T1547.001: Registry Run Keys / Startup Folder

Data from MITRE ATT&CK®:

Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.

The following run keys are created by default on Windows systems:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

Run keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency.(Citation: Microsoft Run Key) For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll" (Citation: Oddvar Moe RunOnceEx Mar 2018)

Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. The startup folder path for all users is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp.

The following Registry keys can be used to set startup folder items for persistence:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

The following Registry keys can control automatic startup of services during boot:

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices

Using policy settings to specify startup programs creates corresponding values in either of two Registry keys:

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

Programs listed in the load value of the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows run automatically for the currently logged-on user.

By default, the multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.

Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use Masquerading to make the Registry entries look as if they are associated with legitimate programs.

© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

File Modification (File)

Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)

Process Creation (Process)

The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)

Command Execution (Command)

The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )

Windows Registry Key Creation (Windows Registry)

Initial construction of a new Registry Key (ex: Windows EID 4656 or Sysmon EID 12)

Windows Registry Key Modification (Windows Registry)

Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)

Reg Key Run

windows

Add Executable Shortcut Link to User Startup Folder

windows

Add persistance via Recycle bin

windows

HKLM - Modify default System Shell - Winlogon Shell KEY Value

windows

HKLM - Policy Settings Explorer Run Key

windows

Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value

windows

secedit used to create a Run key in the HKLM Hive

windows

Reg Key RunOnce

windows

SystemBC Malware-as-a-Service Registry

windows

Change Startup Folder - HKCU Modify User Shell Folders Startup Value

windows

HKCU - Policy Settings Explorer Run Key

windows

Modify BootExecute Value

windows

HKLM - Append Command to Winlogon Userinit KEY Value

windows

PowerShell Registry RunOnce

windows

Suspicious vbs file run from startup Folder

windows

Suspicious jse file run from startup Folder

windows

Suspicious bat file run from startup Folder

windows

Startup Folder File Write

windows file event

Wow6432Node Windows NT CurrentVersion Autorun Keys Modification

windows registry set

Modify User Shell Folders Startup Value

windows registry set

Direct Autorun Keys Modification

windows process creation

Leviathan Registry Key Activity

windows registry event

Classes Autorun Keys Modification

windows registry set

Wow6432Node CurrentVersion Autorun Keys Modification

windows registry set

Session Manager Autorun Keys Modification

windows registry set

Potential Persistence Attempt Via Run Keys Using Reg.EXE

windows process creation

New RUN Key Pointing to Suspicious Folder

windows registry set

Suspicious Powershell In Registry Run Keys

windows registry set

VBScript Payload Stored in Registry

windows registry set

Office Autorun Keys Modification

windows registry set

Suspicious Run Key from Download

windows registry event

Narrator's Feedback-Hub Persistence

windows registry event

CurrentControlSet Autorun Keys Modification

windows registry set

CurrentVersion Autorun Keys Modification

windows registry set

Common Autorun Keys Modification

windows registry set

CurrentVersion NT Autorun Keys Modification

windows registry set

Potential Suspicious Activity Using SeCEdit

windows process creation

Wow6432Node Classes Autorun Keys Modification

windows registry set

Internet Explorer Autorun Keys Modification

windows registry set

Potential Startup Shortcut Persistence Via PowerShell.EXE

windows file event

File Creation In Suspicious Directory By Msdt.EXE

windows file event

Registry Persistence via Explorer Run Key

windows registry set

WinSock2 Autorun Keys Modification

windows registry set

Suspicious Startup Folder Persistence

windows file event

System Scripts Autorun Keys Modification

windows registry set