Malware Persistence on Boot – Monitor Modified Registry Keys & Possible Windows Event ID


The Windows Registry is a hierarchical database that stores low-level settings for the Microsoft Windows operating system and for applications that opt to use the registry on runtime. Adversaries use various techniques to achieve persistence on the network and connect back to their CnC ( Command and Control ) server. The most common way is Registry key value modification.

What are Run keys in Registry?

The registry holds a set of keys, which will handle the operating system setting for the device drivers, services, Security Accounts Manager, and user interface, etc. Adding the new string under the run key will execute a specific program at user boot or logon.

How Threat Actors intercept those keys?

Threat actors May use windows terminal to add their specific application which needs to be executed the next boot time. Here we are using “reg add” to interact with the registry and add a new string under the HKCU ( HKEY_CURRENT_USER ) hive to execute the malware on runtime. However, the file “sysmon.exe” will be executed only on the next boot.

Similar persistence can be achieved with GUI also, Here we are trying to execute the “zoom installer” with auto-run on run time.

Also Read: APT-Hunter – Threat Hunting Tool For Windows Event Logs

Additional keys for Malware Persistence

Below registry keys can also help attackers to be persistent on windows for a long time and steal confidential data and exfiltrate to their domains. Be cautious when you see an alert with your EDR ( Endpoint Detection and response ) or AV Antivirus products for such behaviors.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager

In addition with one of above behavior ,Figure out & find the Event ID : 4657 in you Log analytics tool.This event ID will help soc analysts /Incident responder to find the registry value changes .

Also Read: Soc Interview Questions and Answers – CYBER SECURITY ANALYST

Note: Investigate your incidents according, This event ID is logged only if the auditing feature is set for the registry key in its SACL ( A system access control list )

Successful combination of these registry attempts with event ID 4657 illustrates the bad actor successfully accessed your systems and backdoor files are uploaded to the victim machine. Happy Hunting !!!

Previous articleHow to Enable Packet Filtering With Open Source Iptables Firewall/Linux Firewall?
Next articleRace Condition Attack – How to Prevent Race condition vulnerabilities in your organization
Balaganesh is a Incident Responder. Certified Ethical Hacker, Penetration Tester, Security blogger, Founder & Author of Soc Investigation.


Please enter your comment!
Please enter your name here