Malware Hunting - Beginner
Author(s): carbonice
Last Updated: 07-1-2025
Recommended Prerequisites: None
Why do we care?
Practice images, especially the higher difficulty ones, are often riddled with malicious programs, DLLs, backdoors, services, and configurations. These persistence techniques also often rely on a security weakness to get installed in the first place (example: a malicious DNS plugin was only installable because an unwanted user had the DNS Admin role), so finding the malware frequently points you at a misconfiguration to fix as well.
Finding the Easiest Malware
Some malware is easily discoverable because:
- The malware makes its presence known, like Desktop Goose. If it's actively bugging you, you know to look for it.
- It can be found within AutoRuns. See below.
- It can be found with a baseline MalwareBytes scan, as well as Windows Defender and other antiviruses.
- It isn't fileless... we will get to this eventually, haha.
AutoRuns
A defender's best friend, at least for simpler cases. Autoruns can discover a wide variety of simple persistence mechanisms used by malicious programs to stay running:
- Registry keys such as HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, which run programs on system startup
- Context Menu Handlers, such as a malicious option when you right click a file
- Image hijacks, which redirect execution: you ask for one program and a different one runs instead (often used to set up sethc or utilman backdoors)
- Scheduled Tasks
- Services
- Drivers
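As an added example (not part of the original guide), the script below does a read-only sweep of the persistence locations listed above so the results can be reviewed by hand, much like scrolling through Autoruns. It assumes an elevated PowerShell 5.1+ session on the practice image; the path filters are heuristics, so legitimate third-party software will also show up for review.

```powershell
# Added example: read-only sweep of common persistence locations for manual review.
# Assumes elevated PowerShell 5.1+ on a Windows host. Nothing here modifies the system.
$findings = @()

# 1. Run / RunOnce keys (machine-wide and current user)
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty $key
    foreach ($name in (Get-Item $key).Property) {
        $findings += [pscustomobject]@{ Source = 'Run key'; Name = $name; Value = $values.$name }
    }
}

# 2. Image hijacks: a Debugger value under IFEO redirects the named program.
#    Entries for sethc.exe or utilman.exe are the classic accessibility-backdoor sign.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty $_.PSPath).Debugger
    if ($dbg) { $findings += [pscustomobject]@{ Source = 'IFEO'; Name = $_.PSChildName; Value = $dbg } }
}

# 3. Scheduled tasks outside the \Microsoft\ tree, with the command each action runs
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
    foreach ($a in $_.Actions) {
        $findings += [pscustomobject]@{ Source = 'Task'; Name = "$($_.TaskPath)$($_.TaskName)"
                                        Value = "$($a.Execute) $($a.Arguments)" }
    }
}

# 4. Services and drivers whose binary is not under the Windows directory (heuristic)
$inWindows = '(?i)(\\windows\\|\\systemroot\\|^system32\\)'
Get-CimInstance Win32_Service | Where-Object { $_.PathName -and $_.PathName -notmatch $inWindows } | ForEach-Object {
    $findings += [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Value = $_.PathName }
}
Get-CimInstance Win32_SystemDriver | Where-Object { $_.PathName -and $_.PathName -notmatch $inWindows } | ForEach-Object {
    $findings += [pscustomobject]@{ Source = 'Driver'; Name = $_.Name; Value = $_.PathName }
}

$findings | Sort-Object Source, Name | Format-Table -AutoSize -Wrap
```

Anything listed here should be cross-checked against Autoruns and the file on disk before you remove it, since the filters deliberately err toward showing too much rather than too little.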
Antiviruses
There are plenty of antiviruses that are easy and free to use. This includes:
- Windows Defender - make sure there are no exclusions prior to running the scan.
- Malwarebytes - note that this will override Windows Defender.
- Hitmanpro - note that this will set up a service.
- Bitdefender - note that this will override Windows Defender.
- Kaspersky Virus Removal Tool application - note it is banned in the US, so you may want to use a VPN.
Practice
Any practice image beyond the beginner difficulty will have some form of malware. Take your pick! The Windows Persistence Image may be helpful, as it contains 8 persistence mechanisms. Malwarebazaar also has a ton of malware that you can practice with; just note that some uploaded samples may not actually be malicious. Malwarebazaar also offers a daily malware zip folder if you want to download a lot in one go.