Registry Run Keys / Start Folder

From ATT&CK
Technique
ID: T1060
Tactic: Persistence
Platform: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1
Permissions Required: User, Administrator
Data Sources: Windows Registry, File monitoring
CAPEC ID: CAPEC-270

Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.1 The program will be executed under the context of the user and will have the account's associated permissions level.

Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use Masquerading to make the Registry entries look as if they are associated with legitimate programs.

Examples

  • Darkhotel has been known to establish persistence by adding programs to the Run Registry key.2
  • APT29 added Registry Run keys to establish persistence.3
  • A dropper used by Putter Panda installs itself into the ASEP Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run with a value named McUpdate.4
  • Lazarus Group malware RomeoAlfa maintains persistence by saving itself in the Start menu folder.5
  • FIN6 has used Registry Run keys to establish persistence for its downloader tools known as HARDTACK and SHIPBREAD.6
  • Patchwork added the path of its second-stage malware to the startup folder to achieve persistence.7
  • TinyZBot can create a shortcut in the Windows startup folder for persistence.8
  • PlugX can add a Run key entry in the Registry to establish persistence.9
  • Sykipot has been known to establish persistence by adding programs to the Run Registry key.10
  • SHIPSHAPE achieves persistence by creating a shortcut in the Startup folder.11
  • BACKSPACE achieves persistence by creating a shortcut to itself in the CSIDL_STARTUP directory.11
  • The "SCOUT" variant of NETEAGLE achieves persistence by adding itself to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Registry key.11
  • SPACESHIP achieves persistence by creating a shortcut in the current user's Startup folder.11
  • FLASHFLOOD achieves persistence by making an entry in the Registry's Run key.11
  • JHUHUGIT has used a Registry Run key to establish persistence by executing JavaScript code within the rundll32.exe process.12
  • ADVSTORESHELL achieves persistence by adding itself to the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Registry key.1314
  • One persistence mechanism used by CozyCar is to set itself to be executed at system startup by adding a Registry value under one of the following Registry keys: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\, HKCU\Software\Microsoft\Windows\CurrentVersion\Run\, HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, or HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run.15
  • SeaDuke is capable of persisting via the Registry Run key.16
  • To establish persistence, SslMM identifies the Start Menu Startup directory and drops a link to its own executable disguised as an “Office Start,” “Yahoo Talk,” “MSN Gaming Z0ne,” or “MSN Talk” shortcut.17
  • DustySky achieves persistence by creating a Registry entry in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.18
  • HTTPBrowser has established persistence by setting the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key value for wdm to the path of the executable.19 It has also used the Registry entry HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run vpdn “%ALLUSERPROFILE%\%APPDATA%\vpdn\VPDN_LU.exe” to establish persistence.20
  • Most Sakula samples maintain persistence by setting the Registry Run key SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ in the HKLM or HKCU hive, with the Registry value and file name varying by sample.21
  • Mivast creates the following Registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Micromedia.22
  • If establishing persistence by installation as a new service fails, one variant of Elise establishes persistence for the created .exe file by setting the following Registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost : %APPDATA%\Microsoft\Network\svchost.exe. Other variants have set the following Registry key for persistence: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\imejp : [self].23
  • Variants of Emissary have added Run Registry keys to establish persistence.24
  • S-Type may create a .lnk file to itself that is saved in the Start menu folder. It may also create the Registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ IMJPMIJ8.1{3 characters of Unique Identifier}.25
  • Hi-Zor creates a Registry Run key to establish persistence.26
  • Kasidet creates a Registry Run key to establish persistence.2728
  • The BlackEnergy 3 variant drops its main DLL component and then creates a .lnk shortcut to that file in the startup folder.29
  • Rover persists by creating a Registry entry in HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\.30
  • Backdoor.Oldrea adds Registry Run keys to achieve persistence.31
  • Trojan.Karagany can create a link to itself in the Startup folder to automatically start itself upon system restart.31
  • Prikormka adds itself to a Registry Run key with the name guidVGA or guidVSA.32
  • Pisloader establishes persistence via a Registry Run key.33
  • BBSRAT has been loaded through DLL side-loading of a legitimate Citrix executable that is set to persist through the registry run key location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ssonsvr.exe
  • BADNEWS installs a registry Run key to establish persistence.34
  • TINYTYPHON installs itself under Registry Run key to establish persistence.34
  • USBStealer registers itself under a Registry Run key with the name "USB Disk Security."35
  • PowerDuke achieves persistence by using various Registry Run keys.36

Mitigation

Identify and block potentially malicious software that may be executed through run key or startup folder persistence using whitelisting37 tools like AppLocker3839 or Software Restriction Policies40 where appropriate.41

Detection

Monitor Registry for changes to run keys that do not correlate with known software, patch cycles, etc. Monitor the start folder for additions or changes. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the run keys' Registry locations and startup folders.42 Suspicious program execution as startup programs may show up as outlier processes that have not been seen before when compared against historical data.

Changes to these locations typically happen under normal conditions when legitimate software is installed. To increase confidence of malicious activity, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.
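The baseline comparison the detection text describes, as an added example that is not part of the ATT&CK page: a script that parses `reg query`-style output for a Run key (both snapshots below are constructed) and flags values that are new or changed since the previous snapshot, noting two cues that recur in the examples above, an executable under a user-writable profile directory and a value name that mimics a Windows binary.

```python
"""Added example (not from the ATT&CK page): diff a Run key snapshot against a
baseline, as the detection text suggests. Input mimics `reg query` output."""
import re

# Constructed snapshots of HKCU\...\Run; value names and paths are made up.
BASELINE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
"""
CURRENT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    svchost     REG_SZ    C:\Users\alice\AppData\Roaming\Microsoft\Network\svchost.exe
"""

VALUE_RE = re.compile(r"^\s+(\S.*?)\s+(REG_SZ|REG_EXPAND_SZ)\s+(.*)$")
# Profile directories any user can write to; startup entries there deserve review.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\")
SYSTEM_NAMES = {"svchost", "explorer", "lsass", "csrss"}  # names malware above reused

def parse_run_key(text: str) -> dict:
    """Map value name -> command line from `reg query` style output."""
    entries = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            entries[m.group(1)] = m.group(3).strip()
    return entries

def exe_path(command: str) -> str:
    """Return the lower-cased executable path, dropping quotes and arguments."""
    if command.startswith('"'):
        return command[1:command.find('"', 1)].lower()
    return command.split(" ")[0].lower()

def find_new_entries(baseline: str, current: str) -> list:
    """Flag Run values absent from or changed since the baseline, with reasons."""
    before, after = parse_run_key(baseline), parse_run_key(current)
    findings = []
    for name, cmd in after.items():
        if before.get(name) == cmd:
            continue  # unchanged since the baseline: nothing to report
        reasons = ["new value" if name not in before else "command changed"]
        if any(d in exe_path(cmd) for d in USER_WRITABLE):
            reasons.append("executable in user-writable directory")
        if name.lower() in SYSTEM_NAMES:
            reasons.append("value name mimics a Windows binary")
        findings.append({"name": name, "command": cmd, "reasons": reasons})
    return findings
```

The same comparison applies to HKLM Run keys and to directory listings of the Startup folders; a finding is a starting point for correlation with installation records and later activity, not a verdict on its own.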

References

  1. Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November 12, 2014.
  2. Kaspersky Lab's Global Research and Analysis Team. (2014, November). The Darkhotel APT: A Story of Unusual Hospitality. Retrieved November 12, 2014.
  3. Dunwoody, M. and Carr, N. (2016, September 27). No Easy Breach. DerbyCon 2016. Retrieved October 4, 2016.
  4. CrowdStrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  5. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016.
  6. FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.
  7. Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.
  8. Cylance. (2014, December). Operation Cleaver. Retrieved December 4, 2014.
  9. Vasilenko, R. (2013, December 17). An Analysis of PlugX Malware. Retrieved November 24, 2015.
  10. Blasco, J. (2013, March 21). New Sykipot developments [Blog]. Retrieved November 12, 2014.
  11. FireEye Labs. (2015, April). APT30 and the Mechanics of a Long-Running Cyber Espionage Operation. Retrieved May 1, 2015.
  12. ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
  13. Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
  14. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  15. F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.
  16. Grunzweig, J. (2015, July 14). Unit 42 Technical Analysis: Seaduke. Retrieved August 3, 2016.
  17. Baumgartner, K. and Golovkin, M. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved December 17, 2015.
  18. ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
  19. Shelmire, A. (2015, July 6). Evasive Maneuvers. Retrieved January 22, 2016.
  20. Desai, D. (2015, August 14). Chinese cyber espionage APT group leveraging recently leaked Hacking Team exploits to target a Financial Services Firm. Retrieved January 26, 2016.
  21. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.
  22. Stama, D. (2015, February 6). Backdoor.Mivast. Retrieved February 15, 2016.
  23. Falcone, R., et al. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
  24. Falcone, R. and Miller-Osborn, J. (2016, February 3). Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve? Retrieved February 15, 2016.
  25. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved February 25, 2016.
  26. Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved March 24, 2016.
  27. Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
  28. Manuel, J. and Plantado, R. (2015, August 9). Win32/Kasidet. Retrieved March 24, 2016.
  29. F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
  30. Ray, V. and Hayashi, K. (2016, February 29). New Malware 'Rover' Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016.
  31. Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
  32. Cherepanov, A. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
  33. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.
  34. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  35. Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017.
  36. Adair, S. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
  37. Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda? Retrieved November 18, 2014.
  38. Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
  39. NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
  40. Corio, C. and Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.
  41. Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.
  42. Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.