Registry Run Keys / Startup Folder

Information

• Name: Registry Run Keys / Startup Folder

• ID: T1547.001

• Tactics: TA0003, TA0004

• Technique: T1547

Introduction

Registry Run Keys and Startup Folder (T1547.001) is a sub-technique within the MITRE ATT&CK framework categorized under "Boot or Logon Autostart Execution." Adversaries leverage this sub-technique to establish persistence by configuring malicious programs or scripts to execute automatically during system startup or user logon. This persistence ensures that attackers maintain access even after system reboots or user logoffs, allowing them to continue their operations indefinitely.

Deep Dive Into Technique

Adversaries commonly exploit Registry Run Keys and Startup Folder locations to ensure malicious executables, scripts, or commands execute automatically upon system boot or user login. These locations include:

• Registry Run Keys:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (for 32-bit applications on 64-bit systems)

• Startup Folders:

  • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup

  • %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup

Attackers typically perform the following steps:

1. Gain initial access to the target system using methods such as phishing, exploitation, or credential theft.

2. Deploy a malicious payload (e.g., malware, backdoor, script) onto the target system.

3. Modify registry entries or drop malicious shortcuts/scripts into the startup folders.

4. Ensure the payload executes automatically upon user login or system reboot, maintaining persistent access.

Attackers frequently use scripting languages (PowerShell, VBScript, batch scripts) or compiled binaries to execute malicious commands or payloads. They may also employ obfuscation techniques to evade detection, making it challenging for defenders to identify and remediate the threat.

When this Technique is Usually Used

This technique is commonly used by adversaries during the following attack scenarios and stages:

• Persistence Stage: Ensuring continuous access to compromised systems after initial compromise or exploitation.

• Privilege Escalation: Leveraging startup execution to execute malicious payloads with elevated privileges if registry entries or startup folders are writable by privileged accounts.

• Lateral Movement: Maintaining footholds on multiple compromised endpoints across a network.

• Advanced Persistent Threat (APT) Campaigns: Establishing long-term, stealthy persistence for espionage, data exfiltration, and monitoring activities.

• Ransomware Attacks: Ensuring ransomware payloads execute automatically upon startup or login, maximizing the impact and likelihood of ransom payment.

How this Technique is Usually Detected

Detection of malicious modifications to registry run keys and startup folders can be achieved through various methods, tools, and indicators of compromise (IoCs):

• Endpoint Detection and Response (EDR) solutions: Monitoring registry modifications, startup folder changes, and suspicious processes.

• Security Information and Event Management (SIEM): Correlating logs from endpoints, registries, and file systems to detect anomalous changes.

• Registry Auditing: Enabling Windows registry auditing to detect unauthorized changes to run keys.

• File Integrity Monitoring (FIM): Monitoring startup folders and registry hives for unauthorized additions, deletions, or modifications.

• Threat Hunting Techniques: Proactively searching for suspicious registry entries, startup scripts, or unusual processes that execute during system startup.

• Behavioral Analysis: Detecting anomalous behavior patterns such as unusual scripts executing at login, unexpected process execution, or unknown binaries running from startup locations.

Indicators of Compromise (IoCs) include:

• Unexpected registry keys or values in Run/RunOnce locations.

• Unrecognized scripts or executables in startup folders.

• Suspicious process execution from registry-defined autorun locations.

• Presence of obfuscated or encoded scripts in startup folders or registry keys.

• Unusual persistence mechanisms discovered by EDR or threat hunting activities.

Why it is Important to Detect This Technique

Early detection of Registry Run Keys and Startup Folder modifications is crucial due to the following impacts and risks:

• Long-term Persistence: Attackers maintain continuous access, enabling extended reconnaissance, data exfiltration, and lateral movement across networks.

• Privilege Escalation Risks: Malicious scripts or executables executed at startup may run with elevated privileges, increasing potential damage.

• Stealth and Evasion: Attackers frequently use obfuscation and hidden persistence methods, complicating detection and remediation efforts.

• System Stability and Integrity: Unauthorized modifications to registry keys or startup folders can lead to system instability, crashes, or degraded performance.

• Data Loss and Breaches: Persistent access facilitates data theft, intellectual property exfiltration, and exposure of sensitive information.

• Ransomware Impact: Automatic execution of ransomware payloads upon startup could lead to rapid encryption of critical data, causing severe operational disruptions.

Early detection and remediation of this technique significantly reduce the potential damage, limit attacker dwell time, and minimize the risk of widespread compromise.

Examples

Real-world examples of adversaries utilizing Registry Run Keys and Startup Folder persistence include:

• APT41 (Winnti Group):

  • Attack Scenario: APT41 leverages registry run keys to persistently execute backdoor payloads on compromised systems.

  • Tools Used: Custom malware, backdoors, and scripts configured to execute from registry run keys.

  • Impact: Persistent espionage, data theft, and lateral movement across targeted networks.

• TrickBot Malware:

  • Attack Scenario: TrickBot banking trojan and modular malware use registry run keys extensively for persistence and continued execution after reboots.

  • Tools Used: Malicious executables, PowerShell scripts, and registry modifications.

  • Impact: Credential harvesting, financial fraud, lateral movement, and deployment of additional malware payloads (e.g., Ryuk ransomware).

• Emotet Malware:

  • Attack Scenario: Emotet malware places malicious payloads in the startup folder or registry run keys to maintain persistent access and execute upon startup.

  • Tools Used: Malicious scripts, executables, and registry modifications.

  • Impact: Data exfiltration, credential theft, lateral movement, and delivery of secondary malware payloads.

• FIN7 Threat Actor:

  • Attack Scenario: FIN7 leverages registry run keys to ensure malicious payloads execute persistently across reboots, facilitating long-term compromise and data theft.

  • Tools Used: Customized payloads, PowerShell scripts, and registry modifications.

  • Impact: Financial fraud, theft of sensitive data, and lateral movement within victim environments.

These examples emphasize the widespread use and effectiveness of Registry Run Keys and Startup Folder persistence across various threat actors, attack scenarios, and malware families.