Hey there, fellow threat hunters! 👋 Today we're diving into the fascinating world of Windows Scheduled Tasks. While they're essential for system maintenance and automation, they're also a favorite playground for attackers. Let's explore how to spot the difference between legitimate tasks and malicious ones!

Why Attackers Love Scheduled Tasks

Before we dive into detection, let's understand why attackers are so fond of scheduled tasks:

• They persist through system reboots without requiring Run keys or services
• They can run with SYSTEM privileges if configured that way
• Many organizations don't regularly audit their scheduled tasks
• They can blend in with legitimate maintenance tasks

Quick Task Enumeration

Let's start with a simple PowerShell command to list all scheduled tasks:

Get-ScheduledTask | Select-Object TaskName, TaskPath, State, Principal | Format-Table -AutoSize

But that's just scratching the surface. Here's a more detailed script to find potentially suspicious tasks:

# Get tasks with suspicious properties
Get-ScheduledTask | ForEach-Object {
    $task = $_
    $actions = $task | Get-ScheduledTaskInfo
    
    # Check for suspicious patterns
    if ($task.Actions.Execute -match '(powershell|cmd|wscript|cscript)' -or
        $task.TaskPath -notmatch '^\\Microsoft\\' -and
        $task.Principal.UserId -eq "SYSTEM") {
        
        [PSCustomObject]@{
            'TaskName' = $task.TaskName
            'Path' = $task.TaskPath
            'Command' = $task.Actions.Execute
            'Arguments' = $task.Actions.Arguments
            'User' = $task.Principal.UserId
            'LastRun' = $actions.LastRunTime
            'NextRun' = $actions.NextRunTime
        }
    }
} | Format-Table -AutoSize

Red Flags to Watch For

Here are some telltale signs that a scheduled task might be malicious:

• Tasks that execute PowerShell with encoded commands
• Tasks running from unusual locations (like Temp directories)
• Tasks with generic or random-looking names
• SYSTEM-level tasks that don't originate from Microsoft
• Tasks that trigger on user login but run as SYSTEM

Deep Dive: Task XML Analysis

Sometimes the real dirt is in the task's XML definition. Here's how to check it:

$taskName = "SuspiciousTask"
$task = Get-ScheduledTask -TaskName $taskName
[xml]$taskXml = Export-ScheduledTask -TaskName $task.TaskName

Common Attack Patterns

Let's look at some real-world examples (obfuscated for safety):

# Malicious PowerShell execution
Action: powershell.exe
Arguments: -enc JiYoZW5jb2RlZF9wYXlsb2FkJiY=

# Credential theft via scheduled task
Action: cmd.exe
Arguments: /c net use \\server\share /user:domain\user password > %temp%\out.txt

# Persistence through task folder monitoring
Action: wscript.exe
Arguments: //B //NOLOGO C:\Windows\Temp\monitor.vbs

Hunting Script

Here's a more comprehensive hunting script to help you find suspicious tasks:

function Find-SuspiciousScheduledTasks {
    $suspiciousPatterns = @(
        '.*powershell.*-enc.*',
        '.*cmd.*/c.*',
        '.*wscript.*',
        '.*%temp%.*',
        '.*%appdata%.*'
    )

    Get-ScheduledTask | ForEach-Object {
        $task = $_
        $actions = $task | Get-ScheduledTaskInfo
        
        # Check command and arguments against patterns
        $suspicious = $false
        $matchedPattern = ""
        
        foreach ($pattern in $suspiciousPatterns) {
            if ($task.Actions.Execute -match $pattern -or 
                $task.Actions.Arguments -match $pattern) {
                $suspicious = $true
                $matchedPattern = $pattern
                break
            }
        }
        
        # Report suspicious tasks
        if ($suspicious) {
            [PSCustomObject]@{
                'TaskName' = $task.TaskName
                'Path' = $task.TaskPath
                'Command' = $task.Actions.Execute
                'Arguments' = $task.Actions.Arguments
                'User' = $task.Principal.UserId
                'LastRun' = $actions.LastRunTime
                'Pattern' = $matchedPattern
            }
        }
    }
}

