ICMTC CTF — DFIR Challenge Writeup “Devil init Persistence”

Ebrahim Mustafa
2 min read · Jul 31, 2023


First, I had a registry file ‘devil init persistence.reg’:

And this is the description of the challenge:

`A hacker managed to set up a persistence in a less common reg key, could you get the command he used to gain persistence?`

I noticed a persistence technique, then I opened MITRE ATT&CK and started searching for techniques used in files. However, this attempt failed because I found lots of results and it would take too much time.

Let’s focus on the challenge name `Init Persistence`. I opened the file in a text editor like Notepad++ and started searching for `init`. I got 2311 hits, which is far too many.

Let’s do a quick online search for ‘init persistence’. I found this article (Windows Persistence using WinLogon):

https://pentestlab.blog/2020/01/14/persistence-winlogon-helper-dll/

Now let’s search the file with keywords:

I found a target, ‘netsh.exe’, which is used to load malicious .dll files.

And here is more info about it in this article:

https://learn.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-contexts
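Searching the export for a single word does not scale (2311 hits for `init`), so here is an added example that automates the triage; it is not part of the original writeup or the challenge files. The script parses a "Windows Registry Editor Version 5.00" export, pulls the values under `HKLM\SOFTWARE\Microsoft\NetSh` (the key that `netsh add helper <dll>` writes to, which is how netsh helper DLL persistence, MITRE ATT&CK T1546.007, works), flags any helper whose path points outside System32, and reconstructs the registration command. The embedded .reg text is constructed for the demonstration, and the `"name"="dll path"` value layout under the NetSh key is the layout the parser assumes.

```python
"""Triage a Windows .reg export for netsh helper-DLL persistence (ATT&CK T1546.007)."""
import re
from typing import Dict, List, Tuple

# Key written by `netsh add helper <dll>`. Assumed value layout: "name"="dll path".
NETSH_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh"

# Constructed sample export (not the challenge file): two built-in helpers
# plus one helper registered from a user profile.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
"Shell"="explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh]
"ifmon"="ifmon.dll"
"wshelper"="wshelper.dll"
"phantom"="C:\\Users\\User\\phantom.dll"
'''

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# Value name is either @ (default value) or a quoted string with \" and \\ escapes.
_VALUE_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>.*)$')


def _unescape(s: str) -> str:
    # .reg string syntax: a backslash escapes the following character (\\ and \").
    return re.sub(r"\\(.)", lambda m: m.group(1), s)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: data}} from a .reg export.

    REG_SZ data is unquoted and unescaped; other data (dword:, hex:) is kept as
    the raw text after '='. Multi-line hex continuations are not joined here.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = m.group("name")
            name = "(Default)" if name == "@" else _unescape(name[1:-1])
            data = m.group("data")
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def suspicious_netsh_helpers(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Helper DLLs registered with an explicit path outside System32.

    A bare file name (e.g. ifmon.dll) is resolved through the DLL search order and
    is not flagged here, though it is still worth confirming on disk.
    """
    found = []
    for name, path in keys.get(NETSH_KEY, {}).items():
        lower = path.lower()
        if "\\" in lower and not lower.startswith(r"c:\windows\system32"):
            found.append((name, path))
    return found


def persistence_command(dll_path: str) -> str:
    """Reconstruct the netsh command that registers a helper DLL."""
    return f"netsh.exe add helper {dll_path}"


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for name, path in suspicious_netsh_helpers(parsed):
        print(f"{name}: {persistence_command(path)}")
```

Real `reg export` files are UTF-16LE with a BOM, so read the challenge file with `open(path, encoding="utf-16").read()` before passing it to `parse_reg`; the same parser can then be pointed at other less common persistence keys (Winlogon `Userinit`/`Shell`, Image File Execution Options, AppInit_DLLs) by changing the key path.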

Finally, we got the flag:

EGCERT{netsh.exe add helper C:\\Users\\User\\phantom.dll}


Written by Ebrahim Mustafa

Cyber Security Pentester, Bug hunter, CTF player and Coder
