search
Infiltr8ForumGitHub
githubEdit

Run Keys Persistence

MITRE ATT&CK™ Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder - Technique T1547.001

hashtag
Theory

A classic and widely used persistence technique involves adding an entry to the Registry "Run" keys, causing a specified program to execute automatically when a user logs in. This ensures that the attacker’s payload is launched every time the system starts or a user session begins.

hashtag
Trigger Condition:

The execution of the referenced program occurs when a user logs in to Windows. The specific privilege level of the executed process depends on the security context of the affected user account:

  • If added under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, the program runs in the context of the current user.

  • If added under HKLM\Software\Microsoft\Windows\CurrentVersion\Run, the program executes for all users on the system, requiring Administrator privileges to modify.

This technique is simple, effective, and often overlooked, making it a popular choice for persistence in both malware and post-exploitation scenarios.

hashtag
Practice

circle-check

Registry entries under HKU/HKCU will only apply to the user. Registry entries under HKLM will apply to everyone

circle-info

Run/RunServices keys will run every time a user logs in.

RunOnce/RunServicesOnce will clears the registry key as soon as it run.

You can force a user to execute a program on logon via the Run and RunOnce and RunOnceEx registry keys. You can use the following registry entries to specify applications to run at logon:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run

  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run

  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

The RunOnceEx key entries can reference programs directly or list them as a dependency. For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx.

circle-info

RunOnceEx only executes from HKEY_LOCAL_MACHINE (HKLM)

RunOnceEx clears the registry key on completion of the command.

#Run/RunOnce
## Add key for current user
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v PeMalware /t REG_SZ /d "C:\Users\user1\shell.exe"
## Add key for computer (all users)
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v PeMalware /t REG_SZ /d "C:\Users\user1\shell.exe"

#RunOnceEx
#Add key for current user - Execute command / PE
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\0001" /v PeMalware /t REG_SZ /d "C:\tmp\shell.exe"
#Add key for computer (all users) - Execute DLL
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend" /v DLLMalware /t REG_SZ /d "C:\tmp\shell.dll"

hashtag
References

LogoBoot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Sub-technique T1547.001 - Enterprise | MITRE ATT&CK®attack.mitre.orgchevron-right

Last updated