Diocyde tweeted a good but older (2009) article about hiding malicious executable code (malware) in the Windows Registry: Malware IN the Registry a.k.a. if it can’t be Done, Why Am I Looking At it?
The post is a good description of what almost all incident responders/intrusion analysts encounter regularly: Is that right? How could that be? Hey [analyst sitting in the next cubicle] is this what I think it is?
After 9 years of intrusion analysis in various organizations, I can say that this happens to me very regularly. Now, I expect the unexpected. Not much surprises me any longer.
However, it is fun to watch a new analyst come upon these things and me, nonchalantly, describe what they are seeing and how cool it is. They are always astonished at the tactics of the adversaries and the lengths to which they will go.
While we should always expect the unexpected, we should never lose our respect for the adversary and their ability to find new ways to astound and confound us. For when we lose that, we blind ourselves.