Using Managed Service Accounts

Remember our discussion about MSAs and gMSAs in our Best practices for securing Windows services post? The same principles apply to scheduled tasks! Instead of using regular service accounts, you can (and should) use managed service accounts for your scheduled tasks. Here's how:

# Create a scheduled task with gMSA
$action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\Scripts\Maintenance.ps1"
$trigger = New-ScheduledTaskTrigger -Daily -At 3am
$principal = New-ScheduledTaskPrincipal -UserID "domain\gMSA_MaintenanceTask$" -LogonType Password
Register-ScheduledTask -TaskName "MaintenanceTask" -Action $action -Trigger $trigger -Principal $principal

Benefits of using MSAs/gMSAs for scheduled tasks:

• Automatic password management - no more expired passwords breaking your tasks
• Enhanced security through complex, rotating passwords
• Centralized management in Active Directory
• Reduced attack surface compared to regular service accounts
• Better audit trails for task execution

Pro Tips

• Always baseline your known-good tasks first
• Monitor for new task creation, especially outside of Microsoft paths
• Look for tasks that execute from temporary locations
• Pay special attention to SYSTEM-level tasks
• Document your organization's legitimate maintenance tasks

Wrapping Up

Remember, not every suspicious-looking task is malicious, and not every malicious task looks suspicious! The key is understanding what's normal in your environment and investigating anything that stands out. Stay safe, and happy hunting! 🕵️‍♂️ P.S. Want to learn more about Windows security? Check out our other security-focused guides!

Hey there, fellow threat hunters! 👋 Today we're diving into Windows Service hardening. Sure, everyone knows you should "secure your services," but let's get into the nitty-gritty of what that actually means and how to do it properly.

Understanding the Basics: Why Services Are a Target

Before we jump into hardening, let's understand why attackers love targeting Windows services:

• Often run with SYSTEM privileges
• Start automatically with Windows
• Can be used for persistence
• Many organizations don't properly audit them
• Provide access to system resources

1. Service Account Principle of Least Privilege

First, let's check for services running with excessive privileges:

# Get services running as SYSTEM
Get-WmiObject win32_service | 
    Where-Object {$_.StartName -eq "LocalSystem"} |
    Select-Object Name, DisplayName, StartName, PathName |
    Format-Table -AutoSize

Best practices for service accounts:

• Use managed service accounts (MSAs) where possible
• Create dedicated service accounts with minimal permissions
• Never use domain admin accounts for services
• Regularly audit service account permissions
• Document service account dependencies and permissions

2. Understanding Service Accounts: MSA vs gMSA

Let's clear up some confusion about service accounts. I've seen too many environments where admins either don't know about or don't understand the difference between Managed Service Accounts (MSAs) and Group Managed Service Accounts (gMSAs).

Traditional Service Accounts - The Old Way

First, let's remember why we're moving away from traditional service accounts:

• Manual password management
• Password rotation headaches
• Service interruptions during password changes
• Passwords stored in scripts/documentation
• No centralized management

Managed Service Accounts (MSAs)

MSAs are like your entry-level managed accounts:

• Features:
  • Automatic password management
  • Simplified SPN management
  • Can only be used on one computer
  • Built-in password rotation
• Best used for:
  • Single-server applications
  • Standalone services
  • Windows Server 2008 R2 environments
  • Simple service deployments

Here's how to create an MSA:

# Create a regular MSA
New-ADServiceAccount -Name "MSA_AppService" -RestrictToSingleComputer

# Install the MSA on the server
Add-ADComputerServiceAccount -Identity "ServerName" -ServiceAccount "MSA_AppService"

# Install the service account locally
Install-ADServiceAccount -Identity "MSA_AppService"

# Test the installation
Test-ADServiceAccount -Identity "MSA_AppService"

Group Managed Service Accounts (gMSAs) - The Modern Approach

gMSAs are like MSAs with superpowers:

