From d55cc2c4f7603f504c60273fa2c979a397095bf5 Mon Sep 17 00:00:00 2001 From: cocomelonc Date: Thu, 22 Aug 2024 10:54:15 +0300 Subject: [PATCH] malware persistence 26: add conclusion --- _posts/2024-08-14-malware-pers-26.markdown | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/_posts/2024-08-14-malware-pers-26.markdown b/_posts/2024-08-14-malware-pers-26.markdown index 3747579..a861f38 100644 --- a/_posts/2024-08-14-malware-pers-26.markdown +++ b/_posts/2024-08-14-malware-pers-26.markdown @@ -208,6 +208,12 @@ For the correctness of the experiment, we will launch our Process Hacker 2 and c As you can see, `hack.dll` started correctly, the same effect will be for other Windows programs, even `Procmon64.exe`. I assume the behavior will be the same if you open anything that uses Windows sockets. To be honest, I don't know what this particular registry parameter is used for, but it seems to have something to do with sockets. +So, everything worked as expected. Perfect! =^..^= + +This PoC is how an attacker might use different Windows features like socket connections for running a "malicious" DLL. + +I hope this post spreads awareness to the blue teamers of this interesting persistence technique, and adds a weapon to the red teamers arsenal. + > This is a practical case for educational purposes only. [Windows Sockets](https://learn.microsoft.com/en-us/windows/win32/winsock/windows-sockets-start-page-2)
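Review bot: the new "I hope this post spreads awareness to the blue teamers" sentence in this hunk is not backed by anything a defender can act on, since the context line just above it admits that the purpose of the registry parameter is unknown; before closing the post, consider adding one sentence that tells blue teamers what to watch for (modifications to that registry value, and `hack.dll` being loaded into processes that use Windows sockets such as `Procmon64.exe`, both of which the post already demonstrates), or at least pointing at the Windows Sockets reference already linked below the quote. Minor style points in the same hunk: `red teamers arsenal` should read `red teamers' arsenal`, and `spreads awareness to the blue teamers` reads more naturally as `spreads awareness among blue teamers`.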