performing-malware-persistence-investigation

# Performing Malware Persistence Investigation ## When to Use - When investigating how malware maintains presence on a compromised system after reboots - During incident response to identify all persistence mechanisms for complete remediation - For threat hunting to discover unauthorized autostart entries across endpoints - When analyzing malware behavior to understand its persistence strategy - For verifying that all persistence has been removed after incident remediation ## Prerequisites - Forensic image or live system access with administrative privileges - Autoruns (Sysinternals) for Windows persistence enumeration - RegRipper for offline registry analysis - Understanding of Windows and Linux persistence mechanisms - YARA rules for scanning persistence locations - Baseline of known-good autorun entries for comparison ## Workflow ### Step 1: Enumerate Windows Registry Persistence ```bash # Extract registry hives from forensic image mount -o ro,loop,offset=$((2048*512)) /cases/case-2024-001/images/evidence.dd /mnt/evidence # Key registry persistence locations python3 << 'PYEOF' from Registry import Registry import json results = {'registry_persistence': []} # SYSTEM hive analysis system_reg = Registry.Registry("/cases/case-2024-001/registry/SYSTEM") select = system_reg.open("Select") current = select.value("Current").value() cs = f"ControlSet{current:03d}" # Services (very common persistence) services = system_reg.open(f"{cs}\\Services") for svc in services.subkeys...