T1060 Registry Run Keys / Startup Folder

When adversaries gain initial access to a system, they try to maintain their foothold to achieve persistence on the system.


Run Keys in the Registry and Startup Folder in Users directory are “old but gold” locations that are utilized by attackers for persistence. Adding an entry to the Run Keys, or creating a shortcut in Startup Folder is enough to execute malicious code when a user logs in. Our research has found that Registry Run Keys / Startup Folder is the eighth most prevalent ATT&CK technique used by adversaries in their malware.


Introduction

Adversaries use built-in Windows features to execute their malicious executables to run at system startup or when a user logs in. For example, they schedule execution of their codes with Windows Task Scheduler as explained in our previous blog post, MITRE ATT&CK T1053 Scheduled Task. Other most common methods are utilizing Run Keys in the Registry and Startup Folder, which were included as a technique in the MITRE ATT&CK Framework, T1060 Registry Run Keys / Startup Folder. In the new sub-technique version of MITRE ATT&CK, it became a sub-technique of the T1547 Boot or Logon Autostart Execution, as T1547.001. 


In this article, we review:

  • registry keys used for persistence

  • startup folders utilized by adversaries

  • its use cases by threat actors and malware

  • red and blue team exercises for this technique


Registry Run Keys

Let’s start with important definitions:

  • Registry: It is a hierarchical database used by Windows to store information, settings and configuration options for the OS, programs and hardware. 

  • Key: A key is a container object similar to folders that may contain subkeys and values. 

  • Value: A value is a name/data pair stored within keys.

  • Root Key: A root key is a key at the root level of the hierarchical database.

  • HKEY_LOCAL_MACHINE (HKLM): It is a  root key that includes settings for the local computer that applies to all users. HKLM includes four subkeys, SAM, SECURITY, SYSTEM and SOFTWARE. The "HKLM\SOFTWARE" subkey contains settings of software and OS.

  • HKEY_CURRENT_USER (HKCU): It is a root key that includes preferences and settings that are specific to the currently logged-in user. HKCU is loaded on login of the user, while HKLM is loaded at boot time.

  • Registry Run Keys: These keys contain settings  to auto launch applications on system startup.


Adversaries utilize the following registry keys to load malware on system startup to achieve persistence:

  • “Run” and “RunOnce” Registry Keys: These keys enable programs to run each time a user logs in [1]. As a recent example, Saigon banking Trojan creates a new entry in the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key to run with every startup for maintaining persistence [2]. The following registry keys are created by default: 

  1. HKCU\Software\Microsoft\Windows\CurrentVersion\Run

  2. HKLM\Software\Microsoft\Windows\CurrentVersion\Run

  3. HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

  4. HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

The following key is not created by default, but you can create and use it:

  1. HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

  • RunServices” and “RunServicesOnce” Registry Keys: These keys include entries for services running in the background and control automatic startup of services. Attackers add new entries to add their malicious executables as background services.

  1. HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

  2. HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

  3. HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

  4. HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

  • Policies “Run” Registry Keys: Policy settings can be used to specify startup programs:

  1. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

  2. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

  • Winlogon Registry Keys: The following keys control actions that occur when a user logs-in.

  1. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit : It usually points to userinit.exe. However, an adversary can alter userinit.exe with the malware executable, or add new entries that points to the malware executable. The malware executable will launch at system startup.

  2. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell :  This key points just one entry, explorer.exe.

  3. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify : This subkey is used to notify event handles when Secure Attention Sequence (SAS) (Ctrl+Alt+Del) happens and loads a DLL. Adversaries alter this DLL to load their malware.

  • BootExecute Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager: The BootExecute value in this key is launched during boot. Although its default value is “autocheck autochk *”, adversaries can add other commands, scripts or programs to this value.

  • “Shell Folders” and “User Shell Folders” Registry Keys: These keys are also referred to as “startup keys” since they are used by adversaries to set the location of the startup folder.

  1. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

  2. HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

  3. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

  4. HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders


Startup Folder

The Startup Folder in Windows contains applications that run automatically at startup. In default, it can be found in the following locations in Windows 10: 

  • The All Users Startup Folder:

  •  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

  • The Current User Startup Folder:

  • C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Adversaries add their malicious binaries or shortcuts in these folders to achieve persistence. As a recent example, Mekotio banking Trojan creates a LNK (link/shortcut) file in the startup folder [3].


Red and Blue Team Exercises


Red Teaming - How to simulate?


In this exercise, we explain a real command used by the LokiBot info-stealer malware. Briefly, the below command adds a new autostart entry in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key to run its malicious .vbs file with wscript.exe (Windows Script Host) at system startup as a persistence mechanism.

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "JKCGJJ" /t REG_SZ /F /D "%WINDIR%\System32\WScript.exe %LOCALAPPDATA%\jkcgjj\jkcgjj.vbs"

Analysed LokiBot sample:

MD5: 2df7a83872148d20484b66975d30fee6
SHA-1: de22b923a8a6904daa1792b7936b2a1336637e6f
SHA-256: 781b531a40218128d466d79a1c1b94a233c35af926264141b47efa7e5b8e7b57

Blue Teaming - How to detect?


The following Sigma rule can be used to detect creating an entry in registry run keys that includes a Visual Basic Script (.vbs).

title: Persistence via Windows Registry Run Keys with Visual Basic Scripting
status: experimental
description: Detects the addition of a visual basic script to the Windows Registry Run Key. Adversaries may achieve persistence by adding a program to a Registry run key. Adding an entry to the "run keys" in the Registry will cause the program referenced to be executed when a user logs in.
author: Picus Security
references:
  - https://attack.mitre.org/tactics/TA0003/
  - https://attack.mitre.org/tactics/TA0004/
  - https://attack.mitre.org/techniques/T1547/001/
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4688
        NewProcessName: '*\reg.exe'
 ProcessCommandLine|all:
          - '*add*'
          - '*.vbs*'
    selection1:
        ProcessCommandLine:
          - '*\Software\Microsoft\Windows\CurrentVersion\Run*'
          - '*\Software\Microsoft\Windows\CurrentVersion\RunOnce*'
          - '*\Software\Microsoft\Windows\CurrentVersion\RunOnceEx*'
          - '*\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce*'
          - '*\Software\Microsoft\Windows\CurrentVersion\RunServices*'
          - '*\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run*'
    condition: selection and selection1
falsepositives:
    - Unknown
level: high
tags:
    - attack.persistence
    - attack.ta0003
    - attack.privilege_escalation
    - attack.ta0004
    - attack.t1547.001



SOURCE: PICUS

Recent Posts

See All

Build simple fuzzer - part 1

First of all, we are learning here and this fuzzer is in no way going to be a proper tool used against real targets (at least not initially). This is why we are going to code it in python. For real to

Build simple fuzzer - part 2

In the previous part of this mini-series we’ve implemented a very simple fuzzer. As the main idea behind it is being an exercise therefore I don’t think it is capable of finding bugs in complex target