LetsDefend Academy

Online practicing and training platform for blue team members

Registry

Attackers often change registry values to ensure persistence. Whenever a registry value changes, Windows generates an Event ID 4657 log entry. You can monitor this log for the registry values commonly used for persistence, or you can check those values after the fact.

Frequently used registry keys


"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce"
"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices"
"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001"
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend"

"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce"
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"

By checking these registry keys, you can determine whether an attacker has dropped a backdoor.
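As an added example (not LetsDefend's own code), the following Python parses a constructed Event ID 4657 record in the Windows event XML schema and flags it when the modified key is one of those listed above; 4657 records the key as \REGISTRY\MACHINE\... or \REGISTRY\USER\<SID>\..., so the hive prefix is normalized before comparison. It assumes the event was exported as XML (for example with `wevtutil qe Security /f:xml`) and that Audit Registry object-access auditing with a SACL on the key is enabled, since 4657 is only written in that case; the OperationType code mapping is an assumption.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Keys from the list above, written as the part that follows the hive name.
WATCHED_KEY_TAILS = {
    t.lower() for t in (
        r"Software\Microsoft\Windows\CurrentVersion\Run",
        r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
        r"Software\Microsoft\Windows\CurrentVersion\RunServices",
        r"Software\Microsoft\Windows\CurrentVersion\RunServicesOnce",
        r"Software\Microsoft\Windows\CurrentVersion\RunOnceEx\0001",
        r"Software\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend",
    )
}
# OperationType codes as they appear in raw 4657 XML (assumed mapping).
OPERATION = {"%%1904": "created", "%%1905": "modified", "%%1906": "deleted"}
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def key_tail(object_name):
    """4657 names the key \\REGISTRY\\MACHINE\\... or \\REGISTRY\\USER\\<SID>\\...;
    drop that hive prefix so the rest can be matched against WATCHED_KEY_TAILS."""
    m = re.match(r"\\?REGISTRY\\(?:MACHINE|USER\\[^\\]+)\\(.*)", object_name, re.I)
    return (m.group(1) if m else object_name).strip("\\")

def flag_persistence(event_xml):
    """Return the fields worth triaging if this is a 4657 on a watched key, else None."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4657":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    if key_tail(data.get("ObjectName", "")).lower() not in WATCHED_KEY_TAILS:
        return None
    wanted = ("ObjectName", "ObjectValueName", "OperationType", "OldValue", "NewValue",
              "SubjectUserName", "ProcessName")
    hit = {k: data.get(k, "") for k in wanted}
    hit["OperationType"] = OPERATION.get(hit["OperationType"], hit["OperationType"])
    return hit

def make_event(object_name, value_name, new_value, old_value="", op="%%1904",
               user="jdoe", process=r"C:\Windows\regedit.exe"):
    """Build a constructed 4657 record (sample data, not a real log) in the event XML schema."""
    fields = {"SubjectUserName": user, "ObjectName": object_name,
              "ObjectValueName": value_name, "OperationType": op,
              "OldValue": old_value, "NewValue": new_value, "ProcessName": process}
    body = "".join(f'<Data Name="{k}">{escape(str(v))}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4657</EventID></System>'
            f"<EventData>{body}</EventData></Event>")
```

Feed each 4657 record from an XML export to `flag_persistence` and triage the hits by value name, new data and the process that made the change.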



Log file for questions:

challange.zip Pass=321


Questions