
Reg pro cleaner malware wiki

Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.

Access to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility Reg may be used for local or remote Registry modification. Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API.

Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via Reg or other utilities using the Win32 API. Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence.

The Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system. Often Valid Accounts are required, along with access to the remote system's SMB/Windows Admin Shares for RPC communication.

Procedure examples:

ADVSTORESHELL is capable of setting and deleting Registry values.
Agent Tesla can achieve persistence by modifying Registry key entries.
APT19 uses a Port 22 malware variant to modify several Registry keys.
APT32's backdoor has modified the Windows Registry to store the backdoor's configuration.
APT38 uses a tool called CLEANTOAD that has the capability to modify Registry keys.
APT41 used a malware variant called GOODLUCK to modify the Registry in order to steal credentials.
Attor's dispatcher can modify the Run Registry key.
Avaddon modifies several Registry keys for persistence and UAC bypass.
BACKSPACE is capable of deleting Registry keys, sub-keys, and values on a victim system.
BADCALL modifies the firewall Registry key SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List.
Bankshot writes data into the Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Pniumj.
BitPaymer can set values in the Registry to help in execution.
Blue Mockingbird has used Windows Registry modifications to specify a DLL payload.
Cardinal RAT sets HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load to point to its executable.
Catchamas creates three Registry keys to establish persistence by adding a Windows Service.
Caterpillar WebShell has a command to modify a Registry key.
Chaes stored its instructions in a config file in the Registry.
CHOPSTICK may store RC4-encrypted configuration information in the Windows Registry.
Clop can make modifications to Registry keys.
Cobalt Strike can modify Registry values within HKEY_CURRENT_USER\Software\Microsoft\Office\ \Excel\Security\AccessVBOM\ to enable the execution of additional code.
ComRAT has encrypted and stored its orchestrator code in the Registry, as well as a PowerShell script in the WsqmCons Registry key.
Conficker adds keys to the Registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and various other Registry locations.
CrackMapExec can create a Registry key using wdigest.
Crimson can set a Registry key to determine how long it has been installed and possibly to indicate the version number.
CSPY Downloader can write to the Registry under the %windir% variable to execute tasks.
DarkComet adds a Registry value for its installation routine to the Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA="0" and HKEY_CURRENT_USER\Software\DC3_FEXEC.
Dragonfly 2.0 modified the Registry to perform multiple techniques through the use of Reg.
EVILNUM can make modifications to the Registry for persistence.
Exaramel for Windows adds the configuration to the Registry in XML format.
Explosive has a function to write itself to Registry values.
FELIXROOT deletes the Registry key HKCU\Software\Classes\Applications\rundll32.exe\shell\open.
FIN8 has deleted Registry keys during post-compromise cleanup activities.