
The Image File Execution Options key

The file path set in the Debugger value of the Image File Execution Options key is run every time the named process is started, whether by a debugger or by an ordinary call to the CreateProcess API: Windows launches the Debugger executable instead of the original program and passes the original command line to it.

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[Process Name]
    • Debugger = [executable file]
    • [Process Name] is the filename of the executable being launched, not a full path
    • This persistence triggers on every launch of [Process Name]; because the Debugger executable receives the original command line, malware typically starts the real program afterwards so the user notices nothing

Browser Helper Objects key

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\[CLSID]
    • Having the CLSID as a subkey simply means that it is installed and enabled as an Internet Explorer BHO
    • The CLSID is registered under the HKEY_CLASSES_ROOT\CLSID\[CLSID]\InprocServer32 key
      • The (Default) value points to the DLL file associated with the BHO
    • The DLL file is loaded every time Internet Explorer is opened
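As an added example (not code from the book), the two checks described above can be run offline against a `reg export` dump: the parser below reads .reg text, reports every Image File Execution Options subkey that carries a Debugger value, and resolves each Browser Helper Objects CLSID to the DLL named by the (Default) value of its InprocServer32 key. The registry content, file paths and CLSID in SAMPLE_REG are constructed for illustration and do not come from any real system.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in `reg export` format. Paths and the CLSID are hypothetical.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Users\\Public\\upd.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableHeapLookaside"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\ProgramData\\helper.dll"
"ThreadingModel"="Apartment"
"""

IFEO_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
BHO_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID"

_KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s: str) -> str:
    # .reg files escape backslashes and double quotes inside REG_SZ data.
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse .reg text into {key (lower-case): {value name (lower-case): data}}.

    Registry key and value names are case-insensitive, so both are normalised.
    REG_SZ data is unescaped; other types (dword:, hex:) keep the raw text after
    '='. The (Default) value is stored under the empty name ''.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.endswith("\\"):  # multi-line hex(...) data continues on the next line
            pending = line[:-1]
            continue
        m = _KEY_RE.match(line)
        if m:
            if m.group(1) == "-":  # "[-HKEY_...]" deletes a key; nothing to record
                current = None
                continue
            current = keys.setdefault(m.group(2).lower(), {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = (m.group(1) or "").lower()
            data = m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            current[name] = data
    return keys


def _subkeys(keys: Dict[str, Dict[str, str]], parent: str) -> List[str]:
    """Names of the immediate children of `parent`."""
    prefix = parent.lower() + "\\"
    return [k[len(prefix):] for k in keys
            if k.startswith(prefix) and "\\" not in k[len(prefix):]]


def find_ifeo_debuggers(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """(process name, debugger path) for every IFEO subkey that sets Debugger."""
    hits = []
    for proc in _subkeys(keys, IFEO_KEY):
        values = keys[IFEO_KEY.lower() + "\\" + proc]
        if "debugger" in values:
            hits.append((proc, values["debugger"]))
    return hits


def find_bho_dlls(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, Optional[str]]]:
    """(CLSID, DLL) for every installed BHO, resolved via HKCR\\CLSID\\{clsid}\\InprocServer32."""
    hits = []
    for clsid in _subkeys(keys, BHO_KEY):
        server = keys.get(CLSID_KEY.lower() + "\\" + clsid + "\\inprocserver32", {})
        hits.append((clsid, server.get("")))  # None when the COM server is not registered
    return hits


if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    for proc, dbg in find_ifeo_debuggers(reg):
        print(f"IFEO: launching {proc} runs {dbg} instead")
    for clsid, dll in find_bho_dlls(reg):
        print(f"BHO {clsid} -> {dll or '<no InprocServer32>'}")
```

A real `reg export` file is written as UTF-16LE with a byte-order mark, so read it with `open(path, encoding="utf-16")` before handing the text to parse_reg. An IFEO subkey without a Debugger value, like the iexplore.exe key in the sample, is not reported, since such keys are common and legitimate; a BHO whose CLSID has no InprocServer32 key is still listed with None so it is not silently dropped from the review.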

Besides registry entries, an executable can also be triggered on a schedule using the Windows Task Scheduler or cron jobs. An executable or a script can also be triggered only under certain conditions, for example at logon or when the machine becomes idle. Take, for example, the following screenshot of the Windows Task Scheduler:

There are many more ways in which malware gains persistence than those listed here. Recognizing them as they turn up is one of the challenges a reverse engineer learns to handle with each new technique encountered.
