Persistence Mechanisms

Video description: Persistence Mechanisms

As a continuation of the "Introduction to Windows Forensics" series, this episode looks at persistence mechanisms often utilized by malware. First, we’ll look at the ubiquitous “Run” and “RunOnce” keys, as well as a great article that summarizes many of the other Autostart Extensibility Points (ASEPs) you’re likely to encounter. Then, we’ll look at Autoruns from Sysinternals. This utility will automatically parse and aggregate these ASEPs and show us the dozens of places in which we can tell Windows to automatically start a program. Lastly, we’ll look at new research that identifies another feature of Windows that can be exploited to achieve persistence, but that will NOT show up in Autoruns or in other tools that attempt to display this information.

** If you enjoy this video, please consider supporting 13Cubed on Patreon at patreon.com/13cubed. **

Introduction to Windows Forensics:
   • Introduction to Windows Forensics  

Run and RunOnce Registry Keys:
https://msdn.microsoft.com/en-us/libr...

Common Malware Persistence Mechanisms:
https://resources.infosecinstitute.co...

Autoruns for Windows:
https://docs.microsoft.com/en-us/sysi...

Persistence Using GlobalFlags in Image File Execution Options:
https://oddvar.moe/2018/04/10/persist...

Background Music Courtesy of Anders Enger Jensen:
   / hariboosx  

#Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics #MalwareAnalysis #Malware