• Features:
  • Can be used across multiple servers
  • Automatic password management
  • Complex 240-character passwords
  • Centralized management
  • Supports Failover Clusters
  • Built-in SPN management
• Best used for:
  • Farm deployments
  • Load-balanced services
  • Clustered services
  • Modern Windows deployments (2012 R2 and newer)
  • Enterprise applications

Here's how to set up a gMSA:

# First, ensure you have a KDS Root Key (only needed once in the domain)
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

# Create a security group for servers that will use the gMSA
New-ADGroup -Name "gMSA_Servers" `
   -GroupScope Global `
   -Description "Servers that can use the gMSA account"

# Add servers to the group
Add-ADGroupMember -Identity "gMSA_Servers" -Members "Server1$","Server2$"

# Create the gMSA
New-ADServiceAccount -Name "gMSA_WebApp" `
   -DNSHostName "gMSA_WebApp.domain.com" `
   -PrincipalsAllowedToRetrieveManagedPassword "gMSA_Servers" `
   -ServicePrincipalNames "HTTP/webapp.domain.com"

# Install on each server
Invoke-Command -ComputerName "Server1", "Server2" -ScriptBlock {
   Install-ADServiceAccount -Identity "gMSA_WebApp"
   Test-ADServiceAccount -Identity "gMSA_WebApp"
}

When to Use What - Decision Matrix

Scenario	Recommended Account Type	Reason
Single server application	MSA	Simpler to manage, sufficient for single-server deployments
Web farm	gMSA	Supports multiple servers, works with load balancing
Failover cluster	gMSA	Supports resource migration between nodes
Legacy application	Traditional Service Account	If application doesn't support managed accounts
Modern enterprise app	gMSA	Best security features and management capabilities

Common Pitfalls and Troubleshooting

Let's look at some common issues and how to resolve them:

# Issue 1: Service won't start with gMSA
# Check if the server can retrieve the password
Test-ADServiceAccount -Identity "gMSA_WebApp"

# Issue 2: SPNs not registering
# View current SPNs
Get-ADServiceAccount -Identity "gMSA_WebApp" -Properties ServicePrincipalNames

# Add missing SPN
Set-ADServiceAccount -Identity "gMSA_WebApp" `
   -ServicePrincipalNames @{Add="HTTP/newapp.domain.com"}

# Issue 3: Permission problems
# Check gMSA permissions
Get-ADServiceAccount -Identity "gMSA_WebApp" -Properties * |
   Select-Object Name, PrincipalsAllowedToRetrieveManagedPassword

3. Service Executable Security

Now that we have our service accounts sorted, let's lock down the service executables themselves:

# Comprehensive service executable audit script
function Audit-ServiceExecutables {
   Get-WmiObject win32_service | ForEach-Object {
       $service = $_
       $execPath = $service.PathName -replace '^"([^"]+)".*', '$1'
       
       try {
           $acl = Get-Acl $execPath -ErrorAction Stop
           $sig = Get-AuthenticodeSignature $execPath -ErrorAction Stop
           
           [PSCustomObject]@{
               ServiceName = $service.Name
               ExecutablePath = $execPath
               Permissions = $acl.Access | Where-Object {
                   $_.IdentityReference -notmatch 'NT SERVICE|NT AUTHORITY|BUILTIN'
               }
               IsSigned = $sig.Status -eq 'Valid'
               SignatureStatus = $sig.Status
               SignedBy = $sig.SignerCertificate.Subject
               LastWriteTime = (Get-Item $execPath).LastWriteTime
               FileHash = (Get-FileHash $execPath).Hash
           }
       } catch {
           Write-Warning "Could not check $($service.Name): $($_.Exception.Message)"
       }
   }
}

Best practices for service executables:

• File System Security:
  • Place service executables in secure locations
  • Restrict permissions to SYSTEM and Administrators
  • Enable auditing on executable directories
  • Use file integrity monitoring
• Signature Verification:
  • Only allow signed executables
  • Verify signature chain
  • Maintain an allowlist of trusted publishers
• Path Security:
  • Use fully qualified paths
  • Avoid paths with spaces unless properly quoted
  • Restrict write access to service directories

