ICMTC CTF — DFIR Challenge Writeup “Devil init Persistence”

First, I had a registry file ‘devil init persistence.reg’:

And this is the description of the challenge:

`A hacker managed to set up a persistence in a less common reg key, could you get the command he used to gain persistence?`

I noticed a persistence technique, then I opened MITRE ATT&CK and started searching for techniques used in files. However, this trial failed because I found lots of results and it will take much time.

Let’s focus on the challenge name `Init Persistence`. I opened the file in text editor like notepad++ and I started searching with `init`. I got 2311 hits, and this is so much.

Let’s do a quick online search on ‘init persistence’. I found this article: (Windows Persistence using WinLogon)

https://pentestlab.blog/2020/01/14/persistence-winlogon-helper-dll/

and now let’s search with keywords:

I found a target ‘netsh.exe’ which is used to load malicious .dll files.

And this info about it in this article:

https://learn.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-contexts

Finally, we got the flag:

EGCERT{netsh.exe add helper C:\\Users\\User\\phantom.dll}