89 lines
3.3 KiB
Python
89 lines
3.3 KiB
Python
def get_content():
|
|
"""
|
|
Returns structured content for Basic Persistence Mechanisms.
|
|
"""
|
|
return [
|
|
{
|
|
"title": "BootExecute Key",
|
|
"content": r"""
|
|
### BootExecute Key
|
|
The BootExecute registry key launches processes before the subsystem initializes.
|
|
|
|
**Key Path**:
|
|
- `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session`
|
|
"""
|
|
},
|
|
{
|
|
"title": "WinLogon Process Keys",
|
|
"content": r"""
|
|
### WinLogon Process Keys
|
|
1. **Userinit Key**:
|
|
- Launches login scripts during the user logon process.
|
|
- **Key Path**: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`
|
|
2. **Notify Key**:
|
|
- Handles the `Ctrl+Alt+Del` event.
|
|
- **Key Path**: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify`
|
|
3. **Explorer.exe Key**:
|
|
- Points to `explorer.exe` and can be abused for persistence.
|
|
- **Key Path**: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell`
|
|
"""
|
|
},
|
|
{
|
|
"title": "Startup Keys",
|
|
"content": r"""
|
|
### Startup Keys
|
|
Startup keys allow programs to launch when a user logs on.
|
|
|
|
**Key Paths**:
|
|
- `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders`
|
|
- `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders`
|
|
- `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders`
|
|
- `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders`
|
|
"""
|
|
},
|
|
{
|
|
"title": "Services Keys",
|
|
"content": r"""
|
|
### Services Keys
|
|
Services keys enable services to boot automatically at startup.
|
|
|
|
**Key Paths**:
|
|
- `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services`
|
|
- `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce`
|
|
- `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices`
|
|
"""
|
|
},
|
|
{
|
|
"title": "Browser Helper Objects",
|
|
"content": r"""
|
|
### Browser Helper Objects
|
|
Browser Helper Objects can be used for persistence or malicious activity.
|
|
|
|
**Key Path**:
|
|
- `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects`
|
|
"""
|
|
},
|
|
{
|
|
"title": "AppInit_DLLs",
|
|
"content": r"""
|
|
### AppInit_DLLs
|
|
The AppInit_DLLs registry key specifies DLLs that are loaded into every user-mode process that loads `user32.dll`.
|
|
|
|
**Key Path**:
|
|
- `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs`
|
|
"""
|
|
},
|
|
{
|
|
"title": "Persistence Using Global Flags",
|
|
"content": r"""
|
|
### Persistence Using Global Flags
|
|
Global flags in the Image File Execution Options registry key can be abused for persistence.
|
|
|
|
**Example Commands**:
|
|
- `reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v GlobalFlag /t REG_DWORD /d 512`
|
|
- `reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v ReportingMode /t REG_DWORD /d 1`
|
|
- `reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v MonitorProcess /d "C:\temp\evil.exe"`
|
|
"""
|
|
}
|
|
]
|