Here's a script to fix common service path issues:

# Fix unquoted service paths
Get-WmiObject win32_service | 
   Where-Object {$_.PathName -notmatch '^".*"$' -and $_.PathName -match '\s+'} |
   ForEach-Object {
       $newPath = '"' + $_.PathName + '"'
       Write-Host "Fixing path for $($_.Name)"
       $_ | Set-WmiInstance -Arguments @{PathName=$newPath}
   }

4. Service Dependencies and Attack Surface

Understanding service dependencies is crucial for security. One vulnerable dependency can compromise your entire service chain:

# Comprehensive dependency mapping function
function Get-ServiceDependencyMap {
   param(
       [string]$ServiceName,
       [int]$MaxDepth = 10
   )
   
   $dependencyMap = @{}
   $seenServices = @{}
   
   function Map-Dependencies {
       param(
           $ServiceName,
           $CurrentDepth = 0
       )
       
       if ($CurrentDepth -gt $MaxDepth -or $seenServices.ContainsKey($ServiceName)) {
           return
       }
       
       $seenServices[$ServiceName] = $true
       $service = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
       
       if ($service) {
           $serviceInfo = @{
               Status = $service.Status
               StartType = $service.StartType
               Dependencies = @()
               DependentServices = @()
           }
           
           # Get dependencies
           $service.ServicesDependedOn | ForEach-Object {
               $serviceInfo.Dependencies += $_.Name
               Map-Dependencies -ServiceName $_.Name -CurrentDepth ($CurrentDepth + 1)
           }
           
           # Get dependent services
           $service.DependentServices | ForEach-Object {
               $serviceInfo.DependentServices += $_.Name
           }
           
           $dependencyMap[$ServiceName] = $serviceInfo
       }
   }
   
   Map-Dependencies -ServiceName $ServiceName
   return $dependencyMap
}

5. Advanced Hardening Techniques

Beyond basic configuration, let's implement advanced hardening:

5.1 Service Isolation

# Configure service isolation
$serviceName = "YourService"
$sddl = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)"

# Apply restricted security descriptor
sc.exe sdset $serviceName $sddl

# Verify the change
$service = Get-WmiObject win32_service -Filter "Name='$serviceName'"
$service.GetSecurityDescriptor().Descriptor

5.2 Resource Access Restrictions

# Create a restricted token for service
$policy = @'
{
   "Windows": {
       "SecurityFilters": [
           {
               "Services": {
                   "IsolationType": "Limited",
                   "RestrictedServices": ["YourService"],
                   "Capabilities": ["EnumerateUsers"]
               }
           }
       ]
   }
}
'@

Set-Content -Path "C:\ServicePolicy.json" -Value $policy

# Apply policy using Windows Security
New-ServiceSecurityPolicy -Path "C:\ServicePolicy.json"

6. Monitoring and Incident Response

Set up proper monitoring for your hardened services:

# Create an event monitor for critical service changes
$query = @"
    <QueryList>
        <Query Id="0" Path="System">
            <Select Path="System">
                *[System[(EventID=7030 or EventID=7031 or EventID=7032 or 
                  EventID=7034 or EventID=7035 or EventID=7036 or EventID=7040)]]
            </Select>
        </Query>
    </QueryList>
"@

# Create the event subscription
$params = @{
    Query = $query
    SourceIdentifier = "ServiceMonitor"
    Action = {
        $event = $Event.SourceEventArgs.NewEvent
        $message = "Service Event Detected: $($event.Message)"
        Send-MailMessage -To "admin@domain.com" -Subject "Service Alert" -Body $message
    }
}

Register-CimIndicationEvent @params

7. Common Attack Scenarios and Mitigations

Let's look at real-world attacks and how to prevent them:

