Modify

Processes

start <ProgramName>

Starts a program or command in a new window.

Start-Process Notepad.exe

Uses the Process.Start method of the System.Diagnostics.Process class

Start-Process <FilePath>

Starts one or more processes on the local computer.

Start-Process <FilePath> -ArgumentList <Arguments>

Starts a process with arguments.

Start-Process <FilePath> -Verb RunAs

Starts a process with elevated permissions (as administrator).

Start-Job {Start-Process <FilePath>}

Starts a process in a background job.

(Get-Process calculator*).Kill()

Calls the Kill() method directly on each matching Process object

Stop-Process -name calculator*

Cmdlet calls the Process.Kill method

Stop-Process -name notepad

Uses the Process.Kill method of the System.Diagnostics.Process class

Stop-Process -Id <ProcessID>

Stops (ends) the process with the specified process ID.

taskkill /IM <ProcessName>

Kill by name

taskkill /PID <ProcessID>

Kill by PID

taskkill /T /IM <ProcessName>

Kill process and child processes

taskkill /F /IM <ProcessName>

Force Kill by name

taskkill /F /PID <ProcessID>

Force Kill by PID

wmic process where name="<ProcessName>" delete

Terminates a process with the specified name.

wmic process where processid="<ProcessID>" delete

Terminates a process with the specified process ID.

wmic process call create "<Command>"

Creates (starts) a process running a specified command.

Runs a program under the user credentials you supply (runas prompts for the password; it has no switch for passing the password on the command line):

runas /user:<username> C:\sus.exe

Quietly start your malicious installer (/quiet and /qn both suppress the installer UI, so either one is enough):

msiexec /quiet /qn /i C:\sus.msi

Sysinternals

psexec

Execute remote processes

DLLs

Registers a DLL file with the system. regsvr32 loads the DLL and calls its DllRegisterServer export, which adds the information about its classes and interfaces to the Windows Registry so that COM clients can use the DLL.

WARNING: registering a DLL executes code from it: loading the DLL runs its DllMain, and registration then calls its DllRegisterServer entry point:

regsvr32 <DLLName>

Unregisters a DLL file from the system by calling its DllUnregisterServer export, which removes its class and interface information from the Windows Registry:

regsvr32 /u <DLLName>

Executes an exported function of the specified DLL. The function must use the signature rundll32 expects (an HWND, an HINSTANCE, an LPSTR command line and an int show flag); other exports may crash or silently misbehave:

rundll32.exe <DLLName>,<EntryPoint>

Uses PowerShell reflection to load a managed (.NET) DLL and invoke a specific method. Invoke($null, $null) targets a static method that takes no parameters. Run this from cmd.exe as shown; inside an existing PowerShell session the double-quoted string would expand $null to nothing and the inner command would not parse:

PowerShell -Command "[System.Reflection.Assembly]::LoadFile('<FullPathToDLL>').GetType('<Namespace.ClassName>').GetMethod('<MethodName>').Invoke($null, $null)"

Registry Locations

Processes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Contains entries for programs and processes that are launched automatically at startup for all users.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Contains entries for programs and processes that are launched automatically at startup for the current user.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Contains entries for programs and processes that are run once and then removed the next time the system starts.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Contains entries for programs and processes that are run once for the current user and then removed the next time the user logs in.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

Contains per-executable options for debugging and customizing how specific executables are launched, for example a Debugger value naming a program that Windows starts in place of the executable.

DLLs

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs

Contains paths and reference counts for shared DLLs used by multiple applications.

HKEY_CLASSES_ROOT\CLSID\{CLSID}\InprocServer32

Contains registration information for COM DLLs, including the path to the DLL file and threading model for each class identified by its CLSID.

HKEY_CLASSES_ROOT\TypeLib\{TypeLibID}

Contains information about the type libraries, which may include DLLs, registered on the system.

Each type library is identified by a unique ID.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

Contains names of DLLs to be loaded into every process that uses User32.dll.

This feature is often used by software for customization or extension purposes, but it can also be abused by malware. The list is only honoured when the LoadAppInit_DLLs value in the same key is 1, and the mechanism is disabled by default on Windows 8 and later when Secure Boot is enabled.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs

Lists the names of DLLs that the loader always maps from the trusted system directory (%SystemRoot%\System32) instead of searching for them, which improves load performance and prevents a same-named DLL in an application's directory from being loaded in their place.
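The registry locations above are the ones a defender reviews first when looking for unexpected autostarts or DLL injection. The following PowerShell audit is an added example, not code from the original page: it enumerates the Run/RunOnce keys, Image File Execution Options Debugger values, AppInit_DLLs and KnownDLLs listed above and returns them as objects for review. It assumes an elevated PowerShell session on the host being checked; the function name Get-AutostartAudit is the example's own.

```powershell
# Added example (not from the original page): collect the autostart and DLL-loading
# registry entries listed above into one table for review. Assumes an elevated session.
function Get-AutostartAudit {
    $findings = @()
    # Provider metadata that Get-ItemProperty attaches to every result; not registry values.
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    # Run / RunOnce for all users (HKLM) and for the current user (HKCU).
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -in $meta) { continue }
            $findings += [PSCustomObject]@{ Location = $key; Name = $p.Name; Value = $p.Value }
        }
    }

    # Image File Execution Options: a Debugger value makes Windows start that program
    # instead of the named executable, so every one present should be explainable.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($sub in Get-ChildItem -Path $ifeo) {
        $dbg = Get-ItemProperty -Path $sub.PSPath -Name Debugger -ErrorAction SilentlyContinue
        if ($dbg) {
            $findings += [PSCustomObject]@{ Location = 'IFEO'; Name = $sub.PSChildName; Value = $dbg.Debugger }
        }
    }

    # AppInit_DLLs: listed DLLs are loaded into every User32 process when LoadAppInit_DLLs is 1.
    $win = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $findings += [PSCustomObject]@{
        Location = 'AppInit_DLLs'
        Name     = "LoadAppInit_DLLs=$($win.LoadAppInit_DLLs)"
        Value    = $win.AppInit_DLLs
    }

    # KnownDLLs: the names the loader trusts from System32; compare against a known-good baseline.
    $known = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'
    foreach ($p in $known.PSObject.Properties) {
        if ($p.Name -in $meta -or $p.Name -like 'DllDirectory*') { continue }
        $findings += [PSCustomObject]@{ Location = 'KnownDLLs'; Name = $p.Name; Value = $p.Value }
    }
    return $findings
}

Get-AutostartAudit | Format-Table -AutoSize -Wrap
```

Pipe the function's output to Export-Csv instead of Format-Table to keep a baseline, then diff later runs against it to spot new entries.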
