ICMTC CTF — DFIR Challenge Writeup “Devil init Persistence”

Ebrahim Mustafa
2 min read · Jul 31, 2023

The challenge provided a single file, a registry export named ‘devil init persistence.reg’.

And this is the description of the challenge:

`A hacker managed to set up a persistence in a less common reg key, could you get the command he used to gain persistence?`

The description points at a persistence technique, so I opened MITRE ATT&CK and started going through the persistence techniques that live in the registry. That attempt went nowhere: there are far too many candidate techniques and keys to check one by one in the time available.

Let’s focus on the challenge name instead, `Init Persistence`. I opened the file in a text editor (Notepad++) and searched for `init`. That gave 2311 hits, which is far too many to review by hand.

Let’s do a quick online search for ‘init persistence’. I found this article (Windows Persistence using WinLogon):

https://pentestlab.blog/2020/01/14/persistence-winlogon-helper-dll/

Going back to the .reg file and searching for keywords from the persistence write-ups turned up a hit on ‘netsh.exe’.

netsh.exe extends itself with helper DLLs that are registered under `HKLM\SOFTWARE\Microsoft\NetSh`. The command `netsh add helper <path to dll>` writes a new value to that key, and from then on netsh loads the DLL every time it starts, which is exactly the kind of “less common reg key” the description hints at (MITRE ATT&CK T1546.007, Netsh Helper DLL). The stock helpers are registered as bare DLL names resolved from System32, so a helper pointing at a full path under a user profile stands out.

Microsoft documents netsh contexts and helpers here:

https://learn.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-contexts

Reconstructing the command from the registered helper path gives the flag:

EGCERT{netsh.exe add helper C:\\Users\\User\\phantom.dll}
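The manual search above works for a CTF, but the same triage can be scripted so that a .reg export is checked for netsh helper DLL persistence directly rather than by grepping thousands of hits. The following is an added example written for this write-up, not code from the original post or from the challenge. It parses regedit export syntax, pulls the values under `HKLM\SOFTWARE\Microsoft\NetSh`, classifies each helper (bare stock name, path under the Windows directory, path in a user-writable location) and rebuilds the `netsh.exe add helper` command. The embedded .reg text is constructed for the example: the `phantom` entry is an assumption modelled on the flag, and the baseline list of stock helper DLL names is taken from a Windows 10 host and should be re-verified against a clean machine of the same build before being trusted.

```python
"""Triage a Windows .reg export for netsh helper DLL persistence (ATT&CK T1546.007)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in regedit export format (constructed for this example).
# Real exports are UTF-16LE with a BOM: open(path, encoding="utf-16").read() decodes them.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh]
"ifmon"="IFMON.DLL"
"rasmontr"="RASMONTR.DLL"
"wlancfg"="wlancfg.dll"
"phantom"="C:\\Users\\User\\phantom.dll"
'''

NETSH_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh"

# Baseline of stock helper DLL file names (assumption: Windows 10 host; verify on a clean build).
KNOWN_HELPERS = {
    "ifmon.dll", "rasmontr.dll", "wlancfg.dll", "fwcfg.dll", "dhcpcmonitor.dll",
    "hnetmon.dll", "netiohlp.dll", "nshhttp.dll", "nshipsec.dll", "nshwfp.dll",
    "p2pnetsh.dll", "peerdistsh.dll", "rpcnsh.dll", "wcnnetsh.dll", "whhelper.dll",
    "wshelper.dll", "wwancfg.dll", "authfwcfg.dll", "netprofm.dll", "nettrace.dll",
}
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\", "%appdata%",
                 "%localappdata%", "%temp%", "%public%")
WINDOWS_DIRS = ("c:\\windows\\", "%systemroot%", "%windir%")

_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
# name is either @ (default value) or a quoted string with \" and \\ escapes
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s: str) -> str:
    """Undo .reg string escaping: \\ -> \ and \" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: data}}.

    REG_SZ data is unquoted and unescaped; dword:/hex: data is kept as the raw token.
    Hex continuation lines (indented, ending in a backslash) do not match and are skipped.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(2)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(2))
            data = m.group(3)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def classify(dll: str) -> Optional[str]:
    """Return None for a helper that looks stock, otherwise a short reason to look at it."""
    low = dll.lower().replace("/", "\\")
    base = low.rsplit("\\", 1)[-1]
    if "\\" in low or ":" in low:          # full path: stock helpers use bare names
        if any(marker in low for marker in USER_WRITABLE):
            return "helper DLL in a user-writable location"
        if not low.startswith(WINDOWS_DIRS):
            return "helper DLL outside the Windows directory"
    if base not in KNOWN_HELPERS:
        return "helper DLL not in the stock baseline"
    return None


@dataclass
class Finding:
    helper: str
    dll: str
    reason: str

    def command(self) -> str:
        """The netsh command that would have created this registration."""
        return f"netsh.exe add helper {self.dll}"


def find_netsh_helpers(keys: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Registry key names are case-insensitive, so compare lowercased paths."""
    findings: List[Finding] = []
    for key, values in keys.items():
        if key.lower() != NETSH_KEY.lower():
            continue
        for name, dll in values.items():
            reason = classify(dll)
            if reason:
                findings.append(Finding(name, dll, reason))
    return findings


def reconstruct_commands(reg_text: str) -> List[str]:
    return [f.command() for f in find_netsh_helpers(parse_reg(reg_text))]


if __name__ == "__main__":
    for f in find_netsh_helpers(parse_reg(SAMPLE_REG)):
        print(f"{f.helper}: {f.dll} ({f.reason}) -> {f.command()}")
```

Running it on the sample prints only the `phantom` entry with the reconstructed `netsh.exe add helper C:\Users\User\phantom.dll`; the three stock helpers are silent. For a real case, swap `SAMPLE_REG` for the decoded export and treat the baseline as a starting point, since a DLL dropped into System32 under a stock-looking name would only be caught by hashing the file itself.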


Written by Ebrahim Mustafa: Cyber Security Pentester, Bug hunter, CTF player and Coder
