After reading some of the various open reports regarding how malware or threat actors were “using” the Registry, manipulating it to meet their needs, I wanted to take a look and see what the effects or impacts of these actions might “look like” from a dead-box, DFIR perspective, looking solely at the Registry.
The first scenario I looked at was from this Avast write-up on Raspberry Robins’s Roshtyak component; in the section titled “Indirect registry writes”, the article describes the persistence mechanism of renaming the RunOnce key, adding a value, then re-renaming the key back to “RunOnce”, apparently in an effort to avoid rules/filters that look specifically for values being added to the RunOnce key. As most analysts are likely aware, the purpose of the RunOnce key is exactly that…to launch executables once. When the RunOnce key is enumerated, the value is read, deleted, and the executable it pointed to is launched. In the past, I’ve read about malware executables that are launched from the RunOnce key, and the malware itself, once executed, will re-write a value to that key, essentially allowing the RunOnce key and the malware together to act as if the malware were launched from the Run key.
I wanted to perform this testing from a purely dead-box perspective. Using EDR tools, or relying on the Windows Event Logs. Depending upon your configuration, you could perhaps look to the Sysmon Event Log, or if the system had been rebooted, you could also look to the Microsoft-Windows-Shell-Core%4Operational.evtx Event Log and Events Ripper to percolate unusual executables.
For reference, information on the Registry file format specification can be found here.
Methodology
The first thing I did was use “reg save” to create a backup of the Software hive. I then renamed the RunOnce key, and added a value (i.e., “Calc”), and renamed the key back to “RunOnce”, all via RegEdit. I then closed RegEdit and used “reg save” to create a second copy of the Software hive. I then opened RegEdit, deleted the value, and saved a third copy of the Software hive.
During this process, I did not reboot the system; rat
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: