Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.[1] These programs will be executed under the context of the user and will have the account's associated permissions level.
The following run keys are created by default on Windows systems:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
Run keys may exist under multiple hives.[2][3] The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency.[1] For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll"
[4]
Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
. The startup folder path for all users is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
.
The following Registry keys can be used to set startup folder items for persistence:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
The following Registry keys can control automatic startup of services during boot:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
Using policy settings to specify startup programs creates corresponding values in either of two Registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Programs listed in the load value of the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
run automatically for the currently logged-on user.
By default, the multistring BootExecute
value of the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
is set to autocheck autochk *
. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.
Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use Masquerading to make the Registry entries look as if they are associated with legitimate programs.
ID | Name | Description |
---|---|---|
S0045 | ADVSTORESHELL |
ADVSTORESHELL achieves persistence by adding itself to the |
S0331 | Agent Tesla |
Agent Tesla can add itself to the Registry as a startup program to establish persistence.[8][9] |
S1025 | Amadey |
Amadey has changed the Startup folder to the one containing its executable by overwriting the registry keys.[10][11] |
S1074 | ANDROMEDA |
ANDROMEDA can establish persistence by dropping a sample of itself to |
S0622 | AppleSeed |
AppleSeed has the ability to create the Registry key name |
G0026 | APT18 |
APT18 establishes persistence via the |
G0073 | APT19 |
An APT19 HTTP malware variant establishes persistence by setting the Registry key |
G0007 | APT28 |
APT28 has deployed malware that has copied itself to the startup directory for persistence.[17] |
G0016 | APT29 | |
G0022 | APT3 |
APT3 places scripts in the startup folder for persistence.[19] |
G0050 | APT32 |
APT32 established persistence using Registry Run keys, both to execute PowerShell and VBS scripts as well as to execute their backdoor directly.[20][21][22] |
G0064 | APT33 |
APT33 has deployed a tool known as DarkComet to the Startup folder of a victim, and used Registry run keys to gain persistence.[23][24] |
G0067 | APT37 |
APT37's has added persistence via the Registry key |
G0087 | APT39 |
APT39 has maintained persistence using the startup folder.[27] |
G0096 | APT41 |
APT41 created and modified startup files for persistence.[28][29] APT41 added a registry key in |
S0456 | Aria-body |
Aria-body has established persistence via the Startup folder or Run Registry key.[31] |
S0373 | Astaroth | |
S1029 | AuTo Stealer |
AuTo Stealer can place malicious executables in a victim's AutoRun registry key or StartUp directory, depending on the AV product installed, to maintain persistence.[33] |
S0640 | Avaddon | |
S1053 | AvosLocker |
AvosLocker has been executed via the |
S0414 | BabyShark |
BabyShark has added a Registry key to ensure all future macros are enabled for Microsoft Word and Excel as well as for additional persistence.[36][37] |
S0093 | Backdoor.Oldrea |
Backdoor.Oldrea adds Registry Run keys to achieve persistence.[38][39] |
S0031 | BACKSPACE |
BACKSPACE achieves persistence by creating a shortcut to itself in the CSIDL_STARTUP directory.[40] |
S0128 | BADNEWS |
BADNEWS installs a registry Run key to establish persistence.[41] |
S0337 | BadPatch |
BadPatch establishes a foothold by adding a link to the malware executable in the startup folder.[42] |
S0534 | Bazar |
Bazar can create or add files to Registry Run Keys to establish persistence.[43][44] |
S0127 | BBSRAT |
BBSRAT has been loaded through DLL side-loading of a legitimate Citrix executable that is set to persist through the Registry Run key location |
S0268 | Bisonal |
Bisonal has added itself to the Registry key |
S0570 | BitPaymer |
BitPaymer has set the run key |
S0089 | BlackEnergy |
The BlackEnergy 3 variant drops its main DLL component and then creates a .lnk shortcut to that file in the startup folder.[48] |
S0635 | BoomBox |
BoomBox can establish persistence by writing the Registry value |
S0204 | Briba |
Briba creates run key Registry entries pointing to malicious DLLs dropped to disk.[50] |
G0060 | BRONZE BUTLER |
BRONZE BUTLER has used a batch script that adds a Registry Run key to establish malware persistence.[51] |
S0471 | build_downer |
build_downer has the ability to add itself to the Registry Run key for persistence.[52] |
S0030 | Carbanak |
Carbanak stores a configuration files in the startup directory to automatically execute commands in order to persist across reboots.[53] |
S0484 | Carberp |
Carberp has maintained persistence by placing itself inside the current user's startup folder.[54] |
S0348 | Cardinal RAT |
Cardinal RAT establishes Persistence by setting the |
S0631 | Chaes |
Chaes has added persistence via the Registry key |
S0144 | ChChes |
ChChes establishes persistence by adding a Registry Run key.[57] |
S1041 | Chinoxy |
Chinoxy has established persistence via the |
S0660 | Clambling |
Clambling can establish persistence by adding a Registry run key.[59][60] |
G0080 | Cobalt Group |
Cobalt Group has used Registry Run keys for persistence. The group has also set a Startup path to launch the PowerShell shell command and download Cobalt Strike.[61] |
S0338 | Cobian RAT |
Cobian RAT creates an autostart Registry key to ensure persistence.[62] |
S0244 | Comnie |
Comnie achieves persistence by adding a shortcut of itself to the startup path in the Registry.[63] |
S0608 | Conficker |
Conficker adds Registry Run keys to establish persistence.[64] |
G0142 | Confucius |
Confucius has dropped malicious files into the startup folder |
S0137 | CORESHELL |
CORESHELL has established persistence by creating autostart extensibility point (ASEP) Registry entries in the Run key and other Registry keys, as well as by creating shortcuts in the Internet Explorer Quick Start folder.[66] |
S0046 | CozyCar |
One persistence mechanism used by CozyCar is to set itself to be executed at system startup by adding a Registry value under one of the following Registry keys: |
S0115 | Crimson | |
S0235 | CrossRAT | |
G0070 | Dark Caracal |
Dark Caracal's version of Bandook adds a registry key to |
S0334 | DarkComet |
DarkComet adds several Registry entries to enable automatic execution at every system startup.[71][72] |
S1111 | DarkGate |
DarkGate installation includes AutoIt script execution creating a shortcut to itself as an LNK object, such as bill.lnk, in the victim startup folder.[73] DarkGate installation finishes with the creation of a registry Run key.[73] |
G0012 | Darkhotel |
Darkhotel has been known to establish persistence by adding programs to the Run Registry key.[74] |
S1066 | DarkTortilla |
DarkTortilla has established persistence via the |
S1021 | DnsSystem |
DnsSystem can write itself to the Startup folder to gain persistence.[76] |
S0186 | DownPaper |
DownPaper uses PowerShell to add a Registry Run key in order to establish persistence.[77] |
G0035 | Dragonfly |
Dragonfly has added the registry value ntdll to the Registry Run key to establish persistence.[78] |
S0062 | DustySky |
DustySky achieves persistence by creating a Registry entry in |
S0081 | Elise |
If establishing persistence by installation as a new service fails, one variant of Elise establishes persistence for the created .exe file by setting the following Registry key: |
S0082 | Emissary |
Variants of Emissary have added Run Registry keys to establish persistence.[82] |
S0367 | Emotet |
Emotet has been observed adding the downloaded payload to the |
S0363 | Empire |
Empire can modify the registry run keys |
S0396 | EvilBunny |
EvilBunny has created Registry keys for persistence in |
S0152 | EvilGrab |
EvilGrab adds a Registry Run key for ctfmon.exe to establish persistence.[57] |
S0568 | EVILNUM |
EVILNUM can achieve persistence through the Registry Run key.[88][89] |
S0512 | FatDuke |
FatDuke has used |
S0267 | FELIXROOT |
FELIXROOT adds a shortcut file to the startup folder for persistence.[91] |
G0051 | FIN10 |
FIN10 has established persistence by using the Registry option in PowerShell Empire to add a Run key.[92][86] |
G1016 | FIN13 |
FIN13 has used Windows Registry run keys such as, |
G0037 | FIN6 |
FIN6 has used Registry Run keys to establish persistence for its downloader tools known as HARDTACK and SHIPBREAD.[94] |
G0046 | FIN7 |
FIN7 malware has created Registry Run and RunOnce keys to establish persistence, and has also added items to the Startup folder.[95][96] |
S0355 | Final1stspy |
Final1stspy creates a Registry Run key to establish persistence.[97] |
S0182 | FinFisher |
FinFisher establishes persistence by creating the Registry key |
S0696 | Flagpro |
Flagpro has dropped an executable file to the startup directory.[100] |
S0036 | FLASHFLOOD |
FLASHFLOOD achieves persistence by making an entry in the Registry's Run key.[40] |
S0381 | FlawedAmmyy |
FlawedAmmyy has established persistence via the |
S1044 | FunnyDream |
FunnyDream can use a Registry Run Key and the Startup folder to establish persistence.[58] |
G0047 | Gamaredon Group |
Gamaredon Group tools have registered Run keys in the registry to give malicious VBS files persistence.[101][102][103] |
S0168 | Gazer |
Gazer can establish persistence by creating a .lnk file in the Start menu.[104][105] |
S0666 | Gelsemium | |
S0032 | gh0st RAT |
gh0st RAT has added a Registry Run key to establish persistence.[107][108] |
S0249 | Gold Dragon |
Gold Dragon establishes persistence in the Startup folder.[109] |
G0078 | Gorgon Group |
Gorgon Group malware can create a .lnk file and add a Registry Run key to establish persistence.[110] |
S0531 | Grandoreiro |
Grandoreiro can use run keys and create link files in the startup folder for persistence.[111][112] |
S0417 | GRIFFON |
GRIFFON has used a persistence module that stores the implant inside the Registry, which executes at logon.[113] |
S0632 | GrimAgent | |
S0561 | GuLoader |
GuLoader can establish persistence via the Registry under |
S0499 | Hancitor |
Hancitor has added Registry Run keys to establish persistence.[116] |
S0170 | Helminth |
Helminth establishes persistence by creating a shortcut in the Start Menu folder.[117] |
S1027 | Heyoka Backdoor |
Heyoka Backdoor can establish persistence with the auto start function including using the value |
S0087 | Hi-Zor |
Hi-Zor creates a Registry Run key to establish persistence.[119] |
G0126 | Higaisa |
Higaisa added a spoofed binary to the start-up folder for persistence.[120][121] |
S0070 | HTTPBrowser |
HTTPBrowser has established persistence by setting the |
S0483 | IcedID |
IcedID has established persistence by creating a Registry run key.[124] |
G0100 | Inception |
Inception has maintained persistence by modifying Registry run key value |
S0259 | InnaputRAT |
Some InnaputRAT variants establish persistence by modifying the Registry key |
S0260 | InvisiMole |
InvisiMole can place a lnk file in the Startup Folder to achieve persistence.[127] |
S0015 | Ixeshe |
Ixeshe can achieve persistence by adding itself to the |
S0389 | JCry |
JCry has created payloads in the Startup directory to maintain persistence. [129] |
S0044 | JHUHUGIT |
JHUHUGIT has used a Registry Run key to establish persistence by executing JavaScript code within the rundll32.exe process.[130] |
S0088 | Kasidet |
Kasidet creates a Registry Run key to establish persistence.[131][132] |
S0265 | Kazuar | |
G0004 | Ke3chang |
Several Ke3chang backdoors achieved persistence by adding a Run key.[134] |
G0094 | Kimsuky |
Kimsuky has placed scripts in the startup folder for persistence and modified the |
S0250 | Koadic |
Koadic has added persistence to the |
S0669 | KOCTOPUS |
KOCTOPUS can set the AutoRun Registry key with a PowerShell command.[139] |
S0356 | KONNI |
A version of KONNI has dropped a Windows shortcut into the Startup folder to establish persistence.[140] |
G0032 | Lazarus Group |
Lazarus Group has maintained persistence by loading malicious code into a startup folder or by adding a Registry Run key.[141][142][143][144] |
G0140 | LazyScripter |
LazyScripter has achieved persistence via writing a PowerShell script to the autorun registry key.[139] |
G0065 | Leviathan |
Leviathan has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoor.[145][146] |
S0513 | LiteDuke |
LiteDuke can create persistence by adding a shortcut in the |
S0397 | LoJax |
LoJax has modified the Registry key |
S0582 | LookBack |
LookBack sets up a Registry Run key to establish a persistence mechanism.[148] |
S0532 | Lucifer |
Lucifer can persist by setting Registry key values |
G1014 | LuminousMoth |
LuminousMoth has used malicious DLLs that setup persistence in the Registry Key |
S0409 | Machete | |
G0059 | Magic Hound |
Magic Hound malware has used Registry Run keys to establish persistence.[154][155][156] |
S0652 | MarkiRAT |
MarkiRAT can drop its payload into the Startup directory to ensure it automatically runs when the compromised system is started.[157] |
S0167 | Matryoshka |
Matryoshka can establish persistence by adding Registry Run keys.[158][159] |
S0449 | Maze |
Maze has created a file named "startup_vrun.bat" in the Startup folder of a virtual machine to establish persistence.[160] |
S0500 | MCMD | |
S0455 | Metamorfo |
Metamorfo has configured persistence to the Registry key |
S1122 | Mispadu |
Mispadu creates a link in the startup folder for persistence.[166] Mispadu adds persistence via the registry key |
S0080 | Mivast |
Mivast creates the following Registry entry: |
S0553 | MoleNet |
MoleNet can achieve persitence on the infected machine by setting the Registry run key.[169] |
G0021 | Molerats |
Molerats saved malicious files within the AppData and Startup folders to maintain persistence.[170] |
S1026 | Mongall |
Mongall can establish persistence with the auto start function including using the value |
S0256 | Mosquito |
Mosquito establishes persistence under the Registry key |
G0069 | MuddyWater |
MuddyWater has added Registry Run key |
G0129 | Mustang Panda |
Mustang Panda has created the registry key |
G0019 | Naikon |
Naikon has modified a victim's Windows Run registry to establish persistence.[179] |
S0228 | NanHaiShu |
NanHaiShu modifies the %regrun% Registry to point itself to an autostart mechanism.[180] |
S0336 | NanoCore |
NanoCore creates a RunOnce key in the Registry to execute its VBS scripts each time the user logs on to the machine.[181] |
S0247 | NavRAT |
NavRAT creates a Registry key to ensure a file gets executed upon reboot in order to establish persistence.[182] |
S0630 | Nebulae |
Nebulae can achieve persistence through a Registry Run key.[179] |
S0034 | NETEAGLE |
The "SCOUT" variant of NETEAGLE achieves persistence by adding itself to the |
S0198 | NETWIRE |
NETWIRE creates a Registry start-up entry to establish persistence.[183][184][115][185] |
S0385 | njRAT |
njRAT has added persistence via the Registry key |
S0353 | NOKKI |
NOKKI has established persistence by writing the payload to the Registry key |
S0644 | ObliqueRAT |
ObliqueRAT can gain persistence by a creating a shortcut in the infected user's Startup directory.[189] |
S0340 | Octopus |
Octopus achieved persistence by placing a malicious executable in the startup directory and has added the |
S0439 | Okrum |
Okrum establishes persistence by creating a .lnk shortcut to itself in the Startup folder.[191] |
C0022 | Operation Dream Job |
During Operation Dream Job, Lazarus Group placed LNK files into the victims' startup folder for persistence.[192] |
C0013 | Operation Sharpshooter |
During Operation Sharpshooter, a first-stage downloader installed Rising Sun to |
G0040 | Patchwork |
Patchwork has added the path of its second-stage malware to the startup folder to achieve persistence. One of its file stealers has also persisted by adding a Registry Run key.[194][195] |
S0124 | Pisloader |
Pisloader establishes persistence via a Registry Run key.[196] |
S0254 | PLAINTEE |
PLAINTEE gains persistence by adding the Registry key |
S0013 | PlugX |
PlugX adds Run key entries in the Registry to establish persistence.[198][57][199] |
S0428 | PoetRAT |
PoetRAT has added a registry key in the |
S0012 | PoisonIvy |
PoisonIvy creates run key Registry entries pointing to a malicious executable dropped to disk.[201] |
S0139 | PowerDuke |
PowerDuke achieves persistence by using various Registry Run keys.[202] |
S0441 | PowerShower |
PowerShower sets up persistence with a Registry run key.[203] |
S0145 | POWERSOURCE |
POWERSOURCE achieves persistence by setting a Registry Run key, with the path depending on whether the victim account has user or administrator access.[204] |
S0194 | PowerSploit |
PowerSploit's |
S0371 | POWERTON |
POWERTON can install a Registry Run key for persistence.[207] |
S0113 | Prikormka |
Prikormka adds itself to a Registry Run key with the name guidVGA or guidVSA.[208] |
G0056 | PROMETHIUM |
PROMETHIUM has used Registry run keys to establish persistence.[209] |
S0147 | Pteranodon |
Pteranodon copies itself to the Startup folder to establish persistence.[210] |
S0196 | PUNCHBUGGY |
PUNCHBUGGY has been observed using a Registry Run key.[211][212] |
S0192 | Pupy |
Pupy adds itself to the startup folder or adds itself to the Registry key |
G0024 | Putter Panda |
A dropper used by Putter Panda installs itself into the ASEP Registry key |
S0650 | QakBot |
