Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.

Access to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility Reg may be used for local or remote Registry modification. Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API.

Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via Reg or other utilities using the Win32 API. Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence.

The Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system. Often Valid Accounts are required, along with access to the remote system's SMB/Windows Admin Shares for RPC communication.

AADInternals can modify registry keys as part of setting a new pass-through authentication agent.
ADVSTORESHELL is capable of setting and deleting Registry values.
Agent Tesla can achieve persistence by modifying Registry key entries.
Amadey has overwritten registry keys for persistence.
APT19 uses a Port 22 malware variant to modify several Registry keys.
APT32's backdoor has modified the Windows Registry to store the backdoor's configuration.
APT38 uses a tool called CLEANTOAD that has the capability to modify Registry keys.
APT41 used a malware variant called GOODLUCK to modify the registry in order to steal credentials.
Attor's dispatcher can modify the Run registry key.
Avaddon modifies several registry keys for persistence and UAC bypass.
BACKSPACE is capable of deleting Registry keys, sub-keys, and values on a victim system.
BADCALL modifies the firewall Registry key SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfileGloballyOpenPorts\List.
Bankshot writes data into the Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Pniumj.
Bisonal has deleted Registry keys to clean up its prior activity.
BitPaymer can set values in the Registry to help in execution.
Black Basta can modify the Registry to enable itself to run in safe mode and to modify the icons and file extensions for encrypted files.
Blue Mockingbird has used Windows Registry modifications to specify a DLL payload.
BlackCat has the ability to add the following registry key on compromised networks to maintain persistence: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Cardinal RAT sets HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load to point to its executable.
Catchamas creates three Registry keys to establish persistence by adding a Windows Service.
Caterpillar WebShell has a command to modify a Registry key.
Chaes can modify Registry values to store information and establish persistence.
CharmPower can remove persistence-related artifacts from the Registry.
CHOPSTICK may modify Registry keys to store RC4 encrypted configuration information.
Clambling can set and delete Registry keys.
Clop can make modifications to Registry keys.
Cobalt Strike can modify Registry values within HKEY_CURRENT_USER\Software\Microsoft\Office\ \Excel\Security\AccessVBOM\ to enable the execution of additional code.
ComRAT has modified Registry values to store encrypted orchestrator code and payloads.
Conficker adds keys to the Registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and various other Registry locations.
CrackMapExec can create a registry key using wdigest.
Crimson can set a Registry key to determine how long it has been installed and possibly to indicate the version number.
CSPY Downloader can write to the Registry under the %windir% variable to execute tasks.
DarkComet adds a Registry value for its installation routine to the Registry Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA="0" and HKEY_CURRENT_USER\Software\DC3_FEXEC.
DarkTortilla has modified registry keys for persistence.
DarkWatchman can modify Registry values to store configuration strings, keylogger, and output of components.
DCSrv has created Registry keys for persistence.
Dragonfly has modified the Registry to perform multiple techniques through the use of Reg.
Earth Lusca modified the registry using the command reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_SZ /d "" for persistence.
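The description and procedure examples above name the Registry behaviours a defender would watch for: writes made through Reg, keys whose names begin with a null character, and persistence locations such as UserInitMprLogonScript, the Run key, the Windows\Load value, EnableLUA, new service keys and the firewall GloballyOpenPorts list. The following Python script is an added example, not code from the original page or from the ATT&CK project: it applies those checks to a constructed list of Sysmon-style registry events. The field names EventID, Image, TargetObject and Details follow Sysmon's RegistryEvent schema (ID 12 key create/delete, ID 13 value set); the image paths, SIDs and values are made up.

```python
import re

# Hive prefixes are stripped so that HKCU, HKEY_CURRENT_USER and HKU\<SID>
# spellings of the same value all match one rule.
HIVE_RE = re.compile(
    r"^(hkey_current_user|hkcu|hkey_local_machine|hklm|hkey_users\\[^\\]+|hku\\[^\\]+)\\"
)

# Locations taken from the procedure examples above (Earth Lusca, DarkComet,
# Cardinal RAT, Attor, Conficker/Catchamas, BADCALL, Cobalt Strike). Patterns
# are matched against the lower-cased, hive-stripped path.
WATCHLIST = {
    "logon_script": r"\\environment\\userinitmprlogonscript$",
    "uac_disabled": r"\\policies\\system\\enablelua$",
    "load_value": r"\\windows nt\\currentversion\\windows\\load$",
    "run_key": r"\\currentversion\\run\\",
    "service_key": r"\\currentcontrolset\\services\\[^\\]+(\\imagepath|\\parameters\\servicedll)?$",
    "firewall_open_ports": r"\\globallyopenports\\list\\",
    "excel_vbom": r"\\excel\\security\\accessvbom$",
}


def strip_hive(target):
    """Lower-case a TargetObject and replace its hive prefix with a single backslash."""
    return HIVE_RE.sub(lambda m: "\\", target.lower(), count=1)


def analyze(event):
    """Return the rule names a registry event (ID 12 or 13) triggers; [] means nothing of interest."""
    if event.get("EventID") not in (12, 13):
        return []
    target = event.get("TargetObject", "")
    findings = []
    # A key name containing a null byte is the "pseudo-hidden" key described above:
    # Reg and other Win32 tools fail to read it, so the write itself is the signal.
    if "\x00" in target:
        findings.append("null_prefixed_key")
    path = strip_hive(target.replace("\x00", ""))
    for name, pattern in WATCHLIST.items():
        if re.search(pattern, path):
            findings.append(name)
    # Reg.exe is a legitimate administration tool; record it as context, not as a verdict.
    if event.get("Image", "").lower().endswith("\\reg.exe"):
        findings.append("written_by_reg_exe")
    return findings


def scan(events):
    """Return (TargetObject, findings) for every event that triggered at least one rule."""
    hits = []
    for event in events:
        findings = analyze(event)
        if findings:
            hits.append((event["TargetObject"], findings))
    return hits


# Constructed sample events; the SIDs, image paths and values are invented.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKU\\S-1-5-21-1000-2000-3000-1001\\Environment\\UserInitMprLogonScript",
     "Details": "C:\\Users\\Public\\init.bat"},
    {"EventID": 13, "Image": "C:\\Users\\alice\\AppData\\Roaming\\svc.exe",
     "TargetObject": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\ExampleApp\\DisplayName",
     "Details": "Example App"},
    {"EventID": 13, "Image": "C:\\Users\\alice\\AppData\\Roaming\\svc.exe",
     "TargetObject": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\\x00updater",
     "Details": "C:\\Users\\alice\\AppData\\Roaming\\svc.exe"},
    {"EventID": 12, "Image": "C:\\Windows\\Temp\\installer.exe",
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WinSvcHost",
     "Details": ""},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "", "Details": ""},
]

if __name__ == "__main__":
    for target, findings in scan(SAMPLE_EVENTS):
        print(f"{target!r}: {', '.join(findings)}")
```

The benign msiexec write to an Uninstall key and the non-registry event produce no findings; the four remaining events are flagged, and the Run-key write with the null-prefixed name is reported twice, once for the hidden name and once for the location. In a real pipeline the same `analyze` function would be fed parsed Sysmon events rather than the constructed list.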