Thursday, October 21, 2010

Persistence Registry keys and Windows Incident Response

The SANS Computer Forensics blog discusses how to query certain registry keys to find secondary indicators of a compromise.

Dave Hull has created a list of registry keys that can be used to run malware at boot time. He used Autoruns from Microsoft Sysinternals to pull the list of registry keys.

The lists of keys are available in two files:

XPSP3_HKCU_Startup_Locations.txt - cannot be remotely queried
XPSP3_HKLM_Startup_Locations.txt - can be remotely queried
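
As an added example (not code from the SANS post or from Dave Hull's list), the following PowerShell reads a few well-known startup locations from a remote machine through the Remote Registry service and shows why the HKLM list is remotely queryable while the HKCU list is not: per-user keys have to be read under HKEY_USERS by SID instead. It assumes the Remote Registry service is running on the target, the caller has administrative rights there, and the key paths shown are a small hand-picked subset rather than the full list.

```powershell
param([Parameter(Mandatory)][string]$ComputerName)

# Subset of HKLM startup locations (assumed here; the full set is in Dave Hull's files).
$hklmPaths = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
# Per-user locations, relative to each user's hive under HKEY_USERS.
$userPaths = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Read every value under one key of an already-opened remote hive.
function Read-RemoteKey {
    param([Microsoft.Win32.RegistryKey]$Base, [string]$Path, [string]$Label)
    $key = $Base.OpenSubKey($Path)
    if (-not $key) { return }
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{
            Computer = $ComputerName; Hive = $Label; Key = $Path
            Name = $name; Data = $key.GetValue($name)
        }
    }
    $key.Close()
}

# HKLM is exposed by the Remote Registry service, so it can be read directly.
$hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
$results = @(foreach ($p in $hklmPaths) { Read-RemoteKey -Base $hklm -Path $p -Label 'HKLM' })
$hklm.Close()

# There is no remote "HKCU": the current-user hive is a view of HKEY_USERS\<SID>,
# so walk the loaded user hives (domain/local account SIDs, skipping *_Classes).
$hku = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('Users', $ComputerName)
$userSids = $hku.GetSubKeyNames() | Where-Object { $_ -like 'S-1-5-21-*' -and $_ -notlike '*_Classes' }
foreach ($sid in $userSids) {
    foreach ($p in $userPaths) {
        $results += @(Read-RemoteKey -Base $hku -Path "$sid\$p" -Label "HKU\$sid")
    }
}
$hku.Close()

# Review the output against a known-good baseline; unexpected entries are the
# secondary indicators the SANS post talks about.
$results | Sort-Object Hive, Key, Name | Format-Table -AutoSize
```

Only hives of users who are logged on (or otherwise loaded) appear under HKEY_USERS, so offline profiles still need their NTUSER.DAT examined separately.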
