In 2019, Picus Labs analyzed 48,813 malware samples to determine the tactics, techniques, and procedures (TTPs) used by adversaries in these malicious files. Picus Labs categorized each observed TTP using the MITRE ATT&CK® framework. In this research, 445,018 TTPs observed in the last year were mapped to ATT&CK to identify the top 10 most common techniques used by attackers. Our research has found that Registry Run Keys / Startup Folder was the eighth most prevalent ATT&CK technique used by adversaries in their malware.
When adversaries gain initial access to a system, they try to maintain their foothold to achieve persistence on the system. Run Keys in the Registry and the Startup Folder in the Users directory are “old but gold” locations that attackers use for persistence. Adding an entry to the Run Keys, or creating a shortcut in the Startup Folder, is enough to execute malicious code when a user logs in. Our research has found that Registry Run Keys / Startup Folder is the eighth most prevalent ATT&CK technique used by adversaries in their malware.
Adversaries use built-in Windows features to make their malicious executables run at system startup or when a user logs in. For example, they schedule execution of their code with the Windows Task Scheduler, as explained in our previous blog post, MITRE ATT&CK T1053 Scheduled Task. Other common methods use the Run Keys in the Registry and the Startup Folder, which were included as a technique in the MITRE ATT&CK Framework, T1060 Registry Run Keys / Startup Folder. In the new sub-technique version of MITRE ATT&CK, it became a sub-technique of T1547 Boot or Logon Autostart Execution, as
In this article, we review:
- registry keys used for persistence
- startup folders utilized by adversaries
- use cases of this technique by threat actors and malware
- red and blue team exercises for this technique
Registry Run Keys
Let’s start with important definitions:
- Registry: A hierarchical database used by Windows to store information, settings and configuration options for the OS, programs and hardware.
- Key: A container object, similar to a folder, that may contain subkeys and values.
- Value: A name/data pair stored within a key.
- Root Key: A key at the root level of the hierarchical database.
- HKEY_LOCAL_MACHINE (HKLM): A root key that includes settings for the local computer that apply to all users. HKLM includes four subkeys: SAM, SECURITY, SYSTEM and SOFTWARE. The "HKLM\SOFTWARE" subkey contains settings of software and the OS.
- HKEY_CURRENT_USER (HKCU): A root key that includes preferences and settings specific to the currently logged-in user. HKCU is loaded when the user logs in, while HKLM is loaded at boot time.
- Registry Run Keys: These keys contain settings to auto-launch applications on system startup.
Adversaries utilize the following registry keys to load malware on system startup to achieve persistence:
- “Run” and “RunOnce” Registry Keys:
These keys make programs run each time a user logs in. As a recent example, the Saigon banking Trojan creates a new entry in the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key to run at every startup and maintain persistence.
The following registry keys are created by default:
The following key is not created by default, but you can create and use it:
- “RunServices” and “RunServicesOnce” Registry Keys:
These keys include entries for services running in the background and control the automatic startup of services. Attackers add new entries to register their malicious executables as background services.
- Policies “Run” Registry Keys:
Policy settings can be used to specify startup programs:
- Winlogon Registry Keys:
The following keys control actions that occur when a user logs in.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: This value usually points to userinit.exe. However, an adversary can replace userinit.exe with the malware executable, or add new entries that point to the malware executable; the malware executable then launches at system startup.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: This value normally holds just one entry, explorer.exe.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify: This subkey is used to notify event handlers when the Secure Attention Sequence (SAS) (Ctrl+Alt+Del) occurs, and it loads a DLL. Adversaries alter this DLL to load their malware.
- BootExecute Registry Key:
The BootExecute value in this key is launched during boot. Although its default value is “autocheck autochk *”, adversaries can add other commands, scripts or programs to this value.
- “Shell Folders” and “User Shell Folders” Registry Keys:
These keys are also referred to as “startup keys”, since adversaries use them to change the location of the startup folder.
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
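As an added example that is not part of the original post, the following Python script checks the Winlogon Userinit/Shell, BootExecute and User Shell Folders Startup values listed above against their stock defaults and reports any entry an attacker appended or removed. The expected defaults and the sample snapshot are assumptions; on a real host the snapshot would be filled from the registry instead of the constructed dict.

```python
# Added example (not Picus code): compare the Winlogon, BootExecute and
# "User Shell Folders" autostart values against their stock defaults and
# report extra or missing entries. SAMPLE_SNAPSHOT is constructed data
# standing in for values read from a live registry.
WINLOGON = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
SESSION_MGR = r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"
USER_SHELL = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"

# Stock contents, lower-cased because registry data is compared case-insensitively.
EXPECTED = {
    WINLOGON + r"\Userinit": {r"c:\windows\system32\userinit.exe"},
    WINLOGON + r"\Shell": {"explorer.exe"},
    SESSION_MGR + r"\BootExecute": {"autocheck autochk *"},
    USER_SHELL + r"\Startup": {r"%userprofile%\appdata\roaming\microsoft\windows\start menu\programs\startup"},
}

def _entries(raw):
    """Split value data into a set of entries: REG_MULTI_SZ arrives as a
    list; Userinit and Shell are comma-separated REG_SZ strings (Userinit
    ends with a trailing comma, which yields an empty piece that is dropped)."""
    parts = raw if isinstance(raw, list) else raw.split(",")
    return {p.strip().lower() for p in parts if p.strip()}

def audit_autostart(snapshot):
    """Return [(value_path, extra_entries, missing_entries)] for every
    expected value present in the snapshot whose contents deviate from the default."""
    findings = []
    for path, expected in EXPECTED.items():
        raw = snapshot.get(path)
        if raw is None:
            continue  # value not captured; nothing to compare
        actual = _entries(raw)
        extra, missing = actual - expected, expected - actual
        if extra or missing:
            findings.append((path, sorted(extra), sorted(missing)))
    return findings

# Constructed snapshot: Userinit and BootExecute each carry one appended
# program; Shell and the Startup folder location are untouched.
SAMPLE_SNAPSHOT = {
    WINLOGON + r"\Userinit": r"C:\Windows\system32\userinit.exe,C:\Users\Public\svc.exe,",
    WINLOGON + r"\Shell": "explorer.exe",
    SESSION_MGR + r"\BootExecute": ["autocheck autochk *", r"C:\ProgramData\upd.exe"],
    USER_SHELL + r"\Startup": r"%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
}

if __name__ == "__main__":
    for path, extra, missing in audit_autostart(SAMPLE_SNAPSHOT):
        print(f"{path}\n  extra: {extra}\n  missing: {missing}")
```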
The Startup Folder in Windows contains applications that run automatically at startup. By default, it can be found in the following locations in Windows 10:
- The All Users Startup Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
- The Current User Startup Folder: C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Adversaries add their malicious binaries or shortcuts to these folders to achieve persistence. As a recent example, the Mekotio banking Trojan creates a LNK (link/shortcut) file in the startup folder.
Red and Blue Team Exercises
Red Teaming - How to simulate?
In this exercise, we explain a real command used by the LokiBot info-stealer malware. Briefly, the command below adds a new autostart entry to the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key so that its malicious .vbs file runs with wscript.exe (Windows Script Host) at system startup as a persistence mechanism.
Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "JKCGJJ" /t REG_SZ /F /D "%WINDIR%\System32\WScript.exe %LOCALAPPDATA%\jkcgjj\jkcgjj.vbs"
Analysed LokiBot sample:
Blue Teaming - How to detect?
The following Sigma rule can be used to detect the creation of an entry in the registry run keys that includes a Visual Basic Script (.vbs).
title: Persistence via Windows Registry Run Keys with Visual Basic Scripting
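As an added example (not the Sigma rule from the original post), the same detection logic written in Python and run over constructed Sysmon-style records; it also covers the Startup Folder LNK drop described earlier in the Mekotio case. The Sysmon event IDs, field names, sample SID and sample paths are assumptions standing in for a real log feed.

```python
import re

# Added example (not Picus's Sigma rule): run-key and startup-folder
# detection over Sysmon-style records. Event ID 13 (registry value set)
# carries TargetObject/Details; Event ID 11 (file create) carries
# TargetFilename. Sysmon logs HKCU as HKU\<SID>\..., so match on the key tail.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce|RunServices|RunServicesOnce)\\[^\\]+$", re.I)
STARTUP_DIR_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+$", re.I)
SCRIPT_HOST_RE = re.compile(r"\.vbs\b|\b(wscript|cscript)\.exe\b", re.I)

def classify(event):
    """Return the matching rule name, or None when the record is not of interest."""
    if event.get("EventID") == 13:
        target, details = event.get("TargetObject", ""), event.get("Details", "")
        if RUN_KEY_RE.search(target):
            # The Sigma rule's case: a run-key entry launching a .vbs via Windows
            # Script Host. Any other run-key write is kept as a lower-priority hit.
            return "run_key_vbs" if SCRIPT_HOST_RE.search(details) else "run_key_set"
    elif event.get("EventID") == 11:
        if STARTUP_DIR_RE.search(event.get("TargetFilename", "")):
            return "startup_folder_drop"
    return None

def detect(events):
    """Return [(rule, target)] for every record that matches a rule."""
    hits = []
    for e in events:
        rule = classify(e)
        if rule:
            hits.append((rule, e.get("TargetObject") or e.get("TargetFilename")))
    return hits

# Constructed records: the LokiBot-style run-key write, a benign run-key
# write, a Mekotio-style LNK drop and an unrelated registry write.
SAMPLE_EVENTS = [
    {"EventID": 13, "Details": r"C:\Windows\System32\WScript.exe C:\Users\alice\AppData\Local\jkcgjj\jkcgjj.vbs",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\JKCGJJ"},
    {"EventID": 13, "Details": r"C:\Windows\system32\SecurityHealthSystray.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth"},
    {"EventID": 11,
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"EventID": 13, "Details": "Example App",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Example\DisplayName"},
]

if __name__ == "__main__":
    for rule, target in detect(SAMPLE_EVENTS):
        print(f"{rule:20} {target}")
```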
mcleanbyron, “Run and RunOnce Registry Keys.” [Online]. Available: https://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys. [Accessed: 25-Aug-2020]
“Saigon Banking Trojan - Insane Technologies,” 04-Aug-2020. [Online]. Available: https://www.insane.net.au/articles/case-study/saigon-banking-trojan/. [Accessed: 25-Aug-2020]
“Mekotio: These aren’t the security updates you’re looking for…,” 13-Aug-2020. [Online]. Available: https://www.welivesecurity.com/2020/08/13/mekotio-these-arent-the-security-updates-youre-looking-for/. [Accessed: 26-Aug-2020]