A Story of Persistence – Windows Part 2


This is the second part; the first part is here.

Malware uses persistence mechanisms to keep access to a system across restarts. MITRE ATT&CK lists Persistence as a tactic, and the individual persistence mechanisms are its techniques.

This article follows the same structure as the first one:

  1. Name and some details of the persistence mechanism.
  2. How it works.
  3. Threat actors or malware who use this consistently.
  4. How to set it up.
  5. How to detect it from the event logs.
  6. How to get more details about it, using tools like PowerShell, Autoruns or any other tool.
  7. How to remove it.

First persistence mechanism:

Name: Service

Microsoft Windows services, formerly known as NT services, enable you to create long-running executable applications that run in their own Windows sessions. These services can be automatically started when the computer boots, can be paused and restarted, and do not show any user interface. These features make services ideal for use as a persistence mechanism in malware. (Most of this paragraph is copied from the MSDN documentation.)

Services have different startup types: they can be set up to start manually, automatically, or automatically with a delay. Automatic services start first; automatic (delayed start) services start after all automatic services have started.

A long list of malware uses this persistence mechanism; the most prevalent these days are:

  1. Emotet.
  2. Netwalker.
  3. Remcom.
  4. Many more mentioned here.

Let's first enable the audit policy that lets us see service creation in the Security event log.

Command to enable the required audit logging:

auditpol /set /category:"System" /success:enable /failure:enable

Setting up a service is pretty straightforward; the steps I followed are:

  1. Created a Windows service using the Metasploit template from this location.
  2. Updated the code to log instead of running malicious code.
  3. Compiled the service in Visual Studio 2019.
  4. Created the service using the following command:

     sc.exe create asktest binpath= service.exe

  5. Checked that the service was created in services.msc in Windows.

How to check for presence in the event logs:

Get-WinEvent -FilterHashtable @{LogName="Security";ID=4697;} | Select *

As you may have guessed, 4697 is the Windows event ID for service creation ("A service was installed in the system"), written to the Security log once the audit policy above is enabled.
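To get more detail than the raw Select * output, the following added PowerShell example (not from the original post) parses each 4697 event by field name, enriches it with the current service configuration from the Service Control Manager, and flags service binaries that live outside the Windows directory. It assumes it is run elevated, that the audit policy above is already enabled, and the $Days parameter is a hypothetical lookback window.

```powershell
# Added example: triage Security event 4697 (service installed) records.
# Assumes an elevated session with System auditing enabled; $Days is hypothetical.
param([int]$Days = 7)

$since  = (Get-Date).AddDays(-$Days)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4697; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # EventData is positional in the XML, so map each <Data> element by its Name attribute
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Strip surrounding quotes so path checks work for quoted image paths
    $image = ($data.ServiceFileName -as [string]).Trim('"')

    # Enrich with live SCM state; $svc is $null if the service has since been removed
    $safeName = $data.ServiceName -replace "'", "''"
    $svc = Get-CimInstance Win32_Service -Filter "Name='$safeName'" -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Time          = $e.TimeCreated
        CreatedBy     = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
        ServiceName   = $data.ServiceName
        ImagePath     = $image
        # ServiceStartType is numeric: 2 = automatic, 3 = manual (demand), 4 = disabled
        StartType     = $data.ServiceStartType
        RunsAs        = $data.ServiceAccount
        StillPresent  = [bool]$svc
        CurrentState  = $svc.State
        CurrentPath   = $svc.PathName
        # A service binary outside %SystemRoot% (or given as a bare relative name,
        # like the sc.exe example above) deserves a closer look
        OutsideWinDir = -not ($image -like "$env:SystemRoot*")
    }
}

$rows | Sort-Object Time -Descending | Format-Table -AutoSize
```

Once a flagged service is confirmed malicious, Stop-Service followed by sc.exe delete <name> removes it; keep the 4697 record and a copy of the binary for the investigation.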

I think these details are enough for this blog.


About the author

Ahmed Kasmani
