title: persistence.md

categories: [cheatsheets]

Persistence

Registry

  • SOFTWARE\Microsoft\Windows\CurrentVersion\Run - commands executed at every logon (under HKLM for all users, under HKCU for the current user only; the RunOnce sibling key runs an entry a single time and then deletes it)
  • SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs <-- space- or comma-delimited list of DLLs loaded into every process that loads user32.dll; only honoured while LoadAppInit_DLLs in the same key is 1, and ignored on Windows 8 and later when Secure Boot is enabled
  • SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify <-- notification package DLLs loaded when winlogon.exe starts (Windows XP / Server 2003 only; notification packages are not supported from Vista on, so any entry on a current OS is suspicious)
  • Svchost DLLs in
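
A read-only audit of the locations above, added here as an example (it is not part of the original cheat sheet). The registry paths are the real ones; the svchost check reads the ServiceDll value under each service's Parameters subkey, and the "outside System32" flag on those entries is this script's own heuristic. Run it as Administrator so the HKLM values are readable:

```powershell
# Added example, not from the original cheat sheet: enumerate the registry
# persistence locations from the list above and flag the ones worth a look.
function Get-RegistryPersistence {
    $results = New-Object System.Collections.Generic.List[object]
    $psNoise = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

    # Run / RunOnce in both hives: Run fires at every logon, RunOnce a single time.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notin $psNoise } |
            ForEach-Object {
                $results.Add([pscustomobject]@{ Location = $key; Name = $_.Name; Value = $_.Value; Flag = '' })
            }
    }

    # AppInit_DLLs: the list only takes effect when LoadAppInit_DLLs is 1
    # (and, on Windows 8+, only when Secure Boot is off).
    $winKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $win = Get-ItemProperty -Path $winKey -ErrorAction SilentlyContinue
    if ($win -and $win.AppInit_DLLs) {
        $flag = if ($win.LoadAppInit_DLLs -eq 1) { 'LoadAppInit_DLLs=1: list is live' } else { 'LoadAppInit_DLLs not 1: list is ignored' }
        $results.Add([pscustomobject]@{ Location = $winKey; Name = 'AppInit_DLLs'; Value = $win.AppInit_DLLs; Flag = $flag })
    }

    # Winlogon\Notify: each subkey names a notification DLL in its DLLName value.
    $notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (Test-Path $notify) {
        Get-ChildItem -Path $notify | ForEach-Object {
            $dll = (Get-ItemProperty -Path $_.PSPath).DLLName
            $results.Add([pscustomobject]@{ Location = $notify; Name = $_.PSChildName; Value = $dll; Flag = 'notification packages unsupported since Vista' })
        }
    }

    # Svchost-hosted services: the DLL svchost.exe loads for each service sits in
    # HKLM\SYSTEM\CurrentControlSet\Services\<svc>\Parameters\ServiceDll.
    # Heuristic (ours): a ServiceDll outside System32 deserves a second look.
    $sys32 = (Join-Path $env:SystemRoot 'System32').ToLower()
    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
        $params = Join-Path $_.PSPath 'Parameters'
        if (-not (Test-Path $params)) { return }          # 'return' = next item in ForEach-Object
        $dll = (Get-ItemProperty -Path $params -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) { return }
        $expanded = [Environment]::ExpandEnvironmentVariables($dll).ToLower()
        $flag = if ($expanded.StartsWith($sys32)) { '' } else { 'ServiceDll outside System32' }
        $results.Add([pscustomobject]@{ Location = $params; Name = 'ServiceDll'; Value = $dll; Flag = $flag })
    }
    return $results
}

# Show every Run/RunOnce/AppInit/Notify entry, but only the flagged ServiceDll rows
# (there are a few hundred legitimate ones pointing into System32).
Get-RegistryPersistence |
    Where-Object { $_.Flag -or $_.Name -ne 'ServiceDll' } |
    Format-Table -AutoSize -Wrap
```

The script reads values only; it does not interpret them. Compare the output against a known-good host or a baseline export, since a legitimate Run entry and a malicious one look identical in the registry.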

DLL load order hijacking

  • Order in which a DLL requested by bare name (no path) is searched for, with SafeDllSearchMode enabled (the default since Windows XP SP2):
    • Directory the application was loaded from
    • The System directory (C:\Windows\System32)
    • The 16-bit System directory (C:\Windows\System)
    • Windows directory (C:\Windows)
    • Current working directory of the process
    • Directories listed in the PATH variable
  • With SafeDllSearchMode disabled (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode = 0) the current directory moves up to second place, directly after the application directory.

Exception: DLLs listed under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs are not searched for at all; the loader maps them from the \KnownDlls section object (backed by System32), so the search order cannot be used against them. A DLL already loaded into the process is likewise reused without a search.

If an executable loads, by name, a DLL that is neither present in System32 nor listed in KnownDLLs, the application directory is searched first, so dropping a malicious DLL with that name next to the .exe gets it loaded. The payload normally runs from DllMain; if the .exe links the DLL at load time, the drop-in must also export (or forward to the real DLL) every function the .exe imports, otherwise process start fails. The same applies to a DLL the program asks for that does not exist anywhere on the search path (a "phantom" DLL): any writable directory earlier in the order will do.
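
The check described above, written out as an added example (not code from the original cheat sheet): walk the default search order for one DLL name as a given executable would see it, say where the loader will find the file, and report whether a directory searched at or before that point is writable. It assumes the DLL is requested by bare name, is not already loaded, and is not redirected by a manifest or .local file; the DLL name is whatever import you are investigating (from `dumpbin /dependents` or Process Monitor "NAME NOT FOUND" events), and the target path in the last line is a placeholder. Run it as the low-privilege user whose write access you want to assess, since the writability probe is performed as the caller:

```powershell
# Added example, not from the original cheat sheet.
function Test-DirWritable {
    # Crude writability probe: create and delete an empty temp file as the current user.
    param([string] $Dir)
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    $probe = Join-Path $Dir ([IO.Path]::GetRandomFileName())
    try {
        [IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch { return $false }
}

function Resolve-DllSearchOrder {
    param(
        [Parameter(Mandatory)] [string] $ExePath,
        [Parameter(Mandatory)] [string] $DllName
    )
    $appDir = [IO.Path]::GetDirectoryName([IO.Path]::GetFullPath($ExePath))
    $sys32  = Join-Path $env:SystemRoot 'System32'

    # KnownDLLs are mapped from the \KnownDlls section (backed by System32) and are
    # never searched for, so the search order is irrelevant for them.
    $knownKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'
    $skip = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider', 'DllDirectory', 'DllDirectory32')
    $known = (Get-ItemProperty -Path $knownKey).PSObject.Properties |
        Where-Object { $_.Name -notin $skip } |
        ForEach-Object { $_.Value.ToLower() }
    if ($known -contains $DllName.ToLower()) {
        return [pscustomobject]@{ Dll = $DllName; ResolvedFrom = $sys32; Hijackable = $false; Reason = 'KnownDLL: search order not consulted' }
    }

    # Default order (SafeDllSearchMode = 1). With SafeDllSearchMode = 0 the current
    # directory would sit at position 2. (Get-Location) stands in for the target
    # process's working directory, which depends on how it is launched.
    $order = @($appDir, $sys32, (Join-Path $env:SystemRoot 'System'), $env:SystemRoot, (Get-Location).Path) +
             @($env:Path -split ';' | Where-Object { $_ })

    $writable = @()
    foreach ($dir in $order) {
        if (Test-DirWritable $dir) { $writable += $dir }
        if (Test-Path -LiteralPath (Join-Path $dir $DllName) -PathType Leaf) {
            # First hit wins. A same-named DLL planted in any writable directory searched
            # up to and including this one is what the loader will actually map.
            $reason = if ($writable) { "writable dir(s) at or before the hit: $($writable -join '; ')" } else { 'no writable directory precedes the real DLL' }
            return [pscustomobject]@{ Dll = $DllName; ResolvedFrom = $dir; Hijackable = ($writable.Count -gt 0); Reason = $reason }
        }
    }
    # Never found: a "phantom" DLL. Any writable directory in the order delivers the payload.
    $reason = "not found in the search order (phantom DLL); writable dir(s): $($writable -join '; ')"
    return [pscustomobject]@{ Dll = $DllName; ResolvedFrom = $null; Hijackable = ($writable.Count -gt 0); Reason = $reason }
}

# Placeholder target: replace with the executable and the import name you are looking at.
Resolve-DllSearchOrder -ExePath 'C:\Program Files\SomeApp\app.exe' -DllName 'version.dll' | Format-List
```

Two caveats: run as Administrator the probe will report System32 as writable and mark nearly everything hijackable, which is not the finding you want; and PATH entries that are writable by ordinary users are reported here as well, since a phantom DLL is resolved from them just as it is from the application directory.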