The Windows Restart Manager: How It Works Part 1
Tags
| attack-pattern: | Data Hooking - T1617 Malware - T1587.001 Malware - T1588.001 Service Stop - T1489 Software - T1592.002 Windows Service - T1543.003 Hooking - T1179 Hooking Service Stop |
Common Information
| Type | Value |
|---|---|
| UUID | 7d39bb77-bf65-4dbd-b29a-ca085949f8af |
| Fingerprint | 8420cc3664b9afd5 |
| Analysis status | DONE |
| Considered CTI value | 0 |
| Text language | |
| Published | Nov. 7, 2024, midnight |
| Added to db | Nov. 12, 2024, 11:53 a.m. |
| Last updated | Nov. 17, 2024, 6:49 p.m. |
| Headline | The Windows Restart Manager: How It Works and How It Can Be Hijacked, Part 1 |
| Title | The Windows Restart Manager: How It Works Part 1 |
| Detected Hints/Tags/Attributes | 38/1/26 |
Source URLs
| Redirection | Url | |
|---|---|---|
| Details | Source | https://www.crowdstrike.com/en-us/blog/windows-restart-manager-part-1/ |
URL Provider
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | Domain | 207 | learn.microsoft.com |
|
| Details | Domain | 10 | devblogs.microsoft.com |
|
| Details | Domain | 2 | ninite.com |
|
| Details | Domain | 3 | www.rohitab.com |
|
| Details | File | 16 | rstrtmgr.dll |
|
| Details | File | 380 | notepad.exe |
|
| Details | File | 1260 | explorer.exe |
|
| Details | File | 5 | target.exe |
|
| Details | File | 1 | target.tmp |
|
| Details | File | 1 | inno_updater.exe |
|
| Details | Url | 1 | https://learn.microsoft.com/en-us/windows/win32/api/restartmanager/nf-restartmanager-rmstartsession |
|
| Details | Url | 1 | https://learn.microsoft.com/en-us/windows/win32/api/restartmanager/nf-restartmanager-rmregisterresources |
|
| Details | Url | 1 | https://learn.microsoft.com/en-us/windows/win32/api/restartmanager/nf-restartmanager-rmgetlist |
|
| Details | Url | 1 | https://devblogs.microsoft.com/oldnewthing/20180216-00/?p=98035 |
|
| Details | Url | 1 | https://learn.microsoft.com/en-us/windows/win32/api/restartmanager/nf-restartmanager-rmshutdown |
|
| Details | Url | 1 | https://learn.microsoft.com/en-us/windows/win32/api/restartmanager/nf-restartmanager-rmrestart |
|
| Details | Url | 1 | https://learn.microsoft.com/en-us/windows/win32/api/restartmanager/nf-restartmanager-rmaddfilter |
|
| Details | Url | 1 | https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-sendmessagetimeoutw |
|
| Details | Url | 1 | https://learn.microsoft.com/en-us/windows/win32/shutdown/wm-queryendsession |
|
| Details | Url | 1 | https://learn.microsoft.com/en-us/windows/win32/shutdown/wm-endsession |
|
| Details | Url | 1 | https://learn.microsoft.com/en-us/windows/win32/winmsg/wm-close |
|
| Details | Url | 1 | https://learn.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-controlservice |
|
| Details | Url | 1 | https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-terminateprocess |
|
| Details | Url | 1 | https://ninite.com |
|
| Details | Url | 2 | http://www.rohitab.com/apimonitor |
|
| Details | Windows Registry Key | 1 | HKCU\Software\Microsoft\RestartManager |