Persistence methods used by malware
Many malware families use persistence methods to keep a foothold on an infected system even after the system is restarted.
There are many techniques malware commonly uses to maintain persistence, such as registry keys, the startup folder, account manipulation, device registration and others (see Persistence, Tactic TA0003 – Enterprise | MITRE ATT&CK).
Registry keys used for persistence:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
Startup folder used for persistence (its location is defined by the following registry keys, so a changed "Startup" or "Common Startup" value redirects autostart to another folder):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
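The following PowerShell script is an added example, not code from the original article. It enumerates the Run/RunOnce keys listed above and resolves the Startup folder from the Shell Folders / User Shell Folders values instead of assuming the default path, then lists every entry for analyst review. It assumes Windows PowerShell 5.1 or later and read access to HKLM; the output object layout is the example's own choice.

```powershell
# Added example: list autostart entries from the Run/RunOnce keys and the
# Startup folders named in the article. Assumes Windows PowerShell 5.1+.

$findings = [System.Collections.Generic.List[object]]::new()

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Properties the registry provider attaches to every Get-ItemProperty result;
# they are not autostart entries and are skipped.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }
        $findings.Add([pscustomobject]@{
            Location = $key
            Name     = $p.Name
            Command  = $p.Value
        })
    }
}

# The Startup folder path is read from the registry rather than hard-coded:
# malware that rewrites the "Startup" / "Common Startup" value redirects
# autostart to a folder of its choosing, which a hard-coded path would miss.
$shellKeys = [ordered]@{
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders' = 'Startup'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'      = 'Startup'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders' = 'Common Startup'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'      = 'Common Startup'
}

foreach ($key in $shellKeys.Keys) {
    $valueName = $shellKeys[$key]
    # Get-ItemProperty expands REG_EXPAND_SZ values such as %USERPROFILE%.
    $folder = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).$valueName
    if (-not $folder) { continue }
    $findings.Add([pscustomobject]@{
        Location = "$key\$valueName"
        Name     = 'Startup folder path'
        Command  = $folder
    })
    if (Test-Path $folder) {
        # -Force also shows hidden items, a common way to hide a dropped file.
        foreach ($item in Get-ChildItem -Path $folder -Force) {
            $findings.Add([pscustomobject]@{
                Location = $folder
                Name     = $item.Name
                Command  = $item.FullName
            })
        }
    }
}

$findings | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt to read the HKLM keys, and compare the output against a known-good baseline of the same machine; an entry whose command points into a user-writable directory, or a Startup folder value that no longer points at the default Start Menu path, is what an analyst would investigate first.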
Tools used to detect and remove malware that uses persistence methods:
- Autoruns (Autoruns for Windows – Sysinternals | Microsoft Learn)
- Sysmon (Sysmon – Sysinternals | Microsoft Learn)
- Endpoint Detection and Response products such as:
  - CrowdStrike (CrowdStrike: Stop breaches. Drive business)
  - Sophos Intercept X Endpoint (https://www.sophos.com/)
  - SentinelOne (SentinelOne | Autonomous AI Endpoint Security Platform | s1.ai)
  - Microsoft Defender (Microsoft Defender for Individuals | Microsoft 365)
- PowerShell logging, PowerShell Get-WmiObject, OSQuery and the Antimalware Scan Interface (see "How to detect persistence mechanisms with seven different tools", redcanary.com)
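As an added example of using Sysmon and PowerShell together (not code from the article or from Red Canary), the script below pulls Sysmon "RegistryEvent (Value Set)" records, Event ID 13, from the last 24 hours and keeps only those that wrote under a Run or RunOnce key. It assumes Sysmon is installed with a configuration that logs registry events for these keys; the field names (Image, TargetObject, Details, User) are the ones Sysmon documents for Event ID 13, and the User field is only present in recent Sysmon versions.

```powershell
# Added example: find recent Sysmon Event ID 13 (registry value set) records
# that modified a Run or RunOnce key. Assumes Sysmon logs registry events
# for these keys; run from an elevated prompt to read the Sysmon log.

# Matches ...\CurrentVersion\Run\<value> and ...\CurrentVersion\RunOnce\<value>
$runKeyPattern = '\\CurrentVersion\\(Run|RunOnce)\\'

$filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 13
    StartTime = (Get-Date).AddHours(-24)
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Sysmon stores its fields as EventData; read them from the event XML so
    # the names match the Sysmon documentation for Event ID 13.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['TargetObject'] -match $runKeyPattern) {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = $data['User']          # absent on older Sysmon builds
            Process = $data['Image']         # the process that wrote the value
            Key     = $data['TargetObject']  # full registry path of the value
            Value   = $data['Details']       # the command line that was stored
        }
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
```

The Process column is the useful pivot: a Run value written by an installer during a planned software rollout is expected, while the same write coming from an Office application, a script host or a process running out of a temporary directory is the kind of event an EDR rule or a SIEM alert should raise.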
In conclusion, persistence is one of the favorite methods threat actors use to keep their hold on a compromised system. Many malware families use the techniques described above to maintain a foothold on the system. Following best practices, such as using tools to detect and remove the malware, is the key to staying protected.
Bangaly Koita is a Cyber Security Analyst and researcher working for Radarcs Cyber Security in Vienna, Austria. Passionate about cyber security, he writes articles to share his knowledge and experience with the wider IT community and with the cyber security community in particular.