7.1 DLL Hijacking Prevention

# Audit service DLL load paths
function Audit-ServiceDLLPaths {
   Get-WmiObject win32_service | ForEach-Object {
       $service = $_
       if ($service.PathName -like "*svchost.exe*") {
           $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$($service.Name)\Parameters"
           $dllPath = Get-ItemProperty -Path $regPath -Name "ServiceDll" -ErrorAction SilentlyContinue
           
           if ($dllPath) {
               [PSCustomObject]@{
                   ServiceName = $service.Name
                   DLLPath = $dllPath.ServiceDll
                   Exists = Test-Path $dllPath.ServiceDll
                   IsSecurePath = $dllPath.ServiceDll -like "$env:SystemRoot\System32\*"
               }
           }
       }
   }
}

7.2 Privilege Escalation Prevention

• Service Configuration:
  • Restrict service account permissions
  • Remove unnecessary privileges
  • Implement service isolation
  • Monitor for privilege changes
• File System Security:
  • Lock down service directories
  • Implement access controls
  • Monitor for unauthorized changes

8. Quick Reference - Hardening Checklist

Category	Action	Priority
Account Security	Implement gMSA	High
File System	Secure service paths	High
Dependencies	Map and secure dependencies	Medium
Monitoring	Implement change detection	High
Isolation	Configure service isolation	Medium

References

• [1] Microsoft Security Baseline Documentation
• [2] NIST SP 800-123: "Guide to General Server Security"
• [3] CIS Benchmarks: "Windows Server Security Configuration"
• [4] MITRE ATT&CK: "System Services: Service Execution"

Wrapping Up

Remember, service hardening is not a one-time task but an ongoing process. Keep your configurations updated, monitor for changes, and regularly audit your service security posture. Stay tuned for our next post where we'll dive into Windows Scheduled Task security! Until then, keep hunting! 🕵️‍♂️

Hey there, fellow threat hunters! 👋 Today we're diving into everyone's favorite Windows feature - the Registry. This isn't just another basic "check your Run keys" tutorial. We're going deep into the attacker's playbook to understand not just where they hide, but why they choose these locations. Grab your coffee, because this is going to be a good one!

1. The Run Keys Family - More Than Meets the Eye

Let's start with the classics. Yes, everyone knows about Run keys, but there's more to them than you might think:

# Primary Run Keys
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

# Less Known Run Keys
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Run

Why attackers love them:

• Survive system reboots
• Execute with user/system privileges
• No special permissions needed for HKCU keys
• RunOnce keys automatically delete after execution (great for staging payloads)

Real-world example: The Emotet malware used Run keys with randomly generated names, storing encoded PowerShell commands for persistence [1]. Recent variants even implemented a technique to monitor and restore these registry keys if removed [2].

2. The Windows Services Registry - Attacker's VIP Lounge

Services are a goldmine for persistence. The main registry location:

HKLM\SYSTEM\CurrentControlSet\Services

Why attackers choose services:

• Run with SYSTEM privileges by default
• Can specify custom service accounts
• Support for multiple trigger methods:
  • Boot-time execution
  • On-demand activation
  • Delayed start
• Can masquerade as legitimate Windows services
• Harder to detect than Run keys

Key attributes attackers modify:

• ImagePath: Points to the malicious executable
• ServiceDLL: For shared service processes
• ObjectName: Service account to run under
• Type: Kernel drivers (1) vs user-mode services (16)
• Start: Boot (0), System (1), Auto (2), Manual (3), Disabled (4)

Real-world example: The BlackByte ransomware creates a service named "BConfig" with Type=16 and Start=2 to ensure persistence across reboots [3].

3. The COM Object Hijacking - Advanced Persistence

COM objects are like a five-star hotel for malware:

HKLM\SOFTWARE\Classes\CLSID
HKCU\SOFTWARE\Classes\CLSID
HKLM\SOFTWARE\Classes\Wow6432Node\CLSID  # 64-bit systems

Why attackers love COM hijacking:

• Triggers when legitimate applications load COM objects
• Can intercept calls to legitimate DLLs
• Often overlooked in security scans
• Persists through system updates
• Can achieve DLL search order hijacking

Real-world example: The Astaroth trojan hijacked the CLSID "{62BE5D10-60EB-11D0-BD3B-00A0C911CE86}" used by various Windows processes to maintain persistence and intercept system calls [4].

