MITRE ATT&CK T1060 Registry Run Keys / Startup Folder

In 2019, Picus Labs analyzed 48813 malware to determine tactics, techniques, and procedures (TTPs) used by adversaries in these malicious files. Picus Labs categorized each observed TTP by utilizing the MITRE ATT&CK® framework. As a result of the present research, 445018 TTPs observed in the last year were mapped to ATT&CK to identify the top 10 most common techniques used by attackers. Our research has found that Registry Run Keys / Startup Folder was the eighth most prevalent ATT&CK technique used by adversaries in their malware. 

When adversaries gain initial access to a system, they try to maintain their foothold to achieve persistence on the system.

Run Keys in the Registry and Startup Folder in Users directory are “old but gold” locations that are utilized by attackers for persistence. Adding an entry to the Run Keys, or creating a shortcut in Startup Folder is enough to execute malicious code when a user logs in. Our research has found that Registry Run Keys / Startup Folder is the eighth most prevalent ATT&CK technique used by adversaries in their malware.

Introduction

Adversaries use built-in Windows features to execute their malicious executables to run at system startup or when a user logs in. For example, they schedule execution of their codes with Windows Task Scheduler as explained in our previous blog post, MITRE ATT&CK T1053 Scheduled Task. Other most common methods are utilizing Run Keys in the Registry and Startup Folder, which were included as a technique in the MITRE ATT&CK Framework, T1060 Registry Run Keys / Startup Folder. In the new sub-technique version of MITRE ATT&CK, it became a sub-technique of the T1547 Boot or Logon Autostart Execution, as T1547.001. 

In this article, we review:

• registry keys used for persistence

• startup folders utilized by adversaries

• its use cases by threat actors and malware

• red and blue team exercises for this technique

Download the Red Report - Top Ten MITRE ATT&CK Techniques

Registry Run Keys

Let’s start with important definitions:

• Registry: It is a hierarchical database used by Windows to store information, settings and configuration options for the OS, programs and hardware. 

• Key: A key is a container object similar to folders that may contain subkeys and values. 

• Value: A value is a name/data pair stored within keys.

• Root Key: A root key is a key at the root level of the hierarchical database.

• HKEY_LOCAL_MACHINE (HKLM): It is a root key that includes settings for the local computer that applies to all users. HKLM includes four subkeys, SAM, SECURITY, SYSTEM and SOFTWARE. The "HKLM\SOFTWARE" subkey contains settings of software and OS.

• HKEY_CURRENT_USER (HKCU): It is a root key that includes preferences and settings that are specific to the currently logged-in user. HKCU is loaded on login of the user, while HKLM is loaded at boot time.

• Registry Run Keys: These keys contain settings to auto-launch applications on system startup.

Adversaries utilize the following registry keys to load malware on system startup to achieve persistence:

1. “Run” and “RunOnce” Registry Keys:

   These keys enable programs to run each time a user logs in [1]. As a recent example, Saigon banking Trojan creates a new entry in the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key to run with every startup for maintaining persistence [2].

   The following registry keys are created by default: 

   • HKCU\Software\Microsoft\Windows\CurrentVersion\Run

   • HKLM\Software\Microsoft\Windows\CurrentVersion\Run

   • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

   • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

   The following key is not created by default, but you can create and use it:

   • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

2. RunServices” and “RunServicesOnce” Registry Keys:

   These keys include entries for services running in the background and control automatic startup of services. Attackers add new entries to add their malicious executables as background services.

   • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

   • HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

   • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

   • HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

3. Policies “Run” Registry Keys:

   Policy settings can be used to specify startup programs:

   • HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

   • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

4. Winlogon Registry Keys:

   The following keys control actions that occur when a user logs-in.

   • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit : It usually points to userinit.exe. However, an adversary can alter userinit.exe with the malware executable, or add new entries that points to the malware executable. The malware executable will launch at system startup.

   • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell :  This key points just one entry, explorer.exe.

   • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify : This subkey is used to notify event handles when Secure Attention Sequence (SAS) (Ctrl+Alt+Del) happens and loads a DLL. Adversaries alter this DLL to load their malware.

5. BootExecute Registry Key:

   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager: The BootExecute value in this key is launched during boot. Although its default value is “autocheck autochk *”, adversaries can add other commands, scripts or programs to this value.

6. “Shell Folders” and “User Shell Folders” Registry Keys:

   These keys are also referred to as “startup keys” since they are used by adversaries to set the location of the startup folder.

   • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

   • HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

   • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

   • HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Startup Folder

The Startup Folder in Windows contains applications that run automatically at startup. In default, it can be found in the following locations in Windows 10: 

• The All Users Startup Folder:
•  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
• The Current User Startup Folder:
• C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Adversaries add their malicious binaries or shortcuts in these folders to achieve persistence. As a recent example, Mekotio banking Trojan creates a LNK (link/shortcut) file in the startup folder [3].

Start your 14-day Free Trial: Simulate MITRE ATT&CK Techniques in minutes

Red and Blue Team Exercises

Red Teaming - How to simulate?

In this exercise, we explain a real command used by the LokiBot info-stealer malware. Briefly, the below command adds a new autostart entry in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key to run its malicious .vbs file with wscript.exe (Windows Script Host) at system startup as a persistence mechanism.

Analysed LokiBot sample:

Blue Teaming - How to detect?

The following Sigma rule can be used to detect creating an entry in registry run keys that includes a Visual Basic Script (.vbs).

References

[1] mcleanbyron, “Run and RunOnce Registry Keys.” [Online]. Available: https://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys. [Accessed: 25-Aug-2020]

[2] “Saigon Banking Trojan - Insane Technologies,” 04-Aug-2020. [Online]. Available: https://www.insane.net.au/articles/case-study/saigon-banking-trojan/. [Accessed: 25-Aug-2020]

[3] “Mekotio: These aren’t the security updates you’re looking for…,” 13-Aug-2020. [Online]. Available: https://www.welivesecurity.com/2020/08/13/mekotio-these-arent-the-security-updates-youre-looking-for/. [Accessed: 26-Aug-2020]