Malware Windows registry modification

It is common for malware to modify the Windows registry, either to persist on a compromised system across reboots and logons or to weaken built-in security controls such as UAC. The keys below are the ones most often touched, with the command lines that set them and what to check for.

Disable UAC :
    Both policy values live under HKLM, so writing them already requires an elevated process. Malware sets them after its first elevation so that every later elevation is silent; it does not get the first elevation from them.
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA set to 0 (turns UAC off entirely; takes effect at the next reboot)
  • <SYSTEM32>\reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t "REG_DWORD" /d "0" /f
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin set to 0 (administrators elevate without any prompt; the Windows default is 5, prompt for non-Windows binaries, and 2 is the strictest setting)
  • <SYSTEM32>\reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t "REG_DWORD" /d "0" /f
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UAC\COMAutoApprovalList
    Lists the COM classes that are allowed to auto-elevate without a prompt. Each value name is a CLSID and a DWORD data of 1 enables it. Adding a CLSID here, or abusing a class that is already on the list, bypasses the UAC prompt. To enumerate COM classes and resolve a CLSID to the server it loads, use OleView.NET.
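As an added example (not part of the original notes), the PowerShell audit below checks the policy values listed above against their expected settings and lists the COMAutoApprovalList entries together with the server each CLSID resolves to, so an entry pointing outside %SystemRoot% stands out. The paths and value names are those from the list; the expected values (EnableLUA 1, ConsentPromptBehaviorAdmin 5 as default or 2 as strictest, PromptOnSecureDesktop 1) are the documented Windows meanings. It only reads HKLM, so it runs without elevation.

```powershell
# Added example, not code from the original notes.
# Audit the UAC policy values malware tampers with and list COM auto-approval entries.

$PolicyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ApprovalKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UAC\COMAutoApprovalList'

function Test-UacPolicy {
    # Acceptable values. ConsentPromptBehaviorAdmin: 0 = elevate silently (what malware
    # sets), 5 = Windows default, 2 = always prompt for consent on the secure desktop.
    $expected = @{
        EnableLUA                  = @(1)
        ConsentPromptBehaviorAdmin = @(2, 5)
        PromptOnSecureDesktop      = @(1)
    }
    foreach ($name in $expected.Keys) {
        $actual = (Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue).$name
        # A missing value is flagged as well: the default then applies, but a hardened
        # build should set it explicitly so a later deletion is noticed.
        $ok = ($null -ne $actual) -and ($actual -in $expected[$name])
        [pscustomobject]@{
            Value    = $name
            Actual   = $actual
            Expected = ($expected[$name] -join ' or ')
            Weakened = -not $ok
        }
    }
}

function Get-ComAutoApproval {
    # Each value name is a CLSID; data 1 means the class may elevate without a prompt.
    if (-not (Test-Path -LiteralPath $ApprovalKey)) { return }
    $key = Get-Item -LiteralPath $ApprovalKey
    $sysRoot = '(?i)^"?%SystemRoot%|^"?' + [regex]::Escape($env:SystemRoot)
    foreach ($clsid in $key.GetValueNames()) {
        # Resolve the CLSID to its registered server, in-process DLL first, then out-of-process EXE.
        $server = $null
        foreach ($sub in 'InprocServer32', 'LocalServer32') {
            $p = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\$sub"
            if (Test-Path -LiteralPath $p) { $server = (Get-ItemProperty -LiteralPath $p).'(default)'; break }
        }
        [pscustomobject]@{
            CLSID             = $clsid
            AutoApprove       = $key.GetValue($clsid)
            Server            = $server
            # An auto-elevating server that is not under %SystemRoot% deserves a closer look.
            OutsideSystemRoot = [bool]($server -and ($server -notmatch $sysRoot))
        }
    }
}

Test-UacPolicy      | Format-Table -AutoSize
Get-ComAutoApproval | Format-Table -AutoSize -Wrap
```

Group Policy can legitimately set these values, so compare the output against the baseline for the host's policy rather than treating every deviation as malicious; a ConsentPromptBehaviorAdmin of 0 with EnableLUA still 1, however, is the pattern the reg.exe lines above produce.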

Persistence :
    Run and RunOnce registry keys make a program run when a user logs on. Run entries execute at every logon; a RunOnce entry is deleted before its command runs, so it executes once. The HKLM keys apply to every user and need administrator rights to write; the HKCU keys need only the rights of the current user, which is why they are the more common choice. On 64-bit Windows a 32-bit writer lands in the Wow6432Node mirror of the HKLM keys.
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

  • Malicious modifications to these registry keys may cause Winlogon to load and execute malicious DLLs and/or executables at logon.
  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  • HKLM\Software[\Wow6432Node\]\Microsoft\Windows NT\CurrentVersion\Winlogon
     Winlogon\Notify - points to notification package DLLs that handle Winlogon events. This is a pre-Vista mechanism, so any entry on a current system deserves inspection.
     Winlogon\Userinit - points to userinit.exe, the user initialization program executed when a user logs on. The default data is "C:\Windows\system32\userinit.exe," (note the trailing comma); malware appends its own path after the comma so that both run.
     Winlogon\Shell - points to explorer.exe, the system shell executed when a user logs on. The default data is "explorer.exe"; malware appends its binary in the same comma-separated form, or sets the value under HKCU, where it is normally absent.

  • Adversaries may abuse the Windows Task Scheduler to schedule initial or recurring execution of malicious code. A task created through schtasks.exe or the API is registered in two places under the TaskCache key: Tree mirrors the task folder hierarchy and stores each task's Id (a GUID), and Tasks\{Id} holds the task definition with its serialized actions and triggers. The task's XML definition is also written under %SystemRoot%\System32\Tasks.
  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks
  • C:\Windows\system32\schtasks.exe /Create /F /SC DAILY /ST 12:00 /TN MicrosoftEdge /TR "c:\Windows\system32\wscript.exe C:\Windows\temp\Windows.vbe"
    (a daily task whose name imitates a legitimate product and whose action runs a script interpreter on a file dropped in a temp directory; the name, the interpreter and the path are the indicators)
  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree
  • at.exe \\computername time [/interactive] [/every:date,... | /next:date,...] command
    (the legacy scheduler front-end, deprecated in favour of schtasks.exe; still an indicator on older systems)
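An added example (not code from the original notes) that sweeps the persistence locations from both lists above in one pass: the Run/RunOnce keys, the Winlogon Userinit, Shell and Notify entries, and scheduled tasks, cross-referenced with their TaskCache\Tree registry entry. Winlogon values are compared against the defaults stated above; everything else is flagged by a heuristic regex of interpreters and user-writable directories, which is an assumption chosen for illustration, not a verdict. Get-ScheduledTask assumes the ScheduledTasks module (Windows 8 / Server 2012 or later).

```powershell
# Added example, not code from the original notes.
# Sweep registry persistence locations: Run/RunOnce, Winlogon and Task Scheduler.

# Heuristic (assumption): script hosts, or anything executing from a user-writable directory.
$SuspiciousPattern = '(?i)\\(temp|appdata|users\\public)\\|\b(wscript|cscript|mshta)\b|powershell[^|]*\s-e(nc|ncodedcommand)?\b'
function Test-Suspicious([string]$cmd) { [bool]($cmd -match $SuspiciousPattern) }

function Get-RunKeyEntries {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $keys) {
        if (-not (Test-Path -LiteralPath $k)) { continue }
        $item = Get-Item -LiteralPath $k
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            [pscustomobject]@{ Source = $k; Name = $name; Command = $cmd; Suspicious = Test-Suspicious $cmd }
        }
    }
}

function Get-WinlogonEntries {
    # Clean defaults: Userinit keeps its trailing comma, Shell is just explorer.exe.
    # Comparison is case-insensitive (PowerShell -ne), so C:\WINDOWS vs C:\Windows is fine.
    $defaults = @{ Userinit = "$env:SystemRoot\system32\userinit.exe,"; Shell = 'explorer.exe' }
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon',
            'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    foreach ($k in $keys) {
        if (-not (Test-Path -LiteralPath $k)) { continue }
        $props = Get-ItemProperty -LiteralPath $k
        foreach ($v in 'Userinit', 'Shell') {
            $val = $props.$v
            if ($null -eq $val) { continue }          # HKCU and Wow6432Node normally carry neither value
            # Any per-user override, or any deviation from the default, is reported.
            $deviates = ($k -like 'HKCU:*') -or ($val -ne $defaults[$v])
            [pscustomobject]@{ Source = $k; Name = $v; Command = $val; Suspicious = $deviates -or (Test-Suspicious $val) }
        }
    }
    # Notification packages are a pre-Vista mechanism; report every subkey for manual review.
    $notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (Test-Path -LiteralPath $notify) {
        foreach ($sub in Get-ChildItem -LiteralPath $notify) {
            $dll = (Get-ItemProperty -LiteralPath $sub.PSPath).DLLName
            [pscustomobject]@{ Source = $notify; Name = $sub.PSChildName; Command = $dll; Suspicious = $true }
        }
    }
}

function Get-TaskEntries {
    # TaskCache\Tree mirrors the task folders; each task key holds an Id GUID that names
    # the definition under TaskCache\Tasks\{Id}. The Id is shown so the two can be matched.
    $tree = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
    foreach ($task in Get-ScheduledTask) {
        $regKey = Join-Path $tree ($task.TaskPath.TrimStart('\') + $task.TaskName)
        $id = (Get-ItemProperty -LiteralPath $regKey -ErrorAction SilentlyContinue).Id
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }    # COM-handler actions have no command line
            $cmd = "$($action.Execute) $($action.Arguments)".Trim()
            [pscustomobject]@{
                Source     = "Task $($task.TaskPath)$($task.TaskName) Id=$id"
                Name       = $task.TaskName
                Command    = $cmd
                Suspicious = Test-Suspicious $cmd
            }
        }
    }
}

$results = @(Get-RunKeyEntries) + @(Get-WinlogonEntries) + @(Get-TaskEntries)
$results | Where-Object Suspicious | Format-Table Source, Name, Command -AutoSize -Wrap
```

The schtasks.exe line above, for instance, produces a task whose action is "c:\Windows\system32\wscript.exe C:\Windows\temp\Windows.vbe", which the sweep flags twice, on the interpreter and on the \temp\ path. Drop the Where-Object filter to see the full inventory, which is the more useful artefact when building a baseline for a host.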

Technical details :
HKLM : HKEY_LOCAL_MACHINE, the machine-wide hive; writing under it requires administrator rights.
HKCU : HKEY_CURRENT_USER, a link to HKEY_USERS\<SID of the logged-on user>; writable by that user without elevation.
HKEY_CLASSES_ROOT : not a separate hive but a merged view of HKLM\Software\Classes and HKCU\Software\Classes, with the HKCU entries taking precedence. That precedence is why a CLSID registered under HKCU\Software\Classes\CLSID shadows the machine-wide one without administrator rights.