# Registry Run Keys / Start Folder

| Technique | Detail |
|---|---|
| ID | T1060 |
| Tactic | Persistence |
| Platform | Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Windows 10 |
| Permissions Required | User, Administrator |
| Data Sources | Windows Registry, File monitoring |
| CAPEC ID | CAPEC-270 |

Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.[1] The program will be executed under the context of the user and will have the account's associated permissions level.

Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use Masquerading to make the Registry entries look as if they are associated with legitimate programs.

## Examples

• APT29 added Registry Run keys to establish persistence.[2]
• Darkhotel has been known to establish persistence by adding programs to the Run Registry key.[3]
• FIN10 has established persistence by using the Registry option in PowerShell Empire to add a Run key.[4][5]
• FIN6 has used Registry Run keys to establish persistence for its downloader tools known as HARDTACK and SHIPBREAD.[6]
• FIN7 malware has created a Registry Run key pointing to its malicious LNK file to establish persistence.[7]
• Lazarus Group malware RomeoAlfa maintains persistence by saving itself in the Start menu folder.[8]
• Patchwork added the path of its second-stage malware to the startup folder to achieve persistence.[9]
• A dropper used by Putter Panda installs itself into the ASEP Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run with a value named McUpdate.[10]
• ADVSTORESHELL achieves persistence by adding itself to the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Registry key.[11][12][13]
• BACKSPACE achieves persistence by creating a shortcut to itself in the CSIDL_STARTUP directory.[14]
• BADNEWS installs a registry Run key to establish persistence.[15]
• BBSRAT has been loaded through DLL side-loading of a legitimate Citrix executable that is set to persist through the registry run key location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ssonsvr.exe
• Backdoor.Oldrea adds Registry Run keys to achieve persistence.[16]
• The BlackEnergy 3 variant drops its main DLL component and then creates a .lnk shortcut to that file in the startup folder.[17]
• CORESHELL has established persistence by creating autostart extensibility point (ASEP) Registry entries in the Run key and other Registry keys, as well as by creating shortcuts in the Internet Explorer Quick Start folder.[18]
• ChChes establishes persistence by adding a Registry Run key.[19]
• One persistence mechanism used by CozyCar is to set itself to be executed at system startup by adding a Registry value under one of the following Registry keys:[20]
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
  HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
  HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
• DustySky achieves persistence by creating a Registry entry in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.[21]
• If establishing persistence by installation as a new service fails, one variant of Elise establishes persistence for the created .exe file by setting the following Registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost : %APPDATA%\Microsoft\Network\svchost.exe. Other variants have set the following Registry key for persistence: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\imejp : [self].[22]
• Variants of Emissary have added Run Registry keys to establish persistence.[23]
• EvilGrab adds a Registry Run key for ctfmon.exe to establish persistence.[19]
• FLASHFLOOD achieves persistence by making an entry in the Registry's Run key.[14]
• HTTPBrowser has established persistence by setting the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key value for wdm to the path of the executable.[24] It has also used the Registry entry HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run vpdn “%ALLUSERPROFILE%\%APPDATA%\vpdn\VPDN_LU.exe” to establish persistence.[25]
• Hi-Zor creates a Registry Run key to establish persistence.[26]
• JHUHUGIT has used a Registry Run key to establish persistence by executing JavaScript code within the rundll32.exe process.[27]
• Kasidet creates a Registry Run key to establish persistence.[28][29]
• Mivast creates the following Registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Micromedia.[30]
• The "SCOUT" variant of NETEAGLE achieves persistence by adding itself to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Registry key.[14]
• POWERSOURCE achieves persistence by setting a Registry Run key, with the path depending on whether the victim account has user or administrator access.[31]
• Pisloader establishes persistence via a Registry Run key.[32]
• PlugX can add a Run key entry in the Registry to establish persistence.[33][19]
• PowerDuke achieves persistence by using various Registry Run keys.[34]
• Prikormka adds itself to a Registry Run key with the name guidVGA or guidVSA.[35]
• Pteranodon copies itself to the Startup folder to establish persistence.[36]
• RTM tries to add a Registry Run key under the name "Windows Update" to establish persistence.[37]
• RedLeaves attempts to add a shortcut file in the Startup folder to achieve persistence; if this fails, it attempts to add Registry Run keys.[19]
• Rover persists by creating a Registry entry in HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\.[38]
• S-Type may create a .lnk file to itself that is saved in the Start menu folder. It may also create the Registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ IMJPMIJ8.1{3 characters of Unique Identifier}.[39]
• SHIPSHAPE achieves persistence by creating a shortcut in the Startup folder.[14]
• SNUGRIDE establishes persistence through a Registry Run key.[40]
• SPACESHIP achieves persistence by creating a shortcut in the current user's Startup folder.[14]
• Most Sakula samples maintain persistence by setting the Registry Run key SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ in the HKLM or HKCU hive, with the Registry value and file name varying by sample.[41]
• SeaDuke is capable of persisting via the Registry Run key or a .lnk file stored in the Startup directory.[42]
• To establish persistence, SslMM identifies the Start Menu Startup directory and drops a link to its own executable disguised as an “Office Start,” “Yahoo Talk,” “MSN Gaming Z0ne,” or “MSN Talk” shortcut.[43]
• Sykipot has been known to establish persistence by adding programs to the Run Registry key.[44]
• TINYTYPHON installs itself under a Registry Run key to establish persistence.[15]
• TinyZBot can create a shortcut in the Windows startup folder for persistence.[45]
• Trojan.Karagany can create a link to itself in the Startup folder to automatically start itself upon system restart.[16]
• USBStealer registers itself under a Registry Run key with the name "USB Disk Security."[46]

## Mitigation

Identify and block potentially malicious software that may be executed through run key or startup folder persistence using whitelisting[47] tools like AppLocker[48][49] or Software Restriction Policies[50] where appropriate.[51]

## Detection

Monitor the Registry for changes to run keys that do not correlate with known software, patch cycles, etc. Monitor the start folder for additions or changes. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the run keys' Registry locations and startup folders.[52] Suspicious program execution as startup programs may show up as outlier processes that have not been seen before when compared against historical data.
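The monitoring described above, carried out offline against an exported copy of the four Run keys listed in the CozyCar entry and a listing of the Startup folder, as an added example (it is not part of the ATT&CK page and not a tool of any group or malware named on it). It parses the `.reg` export format, diffs each value against a known-good baseline, and additionally flags command lines that execute from user-writable profile directories, the pattern visible in the Elise and HTTPBrowser entries. The export text, the baseline, the folder listing and the names `VendorAgent`, `agent.exe` and `wupd.exe` are constructed sample data; the value names `svchost` and `Windows Update` and the link name `Office Start.lnk` are taken from the page's examples.

```python
"""Baseline check of Run keys and the Startup folder (added example, constructed data)."""
import re
from dataclasses import dataclass

# The four Run locations named in the CozyCar entry, spelled with the long hive
# names used by .reg exports and lower-cased because Registry paths are
# case-insensitive.
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\policies\explorer\run",
}

# Installed software rarely autostarts straight out of these locations; the
# Elise and HTTPBrowser entries on the page both do.
USER_WRITABLE_HINTS = ("%appdata%", "%localappdata%", "%temp%", "\\appdata\\", "\\temp\\")

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# Only REG_SZ lines ("name"="data") matter for Run keys; hex:/dword: lines are skipped.
_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')


@dataclass(frozen=True)
class Finding:
    location: str   # Registry key or folder path
    name: str       # value name or file name
    target: str     # command line or file name
    reasons: tuple


def _unescape(s: str) -> str:
    # .reg exports write backslash and double quote as \\ and \"
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_keys(reg_text: str) -> dict:
    """Return {key_lower: {value_name: data}} for the Run keys found in a .reg export."""
    entries, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group("key").lower()
            current = key if key in RUN_KEYS else None
            if current is not None:
                entries.setdefault(current, {})
            continue
        if current is None:
            continue
        m = _VALUE_RE.match(line)
        if m:
            entries[current][_unescape(m.group("name"))] = _unescape(m.group("data"))
    return entries


def check_run_keys(entries: dict, baseline: dict) -> list:
    """Flag values missing from / differing from the baseline, or running from profile dirs."""
    findings = []
    for key, values in entries.items():
        known = baseline.get(key, {})
        for name, data in values.items():
            reasons = []
            if name not in known:
                reasons.append("value name not in baseline")
            elif known[name].lower() != data.lower():
                reasons.append("command line differs from baseline")
            if any(h in data.lower() for h in USER_WRITABLE_HINTS):
                reasons.append("executes from user-writable profile directory")
            if reasons:
                findings.append(Finding(key, name, data, tuple(reasons)))
    return findings


def check_startup_folder(folder: str, listing: list, baseline_names: list) -> list:
    """Flag files in a Startup folder listing that the baseline does not know."""
    known = {b.lower() for b in baseline_names}
    return [Finding(folder, fn, fn, ("new file in Startup folder",))
            for fn in listing if fn.lower() not in known]


# ---- constructed sample data ------------------------------------------------
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"VendorAgent"="\"C:\\Program Files\\Vendor\\agent.exe\" /quiet"
"svchost"="%APPDATA%\\Microsoft\\Network\\svchost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Windows Update"="C:\\Users\\alice\\AppData\\Roaming\\wupd.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Themes]
"CurrentTheme"="C:\\Windows\\resources\\Themes\\aero.theme"
"""
BASELINE_RUN = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run": {
        "VendorAgent": r'"C:\Program Files\Vendor\agent.exe" /quiet',
    },
}
STARTUP_FOLDER = r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_STARTUP_LISTING = ["desktop.ini", "Office Start.lnk"]
BASELINE_STARTUP = ["desktop.ini"]


def run_check() -> list:
    findings = check_run_keys(parse_run_keys(SAMPLE_REG_EXPORT), BASELINE_RUN)
    findings += check_startup_folder(STARTUP_FOLDER, SAMPLE_STARTUP_LISTING, BASELINE_STARTUP)
    return findings


if __name__ == "__main__":
    for f in run_check():
        print(f"{f.location}\n  {f.name} -> {f.target}\n  {'; '.join(f.reasons)}")
```

On a live host the export text comes from `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` (one call per key); `reg export` writes UTF-16LE with a BOM, so read the file with `encoding="utf-16"` before passing it to `parse_run_keys`. The baseline is deliberately a plain dictionary so it can be regenerated from a golden image after each patch cycle, which is what keeps the "does not correlate with known software" test from drowning in legitimate installer noise.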

Changes to these locations typically happen under normal conditions when legitimate software is installed. To increase confidence of malicious activity, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.