Secondary Categories: 02-Command and Control, 02-Malware
Environmental Keying
When your payload lands on a victim's system, it is important to develop your implants/payloads to perform some checks to ensure they are running in the intended environment (and not in a sandbox or analysis VM). Some things we can check:
- Check if connected to domain
- Check if being debugged
- Check System Cores or Memory
- Check Keyboard language
- Check date time
- Check for mouse movement
- Check for window resizing
User Profiling
When you are developing a payload, you can also perform checks based on the user's profile before the payload is executed.
- Only execute during work hours
- Only execute before XYZ date
- Check for specific installed software that indicates the user's role or position
- Check Most Recently used files (MRUs)
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FindComputerMRU
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Doc Find Spec MRU
%AppData%\Microsoft\Windows\Recent
- Check RDP History
HKCU\Software\Microsoft\Terminal Server Client\Servers
HKCU\Software\Microsoft\Terminal Server Client\Default
HKCU\Software\Microsoft\Terminal Server Client\UsernameHint
Also Check Out:
- PLACEHOLDER