsoft\Windows\CurrentVersion\Run
16) HKCU\Software\Microsoft\Windows\CurrentVersion\Run
17) HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
18) HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
19) HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
20) HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
21) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
22) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler (XP, NT, W2k only)
23) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
Source: https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order
Startup folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
BootExecute Key
Since smss.exe launches before windows subsystem loads, it calls configuration subsystem to load the hive present at HKLM\SYSTEM\CurrentControlSet\Control\hivelist. Also smss.exe will launch anything present in the BootExecute key at HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session Manager. It should always have the value of autocheck autochk*. If there are more values in it, then probably the malware is likely to launch at boot. (source)
UserInit keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit
Notify:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
Explorer.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, this key points to explorer.exe(Windows interface) and should only be string explorer.exe rather than complete path as it is supposed to launch from \windows. The boot key at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\boot points to the location under Winlogon only. (same source)
Services:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\service
Plus services that fail to start can be set to run a program instead
HKLM\Software\Microsoft\Windows NT\CurrentVersion\SvcHost
Browser helper objects BHO
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
AppInit DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
File association keys
HKEY_LOCAL_MACHINE\Software\Classes\ and HKEY_CLASSES_ROOT\;
source: https://digital-forensics.sans.org/blog/2010/10/20/digital-forensics-autorun-registry-keys/
Không có nhận xét nào:
Đăng nhận xét