Basics - Malware Analysis / Persistence Mechanisms

Registry

by 발라먹는 보안 2020. 10. 13.

 

  • Run

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

 

  • Win.ini

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
"Load"=""
"Run"=""
(these two values replace the load= and run= lines of the legacy win.ini [windows] section; anything named in them is started at logon)

 

  • Winlogon\Shell

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
"Shell"="explorer.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
"Shell"=""  (policy override of the shell; normally absent)

 

  • Print Monitor

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\MonitorName
"Driver"="Filename.dll"  (loaded by spoolsv.exe, which runs as SYSTEM)

 

  • Terminal Server Autoruns

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx

 

  • LSA Authentication, Notification and Security Packages

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
"Authentication Packages"  (REG_MULTI_SZ; default is msv1_0)
"Notification Packages"
"Security Packages"

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig
"Security Packages"
(every DLL named here is loaded into lsass.exe at boot)

 

  • Active Setup\Installed Components

HKLM\Software\Microsoft\Active Setup\Installed Components\KeyName
StubPath=C:\PathToFile\Filename.exe

HKCU\Software\Microsoft\Active Setup\Installed Components\KeyName
(per-user marker, not a second launch point: at logon, the StubPath of the HKLM entry runs if this HKCU key is missing or its Version is lower than the HKLM one, and the HKCU key is then written; deleting it makes the stub run again at the next logon)

 

  • UserInit reg value

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
"Userinit"="C:\Windows\system32\userinit.exe,"
(comma-separated list; anything appended after the default entry is also started by winlogon at logon)

 

  • AppInit_DLLs

Reg Key : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
"AppInit_DLLs"=""
"LoadAppInit_DLLs"  (must be 1 for the list to be loaded)
"RequireSignedAppInit_DLLs"  (1 restricts the list to signed DLLs)
(32-bit processes read the copy under HKLM\SOFTWARE\Wow6432Node\...; the DLLs are loaded into every process that loads user32.dll; on Windows 8 and later the mechanism is disabled when Secure Boot is on)

 

  • ShellServiceObjectDelayLoad

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
(each value holds a CLSID; explorer.exe loads the DLL named by HKCR\CLSID\{clsid}\InprocServer32 when the shell starts)

 

  • BootExecute (Session Manager)

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
"BootExecute"=  (REG_MULTI_SZ; default is "autocheck autochk *", run by smss.exe before any service starts)
"Execute"=
"SetupExecute"=
"S0InitialCommand"=
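As an added example that is not part of the original post, the Python script below runs an offline `reg export` dump (Regedit 5.00 text) through the list above. Every entry in a pure launch key (Run, RunOnce, RunOnceEx, Policies\Explorer\Run, ShellServiceObjectDelayLoad, matched by key suffix so the HKCU, Wow6432Node and Terminal Server\Install copies are caught too) is reported; values with a stable default (Userinit, Shell, BootExecute, AppInit_DLLs, the win.ini Load/Run values, Authentication Packages) are reported only when they deviate, and values without one across Windows versions (Notification Packages, Security Packages, LoadAppInit_DLLs) are merely flagged for review. It also applies the Active Setup rule: an HKLM StubPath fires for a user whose HKCU marker is missing or carries an older Version. The export in SAMPLE, the paths in it and the component id are constructed; none of them refers to a real sample.

```python
"""Triage a `reg export` text dump for the autostart (ASEP) keys listed above.
Added example, not code from the original post: it parses an offline .reg export
(Regedit 5.00 text), so it runs on any OS. SAMPLE is constructed; its paths and
Active Setup component id are placeholders."""
import re

ALL = object()     # every value under the key is a launch entry: report them all
REVIEW = object()  # no stable default across Windows versions: report if present

# Key suffix -> expected values (or ALL); matched case-insensitively on the suffix,
# so the HKLM, HKCU, Wow6432Node and Terminal Server\Install copies all hit.
ASEPS = {
    **{"\\Microsoft\\Windows\\CurrentVersion\\" + k: ALL for k in
       ("Run", "RunOnce", "RunOnceEx", "Policies\\Explorer\\Run", "ShellServiceObjectDelayLoad")},
    r"\Microsoft\Windows NT\CurrentVersion\Windows": {  # win.ini Load/Run and AppInit
        "Load": "", "Run": "", "AppInit_DLLs": "", "LoadAppInit_DLLs": REVIEW},
    r"\Microsoft\Windows NT\CurrentVersion\Winlogon": {
        "Userinit": r"C:\Windows\system32\userinit.exe,", "Shell": "explorer.exe"},
    r"\Microsoft\Windows\CurrentVersion\Policies\System": {"Shell": ""},
    r"\Control\Session Manager": {"BootExecute": ["autocheck autochk *"], "SetupExecute": "", "Execute": "", "S0InitialCommand": ""},
    r"\Control\Lsa": {"Authentication Packages": ["msv1_0"],
                      "Notification Packages": REVIEW, "Security Packages": REVIEW},
}

def _decode(raw):
    """One .reg value: "str", dword:, hex(2)/hex(7) as UTF-16LE text, other hex as bytes."""
    if raw[:1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # .reg escapes \ and " with a backslash
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", raw)
    if not m:
        return raw
    kind = int(m.group(1) or 3)  # bare "hex:" is REG_BINARY
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    if kind in (2, 7):  # REG_EXPAND_SZ / REG_MULTI_SZ: UTF-16LE, NUL-terminated
        text = data.decode("utf-16-le").rstrip("\0")
        return [s for s in text.split("\0") if s] if kind == 7 else text
    return data

def parse_reg_export(text):
    """Return {key_path: {value_name: value}} from Regedit 5.00 export text."""
    text = re.sub(r",\\\r?\n\s*", ",", text.lstrip("\ufeff"))  # join hex continuation lines
    tree, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line[:1] == "[" and line[-1:] == "]":
            tree.setdefault(key := line[1:-1], {})
        elif key and (m := re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)):
            name = "(Default)" if m.group(1) == "@" else re.sub(r"\\(.)", r"\1", m.group(1)[1:-1])
            tree[key][name] = _decode(m.group(2))
    return tree

def triage(tree):
    """Return (key, value_name, data, reason) tuples an analyst should look at."""
    found = []
    for key, values in tree.items():
        spec = next((v for s, v in ASEPS.items() if key.lower().endswith(s.lower())), None)
        if spec is ALL:
            found += [(key, n, d, "autostart entry") for n, d in values.items()]
        elif spec:
            for vname, expected in spec.items():
                actual = values.get(vname) or ""  # absent, empty and 0 all mean "unset"
                if expected is REVIEW and actual:
                    found.append((key, vname, actual, "no stable default: review"))
                elif expected is not REVIEW and actual != expected:
                    found.append((key, vname, actual, f"differs from default {expected!r}"))
    return found

def active_setup_pending(tree):
    """StubPaths that fire at the exported user's next logon: HKLM component with a StubPath
    and IsInstalled != 0 whose HKCU marker is missing or has an older Version."""
    marker, hklm, hkcu = "\\active setup\\installed components\\", {}, {}
    for key, values in tree.items():
        if marker in (k := key.lower()):
            (hklm if k.startswith("hkey_local_machine") else hkcu)[k.split(marker, 1)[1]] = values
    ver = lambda s: tuple(int(x) for x in s.split(",")) if s else ()  # "2,0,0,0" -> (2,0,0,0)
    pending = []
    for cid, v in hklm.items():
        if v.get("StubPath") and v.get("IsInstalled", 1) != 0 and (
                cid not in hkcu or ver(hkcu[cid].get("Version")) < ver(v.get("Version"))):
            pending.append((cid, v["StubPath"]))
    return pending

SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"Updater"="C:\\Users\\Public\\svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\Public\\u.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\Users\\Public\\hook.dll"
"LoadAppInit_DLLs"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"=hex(7):61,00,75,00,74,00,6f,00,63,00,68,00,65,00,63,00,6b,00,20,\
  00,61,00,75,00,74,00,6f,00,63,00,68,00,6b,00,20,00,2a,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}]
"StubPath"="C:\\Users\\Public\\setup.exe"
"Version"="2,0,0,0"
[HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}]
"Version"="1,0,0,0"
"""
```

On a real host, export the hives with `reg export HKLM\SOFTWARE hklm_software.reg` (likewise HKLM\SYSTEM and HKCU), open the files with `encoding="utf-16"` because regedit writes UTF-16LE with a BOM, and pass the text to parse_reg_export(); on SAMPLE, triage() reports the two Run entries, the extra path appended to Userinit, the AppInit_DLLs DLL and the enabled LoadAppInit_DLLs flag, leaves the default BootExecute alone, and active_setup_pending() returns the placeholder component because its HKCU marker is one version behind. The Print Monitors entries are not covered here: their Driver values sit in per-monitor subkeys and have to be compared against a known-good host.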