4. Shell Extensions - The Silent Watchers

Shell extensions can monitor and intercept user actions:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

# Context Menu Handlers
HKCR\*\shellex\ContextMenuHandlers
HKCR\Directory\shellex\ContextMenuHandlers

Why attackers use shell extensions:

• Load whenever Explorer.exe runs
• Can monitor file system activities
• Intercept right-click context menus
• Execute when specific file types are opened
• Often trusted by Windows

Real-world example: The HookExplorer malware used shell extensions to monitor file operations and capture banking credentials, persisting through Windows Explorer's trusted execution.

5. Explorer Load Points - The Sneaky Ones

These keys load when Explorer.exe starts:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load

Why attackers choose these:

• AppInit_DLLs inject into every process that loads User32.dll
• Winlogon Shell modifications affect the login process
• Windows\Load runs whenever a user logs in
• Often survive system updates

Real-world example: The Ursnif banking trojan utilized AppInit_DLLs for system-wide code injection, making it particularly difficult to detect and remove.

6. File Association Hijacking - The Subtle Approach

Let's look at how attackers change Windows file type handling:

# File Association Registry Locations
HKCR\.exe
HKCR\.dll
HKCR\.cmd
HKLM\SOFTWARE\Classes\.exe

Why it's effective:

• Executes whenever specific file types are opened
• Can intercept execution of legitimate files
• Often overlooked in security audits
• Can affect all users on the system

Here's a script to check for file association hijacking:

# Check for modified file associations
$suspectExtensions = @('.exe', '.dll', '.cmd', '.bat', '.ps1')

foreach ($ext in $suspectExtensions) {
    $defaultHandler = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\$ext" -ErrorAction SilentlyContinue)."(Default)"
    $userHandler = (Get-ItemProperty -Path "HKCU:\SOFTWARE\Classes\$ext" -ErrorAction SilentlyContinue)."(Default)"
    
    if ($defaultHandler -ne $null -or $userHandler -ne $null) {
        [PSCustomObject]@{
            Extension = $ext
            SystemHandler = $defaultHandler
            UserHandler = $userHandler
            Suspicious = ($userHandler -ne $null -and $userHandler -ne $defaultHandler)
        }
    }
}

Real-world example: The Carbanak group used file association hijacking to intercept .doc file openings, enabling them to monitor banking documents [5].

7. LSA Providers - The Crown Jewels

LSA (Local Security Authority) providers handle authentication:

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig

Why attackers target LSA:

• Can intercept authentication processes
• Access to plain-text credentials
• High-privilege execution
• Difficult to detect without specialized monitoring

Real-world example: APT29 utilized LSA provider manipulation as part of their credential theft toolkit, demonstrating the sophisticated abuse of this registry location [6].

Detection Strategies

Key areas to focus your monitoring efforts:

• Registry Monitoring:
  • Use Process Monitor to track registry modifications
  • Set up alerts for modifications to critical keys
  • Monitor for new registry values in known persistence locations
• Baseline Comparison:
  • Maintain a known-good baseline of registry keys
  • Regularly compare current state against baseline
  • Document legitimate changes during software installations
• Suspicious Indicators:
  • Encoded PowerShell commands
  • Paths to temporary directories
  • References to common attack tools
  • Unsigned executables in system locations

Comprehensive Detection Script

Here's a thorough script that checks all the persistence locations we discussed:

# Comprehensive Registry Persistence Hunter
# Use with caution and only on systems you own/have permission to scan

function Write-ColorOutput {
    param(
        [string]$Message,
        [string]$Color = "White"
    )
    Write-Host $Message -ForegroundColor $Color
}