QakBot can maintain persistence by creating an auto-run Registry key.[215][216][217][218] |
S0262 | QuasarRAT |
If the QuasarRAT client process does not have administrator privileges it will add a registry key to |
S0458 | Ramsay |
Ramsay has created Registry Run keys to establish persistence.[221] |
S0662 | RCSession |
RCSession has the ability to modify a Registry Run key to establish persistence.[59][222] |
S0172 | Reaver |
Reaver creates a shortcut file and saves it in a Startup folder to establish persistence.[223] |
S0153 | RedLeaves |
RedLeaves attempts to add a shortcut file in the Startup folder to achieve persistence. If this fails, it attempts to add Registry Run keys.[57][224] |
S0332 | Remcos |
Remcos can add itself to the Registry key |
S0375 | Remexi |
Remexi utilizes Run Registry keys in the HKLM hive as a persistence mechanism.[226] |
S0433 | Rifdoor |
Rifdoor has created a new registry entry at |
G0106 | Rocke |
Rocke's miner has created UPX-packed files in the Windows Start Menu Folder.[228] |
S0270 | RogueRobin |
RogueRobin created a shortcut in the Windows startup folder to launch a PowerShell script each time the user logs in to establish persistence.[229] |
S0090 | Rover |
Rover persists by creating a Registry entry in |
S0148 | RTM |
RTM tries to add a Registry Run key under the name "Windows Update" to establish persistence.[231] |
G0048 | RTM |
RTM has used Registry run keys to establish persistence for the RTM Trojan and other tools, such as a modified version of TeamViewer remote desktop software.[231][232] |
S0253 | RunningRAT |
RunningRAT adds itself to the Registry key |
S0446 | Ryuk |
Ryuk has used the Windows command line to create a Registry entry under |
S0085 | S-Type |
S-Type may create a .lnk file to itself that is saved in the Start menu folder. It may also create the Registry key |
S1018 | Saint Bot |
Saint Bot has established persistence by being copied to the Startup directory or through the |
S0074 | Sakula |
Most Sakula samples maintain persistence by setting the Registry Run key |
S0461 | SDBbot |
SDBbot has the ability to add a value to the Registry Run key to establish persistence if it detects it is running with regular user privilege. [238][239] |
S0053 | SeaDuke |
SeaDuke is capable of persisting via the Registry Run key or a .lnk file stored in the Startup directory.[240] |
S0345 | Seasalt |
Seasalt creates a Registry entry to ensure infection after reboot under |
S0382 | ServHelper |
ServHelper may attempt to establish persistence via the |
S0546 | SharpStage |
SharpStage has the ability to create persistence for the malware using the Registry autorun key and startup folder.[169] |
S0444 | ShimRat |
ShimRat has installed a registry based start-up key |
S0028 | SHIPSHAPE |
SHIPSHAPE achieves persistence by creating a shortcut in the Startup folder.[40] |
G0121 | Sidewinder |
Sidewinder has added paths to executables in the Registry to establish persistence.[244][245][246] |
G0091 | Silence |
Silence has used |
S0692 | SILENTTRINITY |
SILENTTRINITY can establish a LNK file in the startup folder for persistence.[248] |
S1035 | Small Sieve |
Small Sieve has the ability to add itself to |
S0226 | Smoke Loader |
Smoke Loader adds a Registry Run key for persistence and adds a script in the Startup folder to deploy the payload.[250] |
S0649 | SMOKEDHAM |
SMOKEDHAM has used |
S1086 | Snip3 |
Snip3 can create a VBS file in startup to persist after system restarts.[252] |
S0159 | SNUGRIDE |
SNUGRIDE establishes persistence through a Registry Run key.[253] |
S0035 | SPACESHIP |
SPACESHIP achieves persistence by creating a shortcut in the current user's Startup folder.[40] |
S0058 | SslMM |
To establish persistence, SslMM identifies the Start Menu Startup directory and drops a link to its own executable disguised as an "Office Start," "Yahoo Talk," "MSN Gaming Z0ne," or "MSN Talk" shortcut.[254] |
S1037 | STARWHALE |
STARWHALE can establish persistence by installing itself in the startup folder, whereas the GO variant has created a |
S0491 | StrongPity |
StrongPity can use the |
S0018 | Sykipot |
Sykipot has been known to establish persistence by adding programs to the Run Registry key.[257] |
S0663 | SysUpdate |
SysUpdate can use a Registry Run key to establish persistence.[258] |
G1018 | TA2541 |
TA2541 has placed VBS files in the Startup folder and used Registry run keys to establish persistence for malicious payloads.[259] |
S0011 | Taidoor |
Taidoor has modified the |
S0586 | TAINTEDSCRIBE |
