Skip to content

zhubrain/Windows_persistence

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

14 Commits
1. AtBroker/AtBroker
1. AtBroker/AtBroker
 
 
2. Windows Management Instrumentation
2. Windows Management Instrumentation
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

Windows_persistence

Ways for malwares to gain persistence in Windows.

1. Ease of Access - AtBroker.exe

Programs under register key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs" will be executed by windows binary "AtBroker.exe". After a configuration in register "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration = …", the process will be executed anytime when a user log on, or when a destop change happens(e.g., when uac pops up).

2. WMI Event Subscription

Create a permanent WMI subscription, then when a certain event fires up, a vbscript(or a commandline) will be executed.

About

Ways for malwares to gain persistence in Windows.

Resources

Readme

License

GPL-3.0 license
Activity

Stars

2 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages