ICMTC CTF — DFIR Challenge Writeup “Devil init Persistence”

First, I had a registry file ‘devil init persistence.reg’:

And this is the description of the challenge:
`A hacker managed to set up a persistence in a less common reg key, could you get the command he used to gain persistence?`
I noticed a persistence technique, then I opened MITRE ATT&CK and started searching for techniques used in files. However, this attempt failed because I found lots of results and it would take a lot of time.
Let’s focus on the challenge name `Init Persistence`. I opened the file in a text editor like Notepad++ and started searching for `init`. I got 2311 hits, which is far too many.

Let’s do a quick online search on ‘init persistence’. I found this article: (Windows Persistence using WinLogon)
https://pentestlab.blog/2020/01/14/persistence-winlogon-helper-dll/
And now let’s search with keywords:

I found a target, ‘netsh.exe’, which is used to load malicious .dll files.
There is more info about it in this article:
https://learn.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-contexts
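Rather than paging through thousands of `init` hits, the export can be parsed and only the Winlogon key and the netsh helper key (`HKLM\SOFTWARE\Microsoft\NetSh`, a key name not given in this writeup) checked. This is an added example, not part of the original writeup: the sample export is constructed, and the stock values and the "helper registered with a path" heuristic are assumptions of the example.

```python
import re
from pathlib import Path

WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
NETSH = r"hkey_local_machine\software\microsoft\netsh"
# Assumed stock data (lower-cased, trailing comma stripped) for a C:\Windows install.
STOCK = {"userinit": r"c:\windows\system32\userinit.exe", "shell": "explorer.exe"}

# Constructed sample export, not the challenge file.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\Public\\example.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh]
"2"="ifmon.dll"
"example"="C:\\Users\\Public\\example.dll"
'''

def read_reg(path):
    """Decode an export: 'Version 5.00' files are UTF-16 with a BOM, REGEDIT4 is ANSI."""
    raw = Path(path).read_bytes()
    bom = raw[:2] in (b"\xff\xfe", b"\xfe\xff")
    return raw.decode("utf-16" if bom else "cp1252", errors="replace")

def parse_reg(text):
    """Yield (key, name, unescaped data) for string values; other value types are skipped."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        m = re.fullmatch(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"', line)
        if key and m:
            yield (key, *(re.sub(r"\\(.)", r"\1", g) for g in m.groups()))

def suspicious(text):
    """Return (key, name, data) for values that differ from the assumed stock state."""
    hits = []
    for key, name, data in parse_reg(text):
        k, n, d = key.lower(), name.lower(), data.lower().rstrip(", ")
        odd_init = k == WINLOGON and n in STOCK and d != STOCK[n]
        # Heuristic (assumption): stock netsh helpers are bare file names, so a path stands out.
        odd_helper = k == NETSH and ("\\" in d or "/" in d)
        if odd_init or odd_helper:
            hits.append((key, name, data))
    return hits

print(*suspicious(SAMPLE), sep="\n")
```

For a real export, pass `read_reg(path)` to `suspicious()` instead of `SAMPLE`.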
Finally, we got the flag: