Description
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.
The following run keys are created by default on Windows systems:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
Run keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency.(Citation: Microsoft Run Key) For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll" (Citation: Oddvar Moe RunOnceEx Mar 2018)
Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\Users\\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. The startup folder path for all users is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp.
The following Registry keys can be used to set startup folder items for persistence:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
The following Registry keys can control automatic startup of services during boot:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
Using policy settings to specify startup programs creates corresponding values in either of two Registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Programs listed in the load value of the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows run automatically for the currently logged-on user.
By default, the multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.
Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use Masquerading to make the Registry entries look as if they are associated with legitimate programs.
Platforms
Threat Groups (56)
| ID | Group | Context |
|---|---|---|
| G0073 | APT19 | An [APT19](https://attack.mitre.org/groups/G0073) HTTP malware variant establishes persistence by setting the Registry key <code>HKCU\Software\Microso... |
| G0067 | APT37 | [APT37](https://attack.mitre.org/groups/G0067)'s has added persistence via the Registry key <code>HKCU\Software\Microsoft\CurrentVersion\Run\</code>.(... |
| G0087 | APT39 | [APT39](https://attack.mitre.org/groups/G0087) has maintained persistence using the startup folder.(Citation: FireEye APT39 Jan 2019) |
| G1018 | TA2541 | [TA2541](https://attack.mitre.org/groups/G1018) has placed VBS files in the Startup folder and used Registry run keys to establish persistence for mal... |
| G0048 | RTM | [RTM](https://attack.mitre.org/groups/G0048) has used Registry run keys to establish persistence for the [RTM](https://attack.mitre.org/software/S0148... |
| G0059 | Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) malware has used Registry Run keys to establish persistence.(Citation: Unit 42 Magic Hound Feb 20... |
| G1046 | Storm-1811 | [Storm-1811](https://attack.mitre.org/groups/G1046) has created Windows Registry Run keys that execute various batch scripts to establish persistence ... |
| G0100 | Inception | [Inception](https://attack.mitre.org/groups/G0100) has maintained persistence by modifying Registry run key value <code>HKEY_CURRENT_USER\Software\M... |
| G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) has deployed malware that has copied itself to the startup directory for persistence.(Citation: TrendMi... |
| G0139 | TeamTNT | [TeamTNT](https://attack.mitre.org/groups/G0139) has added batch scripts to the startup folder.(Citation: ATT TeamTNT Chimaera September 2020) |
| G0065 | Leviathan | [Leviathan](https://attack.mitre.org/groups/G0065) has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoo... |
| G0019 | Naikon | [Naikon](https://attack.mitre.org/groups/G0019) has modified a victim's Windows Run registry to establish persistence.(Citation: Bitdefender Naikon Ap... |
| G0091 | Silence | [Silence](https://attack.mitre.org/groups/G0091) has used <code>HKCU\Software\Microsoft\Windows\CurrentVersion\Run</code>, <code>HKLM\Software\Microso... |
| G0078 | Gorgon Group | [Gorgon Group](https://attack.mitre.org/groups/G0078) malware can create a .lnk file and add a Registry Run key to establish persistence.(Citation: Un... |
| G0016 | APT29 | [APT29](https://attack.mitre.org/groups/G0016) added Registry Run keys to establish persistence.(Citation: Mandiant No Easy Breach) |
| G0128 | ZIRCONIUM | [ZIRCONIUM](https://attack.mitre.org/groups/G0128) has created a Registry Run key named <code>Dropbox Update Setup</code> to establish persistence for... |
| G0040 | Patchwork | [Patchwork](https://attack.mitre.org/groups/G0040) has added the path of its second-stage malware to the startup folder to achieve persistence. One of... |
