Registry Run Keys / Start Folder

From enterprise
Jump to: navigation, search
Registry Run Keys / Start Folder
Technique
ID T1060
Tactic Persistence
Platform Windows
Permissions Required User, Administrator
Data Sources Windows Registry, File monitoring
CAPEC ID CAPEC-270

Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.1 The program will be executed under the context of the user and will have the account's associated permissions level.

Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use Masquerading to make the Registry entries look as if they are associated with legitimate programs.

Examples

  • APT29 added Registry Run keys to establish persistence.2
  • APT3 places scripts in the startup folder for persistence. 3
  • BRONZE BUTLER has used a batch script that adds a Registry Run key to establish malware persistence.4
  • Darkhotel has been known to establish persistence by adding programs to the Run Registry key.5
  • FIN10 has established persistence by using the Registry option in PowerShell Empire to add a Run key.67
  • FIN6 has used Registry Run keys to establish persistence for its downloader tools known as HARDTACK and SHIPBREAD.8
  • FIN7 malware has created a Registry Run key pointing to its malicious LNK file to establish persistence.9
  • Lazarus Group malware RomeoAlfa maintains persistence by saving itself in the Start menu folder.10
  • Magic Hound malware has used Registry Run keys to establish persistence.11
  • Patchwork added the path of its second-stage malware to the startup folder to achieve persistence.12
  • A dropper used by Putter Panda installs itself into the ASEP Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run with a value named McUpdate.13
  • ADVSTORESHELL achieves persistence by adding itself to the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Registry key.141516
  • BACKSPACE achieves persistence by creating a shortcut to itself in the CSIDL_STARTUP directory.17
  • BADNEWS installs a registry Run key to establish persistence.18
  • BBSRAT has been loaded through DLL side-loading of a legitimate Citrix executable that is set to persist through the registry run key location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ssonsvr.exe
  • Backdoor.Oldrea adds Registry Run keys to achieve persistence.19
  • The BlackEnergy 3 variant drops its main DLL component and then creates a .lnk shortcut to that file in the startup folder.20
  • CORESHELL has established persistence by creating autostart extensibility point (ASEP) Registry entries in the Run key and other Registry keys, as well as by creating shortcuts in the Internet Explorer Quick Start folder.21
  • ChChes establishes persistence by adding a Registry Run key.22
  • One persistence mechanism used by CozyCar is to set itself to be executed at system startup by adding a Registry value under one of the following Registry keys:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run23
  • DownPaper uses PowerShell to add a Registry Run key in order to establish persistence.24
  • DustySky achieves persistence by creating a Registry entry in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.25
  • If establishing persistence by installation as a new service fails, one variant of Elise establishes persistence for the created .exe file by setting the following Registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost : %APPDATA%\Microsoft\Network\svchost.exe. Other variants have set the following Registry key for persistence: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\imejp : [self]. 26
  • Variants of Emissary have added Run Registry keys to establish persistence.27
  • EvilGrab adds a Registry Run key for ctfmon.exe to establish persistence.22
  • FLASHFLOOD achieves persistence by making an entry in the Registry's Run key.17
  • Gazer can establish persistence by creating a .lnk file in the Start menu. 2829
  • HTTPBrowser has established persistence by setting the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key value for wdm to the path of the executable.30 It has also used the Registry entry HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run vpdn “%ALLUSERPROFILE%\%APPDATA%\vpdn\VPDN_LU.exe” to establish persistence.31
  • Helminth establishes persistence by creating a shortcut in the Start Menu folder.32
  • Hi-Zor creates a Registry Run key to establish persistence.33
  • JHUHUGIT has used a Registry Run key to establish persistence by executing JavaScript code within the rundll32.exe process.34
  • Kasidet creates a Registry Run key to establish persistence.35 36
  • Matroyshka can establish persistence by adding Registry Run keys.3738
  • Mivast creates the following Registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Micromedia.39
  • The "SCOUT" variant of NETEAGLE achieves persistence by adding itself to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Registry key.17
  • POWERSOURCE achieves persistence by setting a Registry Run key, with the path depending on whether the victim account has user or administrator access.40
  • Pisloader establishes persistence via a Registry Run key.41
  • PlugX can add a Run key entry in the Registry to establish persistence.4222
  • PowerDuke achieves persistence by using various Registry Run keys.43
  • Prikormka adds itself to a Registry Run key with the name guidVGA or guidVSA.44
  • Pteranodon copies itself to the Startup folder to establish persistence.45
  • RTM tries to add a Registry Run key under the name "Windows Update" to establish persistence.46
  • Reaver creates a shortcut file and saves it in a Startup folder to establish persistence.47
  • RedLeaves attempts to add a shortcut file in the Startup folder to achieve persistence; if this fails, it attempts to add Registry Run keys.22
  • Rover persists by creating a Registry entry in HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\.48
  • S-Type may create a .lnk file to itself that is saved in the Start menu folder. It may also create the Registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ IMJPMIJ8.1{3 characters of Unique Identifier}.49
  • SHIPSHAPE achieves persistence by creating a shortcut in the Startup folder.17
  • SNUGRIDE establishes persistence through a Registry Run key.50
  • SPACESHIP achieves persistence by creating a shortcut in the current user's Startup folder.17
  • Most Sakula samples maintain persistence by setting the Registry Run key SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ in the HKLM or HKCU hive, with the Registry value and file name varying by sample.51
  • ... further results