# Initialize suspicious patterns
$suspiciousPatterns = @{
    Commands = @(
        "*powershell*", "*cmd.exe*", "*wscript*", "*cscript*",
        "*rundll32*", "*regsvr32*", "*mshta*", "*certutil*"
    )
    Paths = @(
        "*temp*", "*appdata*", "*downloads*", 
        "*/windows/fonts/*", "*/recycle*", "*/perflogs/*"
    )
    Extensions = @(
        "*.ps1", "*.vbs", "*.js", "*.hta", "*.exe", "*.dll",
        "*.cmd", "*.bat", "*.scr", "*.tmp"
    )
    Encodings = @(
        "*base64*", "*utf-8*", "*utf-16*", "*unicode*",
        "*-enc*", "*-encodedcommand*", "*-e *", "*-ec *"
    )
    Keywords = @(
        "*bypass*", "*hidden*", "*encrypt*", "*http*", "*https*",
        "*ftp*", "*ssh*", "*admin*", "*password*", "*credential*"
    )
}

function Test-SuspiciousValue {
    param(
        [string]$Value
    )
    
    foreach ($category in $suspiciousPatterns.Keys) {
        foreach ($pattern in $suspiciousPatterns[$category]) {
            if ($Value -like $pattern) {
                return @{
                    IsSuspicious = $true
                    Category = $category
                    Pattern = $pattern
                }
            }
        }
    }
    return @{
        IsSuspicious = $false
        Category = $null
        Pattern = $null
    }
}

function Get-RegistryKeyLastWriteTime {
    param(
        [string]$Path
    )
    try {
        $key = Get-Item -LiteralPath $Path -ErrorAction Stop
        return $key.GetValue("LastWriteTime")
    }
    catch {
        return $null
    }
}

function Check-RegistryLocation {
    param(
        [string]$Path,
        [string]$Description
    )
    
    Write-ColorOutput "`nChecking $Description" "Yellow"
    Write-ColorOutput "Location: $Path" "Gray"
    
    $findings = @()
    
    try {
        # Get all properties
        $items = Get-ItemProperty -Path $Path -ErrorAction Stop
        
        # Get subkeys if they exist
        $subKeys = Get-ChildItem -Path $Path -ErrorAction SilentlyContinue
        
        # Check properties
        foreach ($prop in ($items.PSObject.Properties | 
            Where-Object { $_.Name -notin @('PSPath','PSParentPath','PSChildName','PSProvider')})) {
            
            $suspiciousCheck = Test-SuspiciousValue -Value $prop.Value
            
            if ($suspiciousCheck.IsSuspicious) {
                $findings += [PSCustomObject]@{
                    Location = $Path
                    ItemName = $prop.Name
                    ItemValue = $prop.Value
                    Type = "Property"
                    SuspiciousCategory = $suspiciousCheck.Category
                    MatchedPattern = $suspiciousCheck.Pattern
                    LastWriteTime = Get-RegistryKeyLastWriteTime -Path $Path
                }
            }
        }
        
        # Check subkeys if they exist
        if ($subKeys) {
            foreach ($key in $subKeys) {
                $suspiciousCheck = Test-SuspiciousValue -Value $key.Name
                
                if ($suspiciousCheck.IsSuspicious) {
                    $findings += [PSCustomObject]@{
                        Location = $key.PSPath
                        ItemName = $key.Name
                        ItemValue = "(Registry Key)"
                        Type = "Key"
                        SuspiciousCategory = $suspiciousCheck.Category
                        MatchedPattern = $suspiciousCheck.Pattern
                        LastWriteTime = Get-RegistryKeyLastWriteTime -Path $key.PSPath
                    }
                }
            }
        }
    }
    catch {
        Write-ColorOutput "Error accessing $Path : $($_.Exception.Message)" "Red"
        return $null
    }
    
    return $findings
}

# Define registry locations to check
$locationsToCheck = @{
    # Run Keys
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" = "Run Keys (HKLM)"
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" = "RunOnce Keys (HKLM)"
    "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" = "Run Keys (HKCU)"
    "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" = "RunOnce Keys (HKCU)"
    
    # Services
    "HKLM:\SYSTEM\CurrentControlSet\Services" = "Services"
    
    # COM Objects
    "HKLM:\SOFTWARE\Classes\CLSID" = "COM Objects (HKLM)"
    "HKCU:\SOFTWARE\Classes\CLSID" = "COM Objects (HKCU)"
    
