windows shutdown event

From ema
EMA ID: ema-1030
Description: In Windows, an application can register for the shutdown event raised by WinLogon; malware abuses this to give a malicious DLL a chance to execute every time the machine shuts down.

When the machine is shut down the malware is loaded into memory. It then downloads the primary malware and reinfects the machine. The malware will also lie dormant during incident reporting processes.

The registration lives under:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

If this subkey doesn't exist you are in good shape. If a subkey with any name exists under it and that subkey has a "shutdown" value, then the DLL named in its "DLLName" value will be launched during the shutdown process.
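A defender's check for the rule above, written as an added example (not code from the ema page or the ISC diary it cites): walk the Winlogon\Notify key, keep only subkeys that carry a "Shutdown" value, and record the DLLName each one points at together with its hash and signature status. The value names come from the page; resolving a bare DLL name against System32 and the output layout are this script's own assumptions.

```powershell
# Added example: audit Winlogon\Notify for shutdown handlers (run elevated).
# Registry path and the "Shutdown"/"DLLName" value names are from the ema page;
# everything else here is an assumption of this script.
$NotifyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

function Get-WinlogonShutdownHandlers {
    param([string]$Path = $NotifyPath)

    # Page's rule: no Notify key at all means nothing is registered.
    if (-not (Test-Path -LiteralPath $Path)) { return @() }

    foreach ($sub in Get-ChildItem -LiteralPath $Path) {
        $props = Get-ItemProperty -LiteralPath $sub.PSPath

        # Page's rule: only subkeys with a "Shutdown" value fire at shutdown.
        if ($null -eq $props.PSObject.Properties['Shutdown']) { continue }

        $dll = [string]$props.DLLName
        $dll = [Environment]::ExpandEnvironmentVariables($dll)
        # Assumption: a bare file name is resolved from System32, as a loader
        # search would normally find it there.
        if ($dll -and $dll -notmatch '[\\/]') {
            $dll = Join-Path $env:SystemRoot "System32\$dll"
        }

        $onDisk = [bool]($dll -and (Test-Path -LiteralPath $dll))
        [pscustomobject]@{
            Subkey   = $sub.PSChildName
            Shutdown = $props.Shutdown          # exported function name the handler registers
            DLLName  = $props.DLLName
            Resolved = $dll
            OnDisk   = $onDisk
            SHA256   = if ($onDisk) { (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash } else { $null }
            SigState = if ($onDisk) { (Get-AuthenticodeSignature -LiteralPath $dll).Status } else { $null }
        }
    }
}

# Empty output means the Notify key is absent or holds no "Shutdown" entries.
Get-WinlogonShutdownHandlers | Format-List
```

Any entry whose DLL is unsigned, missing from disk, or not a known Microsoft notification package deserves a closer look; compare the SHA256 against a clean reference image before trusting it.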

Associated Capabilities/Subcapabilities: Persistence

Notes: MM Notify CallBack (3/22/2013): https://isc.sans.edu/diary/Wipe+the+drive!++Stealthy+Malware+Persistence+-+Part+4/15460