TAINTEDSCRIBE can copy itself into the current user’s Startup folder as "Narrator.exe" for persistence.[261] |
G0139 | TeamTNT | |
G0027 | Threat Group-3390 |
Threat Group-3390's malware can add a Registry key to |
S0665 | ThreatNeedle |
ThreatNeedle can be loaded into the Startup folder ( |
S0131 | TINYTYPHON |
TINYTYPHON installs itself under Registry Run key to establish persistence.[41] |
S0004 | TinyZBot |
TinyZBot can create a shortcut in the Windows startup folder for persistence.[266] |
S0266 | TrickBot |
TrickBot establishes persistence in the Startup folder.[267] |
S0094 | Trojan.Karagany |
Trojan.Karagany can create a link to itself in the Startup folder to automatically start itself upon system restart.[38][268] |
G0081 | Tropic Trooper |
Tropic Trooper has created shortcuts in the Startup folder to establish persistence.[269][270] |
S0178 | Truvasys |
Truvasys adds a Registry Run key to establish persistence.[271] |
S0647 | Turian |
Turian can establish persistence by adding Registry Run keys.[272] |
G0010 | Turla |
A Turla Javascript backdoor added a local_update_check value under the Registry key |
S0199 | TURNEDUP |
TURNEDUP is capable of writing to a Registry Run key to establish.[274] |
S0386 | Ursnif |
Ursnif has used Registry Run keys to establish automatic execution at system startup.[275][276] |
S0136 | USBStealer |
USBStealer registers itself under a Registry Run key with the name "USB Disk Security."[277] |
S0207 | Vasport |
Vasport copies itself to disk and creates an associated run key Registry entry to establish.[278] |
S0442 | VBShower |
VBShower used |
S0670 | WarzoneRAT |
WarzoneRAT can add itself to the |
G0112 | Windshift |
Windshift has created LNK files in the Startup folder to establish persistence.[281] |
S0141 | Winnti for Windows |
Winnti for Windows can add a service named |
G0102 | Wizard Spider |
Wizard Spider has established persistence via the Registry key |
S0341 | Xbash |
Xbash can create a Startup item for persistence if it determines it is on a Windows system.[285] |
S0251 | Zebrocy |
Zebrocy creates an entry in a Registry Run key for the malware to execute on startup.[286][287][288] |
S0330 | Zeus Panda |
Zeus Panda adds persistence by creating Registry Run keys.[289][290] |
G0128 | ZIRCONIUM |
ZIRCONIUM has created a Registry Run key named |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0017 | Command | Command Execution |
Monitor executed commands and arguments that may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. |
DS0022 | File | File Modification |
Monitor the start folder for additions or changes. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including the startup folders. [292] |
DS0009 | Process | Process Creation |
Monitor for newly executed processes executed from the Run/RunOnce registry keys through Windows EID 9707 or "Software\Microsoft\Windows\CurrentVersion\Run" and "Software\Microsoft\Windows\CurrentVersion\RunOnce" registry keys with the full command line. Registry modifications are often essential in establishing persistence via known Windows mechanisms. Many legitimate modifications are done graphically via regedit.exe or by using the corresponding channels, or even calling the Registry APIs directly. The built-in utility reg.exe provides a command-line interface to the registry, so that queries and modifications can be performed from a shell, such as cmd.exe. When a user is responsible for these actions, the parent of cmd.exe will likely be explorer.exe. Occasionally, power users and administrators write scripts that do this behavior as well, but likely from a different process tree. These background scripts must be learned so they can be tuned out accordingly. Output DescriptionThe sequence of processes that resulted in reg.exe being started from a shell. That is, a hierarchy that looks like• great-grand_parent.exe• grand_parent.exe• parent.exe• reg.exe Analytic 1 - Reg.exe called from Command Shell
|
DS0024 | Windows Registry | Windows Registry Key Creation |
Monitor for newly created windows registry keys that may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. |
Windows Registry Key Modification |
Monitor Registry for changes to run keys that do not correlate with known software, patch cycles, etc. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the run keys' Registry locations. [292] Detection of the modification of the registry key Analytic 1 - Modification of Default Startup Folder in the Registry Key ‘Common Startup’
|