    # Shell Extensions
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" = "Shell Extensions"
    
    # Explorer Load Points
    "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" = "Windows Load Points"
    "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" = "Winlogon"
    
    # LSA Providers
    "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" = "LSA Providers"
}

# Main execution
$allFindings = @()
$startTime = Get-Date

Write-ColorOutput "Starting Registry Persistence Hunter" "Green"
Write-ColorOutput "Start Time: $startTime" "Gray"
Write-ColorOutput "Scanning registry locations for suspicious entries..." "Yellow"

foreach ($location in $locationsToCheck.GetEnumerator()) {
    $findings = Check-RegistryLocation -Path $location.Key -Description $location.Value
    if ($findings) {
        $allFindings += $findings
    }
}

# Output findings
if ($allFindings.Count -gt 0) {
    Write-ColorOutput "`nSuspicious Registry Entries Found:" "Red"
    $allFindings | ForEach-Object {
        Write-ColorOutput "`nLocation: $($_.Location)" "Yellow"
        Write-ColorOutput "Item Name: $($_.ItemName)" "White"
        Write-ColorOutput "Value: $($_.ItemValue)" "White"
        Write-ColorOutput "Type: $($_.Type)" "Gray"
        Write-ColorOutput "Category: $($_.SuspiciousCategory)" "Magenta"
        Write-ColorOutput "Matched Pattern: $($_.MatchedPattern)" "Gray"
        if ($_.LastWriteTime) {
            Write-ColorOutput "Last Write Time: $($_.LastWriteTime)" "Gray"
        }
        Write-ColorOutput "-----------------" "Gray"
    }
    
    # Export to CSV
    $timestamp = Get-Date -Format "yyyyMMdd_HHmmss"
    $exportPath = ".\RegistryFindings_$timestamp.csv"
    $allFindings | Export-Csv -Path $exportPath -NoTypeInformation
    Write-ColorOutput "`nFindings exported to: $exportPath" "Green"
}
else {
    Write-ColorOutput "`nNo suspicious registry entries found." "Green"
}

$endTime = Get-Date
$duration = $endTime - $startTime

Write-ColorOutput "`nScan completed in $($duration.TotalSeconds) seconds" "Green"

Usage Notes

• Run this script with administrative privileges for full access to registry locations
• Results are both displayed on screen and exported to a CSV file
• The script includes color-coded output for easier reading
• Suspicious patterns are customizable in the $suspiciousPatterns variable
• Each finding includes:
  • Location of the suspicious entry
  • Item name and value
  • Type (Key or Property)
  • Category of suspicious pattern matched
  • Last write time (when available)
    

Important Cautions

• This script may generate false positives - always verify findings
• Some registry keys require specific permissions to access
• Running comprehensive registry scans may impact system performance
• Always test security scripts in a controlled environment first

This detection script complements our earlier examination of attacker persistence techniques and provides a practical tool for identifying suspicious registry entries.

Wrapping Up

The Windows Registry is an attacker's playground with countless hiding spots. While we've covered the most common locations, remember that creative attackers are always finding new places to hide. The key is understanding not just where to look, but why attackers choose specific locations. Stay tuned for our next post where we'll dive into Windows Service hardening! Until then, keep hunting! 🕵️‍♂️

References

• [1] CISA Alert (AA20-280A): "Emotet Malware"
• [2] Microsoft Security Blog: "New Emotet Techniques"
• [3] Microsoft Threat Intelligence: "BlackByte Ransomware Analysis"
• [4] MITRE ATT&CK: "COM Hijacking - T1546.015"
• [5] MITRE ATT&CK: "Carbanak Group - File Association Hijacking"
• [6] Mandiant: "APT29 Analysis Report"

Additional Resources

• SANS Institute: "Windows Registry Forensics in-depth"
• Microsoft Security baselines
• Sysinternals Documentation: "Process Monitor for Registry Analysis"