Secondary Categories: 02-Command and Control, 02-Malware

Environmental Keying

When your payload lands on a victim's system, it is important to build your implants/payloads to perform some checks to ensure they are running in the intended environment. Some things we can check:

  • Check if connected to domain
  • Check if being debugged
  • Check system core count or memory
  • Check keyboard language
  • Check date/time
  • Check for mouse movement
  • Check for window resizing

User Profiling

When developing a payload you can also perform checks based on the user profile before the payload executes.

  • Only execute during work hours
  • Only execute before XYZ date
  • Check for software specific to the target's role
  • Check most recently used (MRU) lists
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FindComputerMRU
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Doc Find Spec MRU
    • %AppData%\Microsoft\Windows\Recent
  • Check RDP History
    • HKCU\Software\Microsoft\Terminal Server Client\Servers
    • HKCU\Software\Microsoft\Terminal Server Client\Default
    • HKCU\Software\Microsoft\Terminal Server Client\UsernameHint
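Seen from the detection side, both lists above describe a recognisable pattern: a freshly landed process that, within seconds, probes the debugger, hardware, locale and the user's RDP/MRU history. The following Python is an added example (not part of these notes) that flags such a reconnaissance burst in a sandbox or EDR trace. The trace format (one JSON record per line with `ts`, `pid`, `image`, `kind`, `detail`), the sample lines, the 30-second window, the three-category threshold and the allow-list of benign readers are all constructed assumptions for the example and not any product's real schema; the API names are the standard Win32/Native API names for these checks, and the registry paths are the ones listed above.

```python
"""Flag a process that fingerprints its environment and user in a short burst.

Added example: the input is a constructed, simplified trace (one JSON object
per line: ts, pid, image, kind, detail), not any real sandbox's or EDR's schema.
"""
import json
from collections import defaultdict

# User-profiling registry paths from the notes, upper-cased for matching.
# They live under HKCU, so the hive prefix is stripped before comparison.
PROFILING_KEYS = (
    r"SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FINDCOMPUTERMRU",
    r"SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\DOC FIND SPEC MRU",
    r"SOFTWARE\MICROSOFT\TERMINAL SERVER CLIENT\SERVERS",
    r"SOFTWARE\MICROSOFT\TERMINAL SERVER CLIENT\DEFAULT",
    r"SOFTWARE\MICROSOFT\TERMINAL SERVER CLIENT\USERNAMEHINT",
)

# Environmental-keying signals grouped by category, so that a category
# counts once however many calls a process makes inside it.
API_CATEGORIES = {
    "anti_debug": {"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
                   "NtQueryInformationProcess"},
    "hardware": {"GetSystemInfo", "GlobalMemoryStatusEx"},
    "locale": {"GetKeyboardLayout", "GetKeyboardLayoutList"},
    "user_activity": {"GetCursorPos", "GetLastInputInfo"},
    "domain": {"NetGetJoinInformation"},
}

# Processes expected to read RDP/MRU keys (constructed allow-list, an assumption).
BENIGN_READERS = {"explorer.exe", "mstsc.exe"}

WINDOW_SECONDS = 30   # assumed burst window
MIN_CATEGORIES = 3    # assumed threshold: distinct categories inside the window


def categorise(rec):
    """Map one trace record to a signal category, or None if it is irrelevant."""
    if rec["kind"] == "api":
        for cat, names in API_CATEGORIES.items():
            if rec["detail"] in names:
                return cat
    elif rec["kind"] == "regread":
        path = rec["detail"].upper()
        for prefix in ("HKCU\\", "HKEY_CURRENT_USER\\"):
            if path.startswith(prefix):
                path = path[len(prefix):]
        if any(path.startswith(key) for key in PROFILING_KEYS):
            return "user_profiling"
    return None


def detect_recon_bursts(lines):
    """Return {pid: sorted categories} for every process that hits at least
    MIN_CATEGORIES distinct categories within WINDOW_SECONDS."""
    by_pid = defaultdict(list)
    for line in lines:
        rec = json.loads(line)
        cat = categorise(rec)
        if cat is None:
            continue
        # Registry reads by the usual consumers of these keys are not a signal.
        if cat == "user_profiling" and rec.get("image", "").lower() in BENIGN_READERS:
            continue
        by_pid[rec["pid"]].append((rec["ts"], cat))

    hits = {}
    for pid, events in by_pid.items():
        events.sort()
        # Slide a window starting at each event; stop at the first burst.
        for i, (t0, _) in enumerate(events):
            cats = {c for t, c in events[i:] if t - t0 <= WINDOW_SECONDS}
            if len(cats) >= MIN_CATEGORIES:
                hits[pid] = sorted(cats)
                break
    return hits


# Constructed sample trace: one bursting process, one legitimate RDP client,
# and one process whose probes are spread too far apart to count.
SAMPLE_TRACE = [
    r'{"ts": 100, "pid": 4242, "image": "invoice.exe", "kind": "api", "detail": "IsDebuggerPresent"}',
    r'{"ts": 101, "pid": 4242, "image": "invoice.exe", "kind": "api", "detail": "GetSystemInfo"}',
    r'{"ts": 102, "pid": 4242, "image": "invoice.exe", "kind": "api", "detail": "GlobalMemoryStatusEx"}',
    r'{"ts": 103, "pid": 4242, "image": "invoice.exe", "kind": "api", "detail": "GetKeyboardLayout"}',
    r'{"ts": 104, "pid": 4242, "image": "invoice.exe", "kind": "regread", "detail": "HKCU\\Software\\Microsoft\\Terminal Server Client\\Servers"}',
    r'{"ts": 105, "pid": 4242, "image": "invoice.exe", "kind": "api", "detail": "GetProcAddress"}',
    r'{"ts": 110, "pid": 1312, "image": "mstsc.exe", "kind": "regread", "detail": "HKCU\\Software\\Microsoft\\Terminal Server Client\\Default"}',
    r'{"ts": 120, "pid": 2000, "image": "notepad.exe", "kind": "api", "detail": "GetSystemInfo"}',
    r'{"ts": 900, "pid": 2000, "image": "notepad.exe", "kind": "api", "detail": "IsDebuggerPresent"}',
    r'{"ts": 905, "pid": 2000, "image": "notepad.exe", "kind": "api", "detail": "GetKeyboardLayout"}',
]


def scan_sample():
    """Run the detector over the constructed trace."""
    return detect_recon_bursts(SAMPLE_TRACE)


if __name__ == "__main__":
    for pid, cats in scan_sample().items():
        print(f"pid {pid}: reconnaissance burst across {', '.join(cats)}")
```

Grouping calls into categories and requiring several distinct categories inside one window is what keeps the rule quiet on ordinary software, which calls `GetSystemInfo` or reads its own MRU list without ever touching a debugger check; the same category table doubles as a checklist for a sandbox operator who wants to know which of the signals above their analysis VM still fails to make look like a real workstation.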
