When adversaries gain initial access to a system, they try to maintain their foothold to achieve persistence on the system.
Run Keys in the Registry and Startup Folder in Users directory are “old but gold” locations that are utilized by attackers for persistence. Adding an entry to the Run Keys, or creating a shortcut in Startup Folder is enough to execute malicious code when a user logs in. Our research has found that Registry Run Keys / Startup Folder is the eighth most prevalent ATT&CK technique used by adversaries in their malware.
Introduction
Adversaries use built-in Windows features to execute their malicious executables to run at system startup or when a user logs in. For example, they schedule execution of their codes with Windows Task Scheduler as explained in our previous blog post, MITRE ATT&CK T1053 Scheduled Task. Other most common methods are utilizing Run Keys in the Registry and Startup Folder, which were included as a technique in the MITRE ATT&CK Framework, T1060 Registry Run Keys / Startup Folder. In the new sub-technique version of MITRE ATT&CK, it became a sub-technique of the T1547 Boot or Logon Autostart Execution, as T1547.001.
In this article, we review:
registry keys used for persistence
startup folders utilized by adversaries
its use cases by threat actors and malware
red and blue team exercises for this technique
Registry Run Keys
Let’s start with important definitions:
Registry: It is a hierarchical database used by Windows to store information, settings and configuration options for the OS, programs and hardware.
Key: A key is a container object similar to folders that may contain subkeys and values.
Value: A value is a name/data pair stored within keys.
Root Key: A root key is a key at the root level of the hierarchical database.
HKEY_LOCAL_MACHINE (HKLM): It is a root key that includes settings for the local computer that applies to all users. HKLM includes four subkeys, SAM, SECURITY, SYSTEM and SOFTWARE. The "HKLM\SOFTWARE" subkey contains settings of software and OS.
HKEY_CURRENT_USER (HKCU): It is a root key that includes preferences and settings that are specific to the currently logged-in user. HKCU is loaded on login of the user, while HKLM is loaded at boot time.
Registry Run Keys: These keys contain settings to auto launch applications on system startup.
Adversaries utilize the following registry keys to load malware on system startup to achieve persistence:
“Run” and “RunOnce” Registry Keys: These keys enable programs to run each time a user logs in [1]. As a recent example, Saigon banking Trojan creates a new entry in the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key to run with every startup for maintaining persistence [2]. The following registry keys are created by default:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
The following key is not created by default, but you can create and use it:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
RunServices” and “RunServicesOnce” Registry Keys: These keys include entries for services running in the background and control automatic startup of services. Attackers add new entries to add their malicious executables as background services.
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
Policies “Run” Registry Keys: Policy settings can be used to specify startup programs:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Winlogon Registry Keys: The following keys control actions that occur when a user logs-in.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit : It usually points to userinit.exe. However, an adversary can alter userinit.exe with the malware executable, or add new entries that points to the malware executable. The malware executable will launch at system startup.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell : This key points just one entry, explorer.exe.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify : This subkey is used to notify event handles when Secure Attention Sequence (SAS) (Ctrl+Alt+Del) happens and loads a DLL. Adversaries alter this DLL to load their malware.
BootExecute Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager: The BootExecute value in this key is launched during boot. Although its default value is “autocheck autochk *”, adversaries can add other commands, scripts or programs to this value.
“Shell Folders” and “User Shell Folders” Registry Keys: These keys are also referred to as “startup keys” since they are used by adversaries to set the location of the startup folder.
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Startup Folder
The Startup Folder in Windows contains applications that run automatically at startup. In default, it can be found in the following locations in Windows 10:
The All Users Startup Folder:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
The Current User Startup Folder:
C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Adversaries add their malicious binaries or shortcuts in these folders to achieve persistence. As a recent example, Mekotio banking Trojan creates a LNK (link/shortcut) file in the startup folder [3].
Red and Blue Team Exercises
Red Teaming - How to simulate?
In this exercise, we explain a real command used by the LokiBot info-stealer malware. Briefly, the below command adds a new autostart entry in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key to run its malicious .vbs file with wscript.exe (Windows Script Host) at system startup as a persistence mechanism.
Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "JKCGJJ" /t REG_SZ /F /D "%WINDIR%\System32\WScript.exe %LOCALAPPDATA%\jkcgjj\jkcgjj.vbs"Analysed LokiBot sample:
MD5: 2df7a83872148d20484b66975d30fee6
SHA-1: de22b923a8a6904daa1792b7936b2a1336637e6f
SHA-256: 781b531a40218128d466d79a1c1b94a233c35af926264141b47efa7e5b8e7b57Blue Teaming - How to detect?
The following Sigma rule can be used to detect creating an entry in registry run keys that includes a Visual Basic Script (.vbs).
title: Persistence via Windows Registry Run Keys with Visual Basic Scripting
status: experimental
description: Detects the addition of a visual basic script to the Windows Registry Run Key. Adversaries may achieve persistence by adding a program to a Registry run key. Adding an entry to the "run keys" in the Registry will cause the program referenced to be executed when a user logs in.
author: Picus Security
references:
- https://attack.mitre.org/tactics/TA0003/
- https://attack.mitre.org/tactics/TA0004/
- https://attack.mitre.org/techniques/T1547/001/
logsource:
product: windows
service: security
detection:
selection:
EventID: 4688
NewProcessName: '*\reg.exe'
ProcessCommandLine|all:
- '*add*'
- '*.vbs*'
selection1:
ProcessCommandLine:
- '*\Software\Microsoft\Windows\CurrentVersion\Run*'
- '*\Software\Microsoft\Windows\CurrentVersion\RunOnce*'
- '*\Software\Microsoft\Windows\CurrentVersion\RunOnceEx*'
- '*\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce*'
- '*\Software\Microsoft\Windows\CurrentVersion\RunServices*'
- '*\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run*'
condition: selection and selection1
falsepositives:
- Unknown
level: high
tags:
- attack.persistence
- attack.ta0003
- attack.privilege_escalation
- attack.ta0004
- attack.t1547.001SOURCE: PICUS