
Windows Registry keys used by malware

단디연구소 2015. 2. 10. 14:27

Windows Registry

Security settings

Hidden files setting
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden

Task Manager setting
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\DisableTaskMgr

Registry Editor setting
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system\DisableRegistryTools

IE offline setting
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline

Safe Mode setting
HKCU\System\CurrentControlSet\Control\SafeBoot

Antivirus setting
HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusOverride

Antivirus warning notification
HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify

Firewall warning notification
HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify

Firewall setting
HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride

Update notification
HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify

User Account Control notification setting
HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify

User Account Control setting
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA

Firewall exception (authorized application) setting
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\<malware file path>

Firewall setting
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall

Firewall exceptions allowed setting
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions

Firewall notification setting
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications

Other

OS information
HKLM\Software\Microsoft\Windows NT\CurrentVersion

Product name
HKLM\Software\Microsoft\Windows NT\CurrentVersion /v ProductName

Install date
HKLM\Software\Microsoft\Windows NT\CurrentVersion /v InstallDate

Registered owner
HKLM\Software\Microsoft\Windows NT\CurrentVersion /v RegisteredOwner

System path
HKLM\Software\Microsoft\Windows NT\CurrentVersion /v SystemRoot

Time zone
HKLM\System\CurrentControlSet\Control\TimeZoneinformation /v ActiveTimeBias

Mapped network drives
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU

Mounted devices
HKLM\System\MountedDevices

USB devices
HKLM\System\CurrentControlSet\Enum\USBStor

IP forwarding enabled
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
IPEnableRouter = 1

Password keys: LSA secrets can contain VPN, autologon and other passwords
HKLM\Security\Policy\Secrets
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\autoadminlogon

Audit policy
HKLM\Security\Policy\PolAdTev

Kernel/user services
HKLM\Software\Microsoft\Windows NT\CurrentControlSet\Services

Installed software on machine
HKLM\Software

Installed software for user
HKCU\Software

Recent documents
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Recent user locations
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpensaveMRU

Typed URLs
HKCU\Software\Microsoft\Internet Explorer\TypedURLs

MRU lists
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Last registry key accessed
HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\RegEdit /v LastKey

Startup locations
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
HKCU\Software\Microsoft\Windows NT\CurrentVersion\WinRun