Registry Run Keys / Start Folder
|Registry Run Keys / Start Folder|
|Permissions Required||User, Administrator|
|Data Sources||Windows Registry, File monitoring|
Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.1 The program will be executed under the context of the user and will have the account's associated permissions level.
Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use Masquerading to make the Registry entries look as if they are associated with legitimate programs.
- APT29 added Registry Run keys to establish persistence.2
- APT3 places scripts in the startup folder for persistence. 3
- APT37 malware MILKDROP sets a Registry key for persistence.4
- BRONZE BUTLER has used a batch script that adds a Registry Run key to establish malware persistence.5
- Darkhotel has been known to establish persistence by adding programs to the Run Registry key.6
- FIN10 has established persistence by using the Registry option in PowerShell Empire to add a Run key.78
- FIN6 has used Registry Run keys to establish persistence for its downloader tools known as HARDTACK and SHIPBREAD.9
- FIN7 malware has created a Registry Run key pointing to its malicious LNK file to establish persistence.10
- Lazarus Group malware attempts to maintain persistence by saving itself in the Start menu folder or by adding a Registry Run key.1112
- Magic Hound malware has used Registry Run keys to establish persistence.15
- MuddyWater has added Registry Run keys to establish persistence.16
- Patchwork added the path of its second-stage malware to the startup folder to achieve persistence.17
- A dropper used by Putter Panda installs itself into the ASEP Registry key
HKCU\Software\Microsoft\Windows\CurrentVersion\Runwith a value named McUpdate.18
- ADVSTORESHELL achieves persistence by adding itself to the
- BACKSPACE achieves persistence by creating a shortcut to itself in the CSIDL_STARTUP directory.22
- BADNEWS installs a registry Run key to establish persistence.23
- BBSRAT has been loaded through DLL side-loading of a legitimate Citrix executable that is set to persist through the registry run key location:
- Backdoor.Oldrea adds Registry Run keys to achieve persistence.24
- The BlackEnergy 3 variant drops its main DLL component and then creates a .lnk shortcut to that file in the startup folder.25
- Briba creates run key Registry entries pointing to malicious DLLs dropped to disk.26
- CORESHELL has established persistence by creating autostart extensibility point (ASEP) Registry entries in the Run key and other Registry keys, as well as by creating shortcuts in the Internet Explorer Quick Start folder.27
- ChChes establishes persistence by adding a Registry Run key.28
- One persistence mechanism used by CozyCar is to set itself to be executed at system startup by adding a Registry value under one of the following Registry keys:
- creates run key Registry entries pointing to a malicious executable dropped to disk.30
- DownPaper uses PowerShell to add a Registry Run key in order to establish persistence.31
- DustySky achieves persistence by creating a Registry entry in
- If establishing persistence by installation as a new service fails, one variant of Elise establishes persistence for the created .exe file by setting the following Registry key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost : %APPDATA%\Microsoft\Network\svchost.exe. Other variants have set the following Registry key for persistence:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\imejp : [self]. 33
- Variants of Emissary have added Run Registry keys to establish persistence.34
- EvilGrab adds a Registry Run key for ctfmon.exe to establish persistence.28
- FLASHFLOOD achieves persistence by making an entry in the Registry's Run key.22
- Gazer can establish persistence by creating a .lnk file in the Start menu. 3536
- HTTPBrowser has established persistence by setting the
HKCU\Software\Microsoft\Windows\CurrentVersion\Runkey value for
wdmto the path of the executable.37 It has also used the Registry entry
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run vpdn “%ALLUSERPROFILE%\%APPDATA%\vpdn\VPDN_LU.exe”to establish persistence.38
- Helminth establishes persistence by creating a shortcut in the Start Menu folder.39
- Hi-Zor creates a Registry Run key to establish persistence.40
- Kasidet creates a Registry Run key to establish persistence.42 43
- Matroyshka can establish persistence by adding Registry Run keys.4445
- Mivast creates the following Registry entry:
- The "SCOUT" variant of NETEAGLE achieves persistence by adding itself to the
- creates a Registry start-up entry to establish persistence.47
- POWERSOURCE achieves persistence by setting a Registry Run key, with the path depending on whether the victim account has user or administrator access.48
- PUNCHBUGGY can establish Persistence using a Registry run key.49
- Pisloader establishes persistence via a Registry Run key.50
- PlugX can add a Run key entry in the Registry to establish persistence.5128
- PowerDuke achieves persistence by using various Registry Run keys.52
New-UserPersistenceOptionPersistence argument can be used to establish Persistence via the
- Prikormka adds itself to a Registry Run key with the name guidVGA or guidVSA.55
- Pteranodon copies itself to the Startup folder to establish persistence.56
- Pupy adds itself to the startup folder or adds itself to the Registry key
- ... further results
Identify and block potentially malicious software that may be executed through run key or startup folder persistence using whitelisting58 tools like AppLocker5960 or Software Restriction Policies61 where appropriate.62
Monitor Registry for changes to run keys that do not correlate with known software, patch cycles, etc. Monitor the start folder for additions or changes. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the run keys' Registry locations and startup folders.63 Suspicious program execution as startup programs may show up as outlier processes that have not been seen before when compared against historical data.
Changes to these locations typically happen under normal conditions when legitimate software is installed. To increase confidence of malicious activity, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.
- Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November 12, 2014.
- Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016.
- Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016.
- FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.
- Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
- Kaspersky Lab's Global Research and Analysis Team. (2014, November). The Darkhotel APT A Story of Unusual Hospitality. Retrieved November 12, 2014.
- FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved June 25, 2017.
- Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
- FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.
- Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016.
- Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.
- Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
- FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
- Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
- Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
- Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.
- Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
- Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
- ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
- Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
- FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
- Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
- Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
- F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
- Ladley, F. (2012, May 15). Backdoor.Briba. Retrieved February 21, 2018.
- Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015.
- PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
- F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.
- Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
- ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017.
- ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
- Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
- Falcone, R. and Miller-Osborn, J.. (2016, February 3). Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?. Retrieved February 15, 2016.
- ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017.
- Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.
- Shelmire, A.. (2015, July 6). Evasive Maneuvers. Retrieved January 22, 2016.
- Desai, D.. (2015, August 14). Chinese cyber espionage APT group leveraging recently leaked Hacking Team exploits to target a Financial Services Firm. Retrieved January 26, 2016.
- Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
- Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved March 24, 2016.
- ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
- Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
- Manuel, J. and Plantado, R.. (2015, August 9). Win32/Kasidet. Retrieved March 24, 2016.
- ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
- Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved September 11, 2017.
- Stama, D.. (2015, February 6). Backdoor.Mivast. Retrieved February 15, 2016.
- McAfee. (2015, March 2). Netwire RAT Behind Recent Targeted Attacks. Retrieved February 15, 2018.
- Brumaghin, E. and Grady, C.. (2017, March 2). Covert Channels and Poor Decisions: The Tale of DNSMessenger. Retrieved March 8, 2017.
- Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
- Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.
- Vasilenko, R. (2013, December 17). An Analysis of PlugX Malware. Retrieved November 24, 2015.
- Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
- PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
- PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
- Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
- Kasza, A. and Reichel, D.. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
- Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
- Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.
- Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
- NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
- Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.
- Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.
- Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.