
Malware Persistence Mechanisms & Hunting

An exploration of how modern malware keeps a foothold on endpoint systems, covering Registry Run keys and AppInit DLLs, scheduled tasks and WMI event subscriptions, DLL search order hijacking, and how to hunt for each.


1. The Persistence Lifecycle

Once malware executes on a victim machine, it must establish a way to survive reboots, updates, and user logouts. This step is critical for attackers who want to keep long-term command-and-control (C2) access inside an enterprise environment: an initial payload that runs once and is never re-launched is worth little after the first restart.

Knowing exactly which mechanism a sample uses to persist lets incident responders pinpoint where it was planted, remove it from every affected host, and turn the observation into a preventative detection.

2. Registry Run Keys & AppInit DLLs

The classic persistence mechanism on Windows is adding a value to an autorun key. These registry keys launch the executables they name when the computer starts or when a user logs in. Values under HKLM apply to every user and require administrative rights to write; values under HKCU affect only the current user and can be written without elevation, which is why low-privilege malware favours them. RunOnce values are deleted after they execute, so they are typically used for a one-shot stage that installs something more durable.

A related technique named in this section's heading is the AppInit_DLLs value under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows: any DLL listed there is loaded into every process that loads user32.dll, provided LoadAppInit_DLLs is set to 1. On Windows 8 and later the feature is disabled while Secure Boot is on, so it is mainly seen on older or misconfigured systems.

Common Registry Keys

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKLM\System\CurrentControlSet\Services (Service Creation)

3. Scheduled Tasks & WMI Event Subscriptions

Attackers often abuse the Windows Task Scheduler (schtasks.exe, or the Register-ScheduledTask cmdlet) to execute payloads on a fixed schedule or in response to system events such as user logon, the machine going idle, or a network reconnection. A task can be set to run as SYSTEM and can be tucked into one of the many Microsoft task folders where it blends in with legitimate entries.

More advanced malware uses Windows Management Instrumentation (WMI) permanent event subscriptions instead. A subscription is three objects stored in the WMI repository under root\subscription: an __EventFilter (a WQL query that fires on a trigger such as a specific user logging in or a process starting), an __EventConsumer (most often a CommandLineEventConsumer or ActiveScriptEventConsumer that holds the payload), and a __FilterToConsumerBinding that ties them together. The consumer executes inside the WMI provider host as SYSTEM, and because nothing is written to disk or to a Run key, file- and registry-based hunts miss it unless the repository itself is inspected.
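The hunt for both mechanisms described above, as an added example that is not code from the original page: it lists scheduled tasks outside the Microsoft folders whose action launches a script host or a binary outside the Windows and Program Files trees, and then dumps every WMI filter-to-consumer binding with its trigger query and payload. The list of "suspicious" hosts and the trusted directories are assumptions chosen for this illustration, not rules from the page.

```powershell
# Added hunting example (not from the original writeup). The host-name pattern and the
# trusted-directory list below are assumptions for illustration; tune them per environment.

$trustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")
$suspiciousHosts = 'powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe'

function Test-UntrustedPath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    $expanded = [Environment]::ExpandEnvironmentVariables($Path).Trim('"')
    foreach ($root in $trustedRoots) {
        if ($expanded.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $false }
    }
    return $true
}

# --- Scheduled tasks: skip the \Microsoft\ folders to cut noise, then inspect each action ---
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        # Only MSFT_TaskExecAction objects carry Execute/Arguments; COM-handler actions do not.
        if (-not $action.Execute) { continue }
        $flag = ($action.Execute -match $suspiciousHosts) -or (Test-UntrustedPath $action.Execute)
        if ($flag) {
            [pscustomobject]@{
                Source    = 'ScheduledTask'
                Name      = "$($task.TaskPath)$($task.TaskName)"
                Principal = $task.Principal.UserId
                Action    = "$($action.Execute) $($action.Arguments)"
                Author    = $task.Author
            }
        }
    }
}

# --- WMI permanent event subscriptions: every binding is reported, since a clean
# --- workstation normally has none. The Filter/Consumer reference properties come back
# --- as CimInstance objects from Get-CimInstance, so .Name resolves the linked object.
$ns = 'root\subscription'
$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding | ForEach-Object {
    $binding  = $_
    $filter   = $filters   | Where-Object { $_.Name -eq $binding.Filter.Name }   | Select-Object -First 1
    $consumer = $consumers | Where-Object { $_.Name -eq $binding.Consumer.Name } | Select-Object -First 1
    # CommandLineEventConsumer carries the payload in CommandLineTemplate,
    # ActiveScriptEventConsumer in ScriptText; other consumer types just show their class.
    $payload = if ($consumer.CommandLineTemplate) { $consumer.CommandLineTemplate }
               elseif ($consumer.ScriptText)      { $consumer.ScriptText }
               else                               { $consumer.CimClass.CimClassName }
    [pscustomobject]@{
        Source   = 'WMISubscription'
        Name     = $consumer.Name
        Trigger  = $filter.Query
        Consumer = $consumer.CimClass.CimClassName
        Action   = $payload
    }
}
```

Run it from an elevated prompt so that SYSTEM-owned tasks and the root\subscription namespace are readable. Vendor software does occasionally register a legitimate task that trips the path rule, so the output is a triage list, not a verdict; a WMI binding whose filter watches Win32_LogonSession or Win32_ProcessStartTrace and whose consumer runs a command line is the pattern to treat as hostile until proven otherwise.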

4. DLL Search Order Hijacking

When a program loads a dynamic-link library (DLL) without specifying a fully qualified path, Windows searches a predefined sequence of directories, and the directory the application was launched from comes before the system directories in that sequence. Attackers exploit this by dropping a malicious DLL named after a legitimate system dependency into the same directory as the target application (or into another writable directory that is searched earlier than the real copy), so the loader picks up the planted file first. DLLs on the KnownDLLs list are exempt because they are always resolved from System32, which is why attackers target less common dependencies.
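One way to hunt for the situation just described on a live host, as an added example that is not part of the original writeup: compare the modules each running process has loaded against the DLL names that exist in System32 and SysWOW64, and report any module that carries a system DLL's name but was loaded from somewhere else, together with its Authenticode status so that a vendor-shipped signed duplicate can be told apart from an unsigned planted copy. The system-directory list and the reliance on signature status as the discriminator are assumptions for this illustration.

```powershell
# Added hunting example (not from the original writeup). Assumes System32/SysWOW64 are the
# reference set of "system DLL" names and that an unsigned collision is the interesting case.

$sysDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

# Case-insensitive set of DLL file names that legitimately live in the system directories.
$systemDllNames = New-Object 'System.Collections.Generic.HashSet[string]' ([StringComparer]::OrdinalIgnoreCase)
foreach ($dir in $sysDirs) {
    Get-ChildItem -Path $dir -Filter *.dll -File -ErrorAction SilentlyContinue |
        ForEach-Object { [void]$systemDllNames.Add($_.Name) }
}

# A 64-bit PowerShell cannot read the module list of 32-bit processes, and protected
# processes deny access; those failures are swallowed so one process cannot abort the sweep.
Get-Process | ForEach-Object {
    $proc = $_
    try { $modules = $proc.Modules } catch { $modules = @() }
    foreach ($m in $modules) {
        $path = $m.FileName
        if (-not $path) { continue }
        # Keep only modules whose name collides with a system DLL but were loaded from elsewhere.
        if (-not $systemDllNames.Contains($m.ModuleName)) { continue }
        $loadedFromDir = Split-Path -Path $path -Parent
        if ($sysDirs | Where-Object { $loadedFromDir -eq $_ }) { continue }   # -eq is case-insensitive
        $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Process    = $proc.ProcessName
            PID        = $proc.Id
            Module     = $m.ModuleName
            LoadedFrom = $path
            Signature  = if ($sig) { $sig.Status } else { 'Unknown' }
            Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
} | Sort-Object Signature, Process | Format-Table -AutoSize
```

Expect some benign hits: applications routinely ship their own copies of the Visual C++ runtime (vcruntime140.dll, msvcp140.dll) beside their executable, and those show up as Valid and Microsoft-signed. An entry with Signature NotSigned or HashMismatch, sitting in a user-writable directory next to a signed application binary, is the classic hijack footprint and should have its hash and strings pulled for analysis.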

5. Threat Hunting for Registry Keys

Responders can list the autorun values on an endpoint with a short PowerShell script such as the one below; wrapped in Invoke-Command it runs against many hosts at once so results can be stacked and the rare values surfaced:

hunt_persistence.ps1
# Query the machine- and user-level startup registry keys listed in section 2.
# PSPath is kept so each value can be traced back to the hive and key it came from.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Get-ItemProperty -Path $runKeys -ErrorAction SilentlyContinue |
Select-Object * -ExcludeProperty PSParentPath, PSChildName, PSDrive, PSProvider |
Format-List
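The same sweep extended to the two remaining locations from section 2, the Services key and AppInit_DLLs, as an added example that is not code from the original page. Services are reduced to the executable named in ImagePath (quoted, unquoted, or a driver path relative to the Windows directory), and a service is reported when that binary lives outside the Windows directory or is not signed by Microsoft; those two rules, and the treatment of the Wow6432Node copy of the AppInit key, are assumptions made for this illustration.

```powershell
# Added hunting example (not from the original writeup). The "outside Windows or not
# Microsoft-signed" rule is an assumption chosen to surface third-party and planted services.

# AppInit_DLLs: every DLL listed is loaded into each process that loads user32.dll when
# LoadAppInit_DLLs is 1 (ignored on Windows 8+ with Secure Boot enabled). Both the native
# key and its Wow6432Node mirror are checked.
$appInitKeys = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
foreach ($key in $appInitKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -and $props.AppInit_DLLs) {
        [pscustomobject]@{
            Source  = 'AppInit_DLLs'
            Key     = $key
            Enabled = [bool]$props.LoadAppInit_DLLs
            Value   = $props.AppInit_DLLs
        }
    }
}

# Pull the executable out of a service ImagePath value, which may be quoted, unquoted
# with arguments, prefixed with \??\ or \SystemRoot\, or relative to the Windows directory.
function Get-ServiceBinaryPath {
    param([string]$ImagePath)
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim()
    if ($p.StartsWith('"')) { $p = $p.Substring(1, $p.IndexOf('"', 1) - 1) }
    elseif ($p -match '^(.*?\.(exe|sys))(\s|$)') { $p = $Matches[1] }
    $p = $p -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
    $svc = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if (-not $svc.ImagePath) { return }          # return = skip to next service inside ForEach-Object
    $bin = Get-ServiceBinaryPath $svc.ImagePath
    $inWindows = $bin.StartsWith("$env:SystemRoot\", [StringComparison]::OrdinalIgnoreCase)
    $sig = Get-AuthenticodeSignature -FilePath $bin -ErrorAction SilentlyContinue
    $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    if (-not $inWindows -or $signer -notmatch 'Microsoft') {
        [pscustomobject]@{
            Source    = 'Service'
            Name      = $_.PSChildName
            StartType = $svc.Start           # 2 = automatic, 3 = manual, 4 = disabled
            Binary    = $bin
            Status    = if ($sig) { $sig.Status } else { 'NotFound' }
            Signer    = $signer
        }
    }
} | Format-Table -AutoSize
```

A service whose binary no longer exists on disk (Status NotFound) is itself a lead: either leftover from an uninstalled product or an orphaned entry whose payload was cleaned up while the persistence record was not. Services with StartType 2 and an unsigned binary under a user profile or ProgramData path are the first ones to pull.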