Mitigation

Identify and block potentially malicious software that may be executed through run key or startup folder persistence using whitelisting52 tools like AppLocker5354 or Software Restriction Policies55 where appropriate.56

Detection

Monitor Registry for changes to run keys that do not correlate with known software, patch cycles, etc. Monitor the start folder for additions or changes. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the run keys' Registry locations and startup folders.57 Suspicious program execution as startup programs may show up as outlier processes that have not been seen before when compared against historical data.

Changes to these locations typically happen under normal conditions when legitimate software is installed. To increase confidence of malicious activity, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.

References

  1. ^  Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November 12, 2014.
  2. ^  Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016.
  3. ^  Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016.
  4. ^  Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  5. ^  Kaspersky Lab's Global Research and Analysis Team. (2014, November). The Darkhotel APT A Story of Unusual Hospitality. Retrieved November 12, 2014.
  6. ^  FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved June 25, 2017.
  7. ^  Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  8. ^  FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.
  9. ^  Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
  10. ^  Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016.
  11. ^  Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  12. ^  Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.
  13. ^  Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  14. ^  Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
  15. ^  ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  16. ^  Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  17. a b c d e  FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
  18. ^  Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  19. ^  Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
  20. ^  F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
  21. ^  Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015.
  22. a b c d  PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  23. ^  F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.
  24. ^  ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017.
  25. ^  ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
  26. ^  Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
  27. ^  Falcone, R. and Miller-Osborn, J.. (2016, February 3). Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?. Retrieved February 15, 2016.
  28. ^  ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017.
  29. ^  Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.
  1. ^  Shelmire, A.. (2015, July 6). Evasive Maneuvers. Retrieved January 22, 2016.
  2. ^  Desai, D.. (2015, August 14). Chinese cyber espionage APT group leveraging recently leaked Hacking Team exploits to target a Financial Services Firm. Retrieved January 26, 2016.
  3. ^  Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  4. ^  Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved March 24, 2016.
  5. ^  ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
  6. ^  Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
  7. ^  Manuel, J. and Plantado, R.. (2015, August 9). Win32/Kasidet. Retrieved March 24, 2016.
  8. ^  ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  9. ^  Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved September 11, 2017.
  10. ^  Stama, D.. (2015, February 6). Backdoor.Mivast. Retrieved February 15, 2016.
  11. ^  Brumaghin, E. and Grady, C.. (2017, March 2). Covert Channels and Poor Decisions: The Tale of DNSMessenger. Retrieved March 8, 2017.
  12. ^  Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.
  13. ^  Vasilenko, R. (2013, December 17). An Analysis of PlugX Malware. Retrieved November 24, 2015.
  14. ^  Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
  15. ^  Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
  16. ^  Kasza, A. and Reichel, D.. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
  17. ^  Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  18. ^  Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017.
  19. ^  Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016.
  20. ^  Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
  21. ^  FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
  22. ^  Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.
  23. ^  Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.
  24. ^  Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
  25. ^  NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
  26. ^  Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.
  27. ^  Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.
  28. ^  Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.