| G0037 | FIN6 | [FIN6](https://attack.mitre.org/groups/G0037) has used Registry Run keys to establish persistence for its downloader tools known as HARDTACK and SHIPB... |
| G0010 | Turla | A [Turla](https://attack.mitre.org/groups/G0010) Javascript backdoor added a local_update_check value under the Registry key <code>HKLM\SOFTWARE\Micro... |
| G0024 | Putter Panda | A dropper used by [Putter Panda](https://attack.mitre.org/groups/G0024) installs itself into the ASEP Registry key <code>HKCU\Software\Microsoft\Windo... |
Associated Software (201)
| ID | Name | Type | Context |
|---|---|---|---|
| S0082 | Emissary | Malware | Variants of [Emissary](https://attack.mitre.org/software/S0082) have added Run Registry keys to establish persistence.(Citation: Emissary Trojan Feb 2... |
| S0124 | Pisloader | Malware | [Pisloader](https://attack.mitre.org/software/S0124) establishes persistence via a Registry Run key.(Citation: Palo Alto DNS Requests) |
| S0396 | EvilBunny | Malware | [EvilBunny](https://attack.mitre.org/software/S0396) has created Registry keys for persistence in <code>[HKLM|HKCU]\…\CurrentVersion\Run</code>.(Citat... |
| S0198 | NETWIRE | Malware | [NETWIRE](https://attack.mitre.org/software/S0198) creates a Registry start-up entry to establish persistence.(Citation: McAfee Netwire Mar 2015)(Cita... |
| S0386 | Ursnif | Malware | [Ursnif](https://attack.mitre.org/software/S0386) has used Registry Run keys to establish automatic execution at system startup.(Citation: TrendMicro ... |
| S0093 | Backdoor.Oldrea | Malware | [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) adds Registry Run keys to achieve persistence.(Citation: Symantec Dragonfly)(Citation: Giga... |
| S0028 | SHIPSHAPE | Malware | [SHIPSHAPE](https://attack.mitre.org/software/S0028) achieves persistence by creating a shortcut in the Startup folder.(Citation: FireEye APT30) |
| S1044 | FunnyDream | Malware | [FunnyDream](https://attack.mitre.org/software/S1044) can use a Registry Run Key and the Startup folder to establish persistence.(Citation: Bitdefende... |
| S0331 | Agent Tesla | Malware | [Agent Tesla](https://attack.mitre.org/software/S0331) can add itself to the Registry as a startup program to establish persistence.(Citation: Fortine... |
| S1029 | AuTo Stealer | Malware | [AuTo Stealer](https://attack.mitre.org/software/S1029) can place malicious executables in a victim's AutoRun registry key or StartUp directory, depen... |
| S0090 | Rover | Malware | [Rover](https://attack.mitre.org/software/S0090) persists by creating a Registry entry in <code>HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVe... |
| S0182 | FinFisher | Malware | [FinFisher](https://attack.mitre.org/software/S0182) establishes persistence by creating the Registry key <code>HKCU\Software\Microsoft\Windows\Run</c... |
| S0670 | WarzoneRAT | Malware | [WarzoneRAT](https://attack.mitre.org/software/S0670) can add itself to the `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and `HKCU\Software\Mi... |
| S0449 | Maze | Malware | [Maze](https://attack.mitre.org/software/S0449) has created a file named "startup_vrun.bat" in the Startup folder of a virtual machine to establish pe... |
| S0355 | Final1stspy | Malware | [Final1stspy](https://attack.mitre.org/software/S0355) creates a Registry Run key to establish persistence.(Citation: Unit 42 Nokki Oct 2018) |
| S0337 | BadPatch | Malware | [BadPatch](https://attack.mitre.org/software/S0337) establishes a foothold by adding a link to the malware executable in the startup folder.(Citation:... |
| S1199 | LockBit 2.0 | Malware | [LockBit 2.0](https://attack.mitre.org/software/S1199) can use a Registry Run key to establish persistence at startup.(Citation: FBI Lockbit 2.0 FEB 2... |
| S0332 | Remcos | Tool | [Remcos](https://attack.mitre.org/software/S0332) can add itself to the Registry key <code>HKCU\Software\Microsoft\Windows\CurrentVersion\Run</code> f... |
| S0265 | Kazuar | Malware | [Kazuar](https://attack.mitre.org/software/S0265) adds a sub-key under several Registry run keys.(Citation: Unit 42 Kazuar May 2017) |
| S0568 | EVILNUM | Malware | [EVILNUM](https://attack.mitre.org/software/S0568) can achieve persistence through the Registry Run key.(Citation: ESET EvilNum July 2020)(Citation: P... |
References
- Arntz, P. (2016, March 30). Hiding in Plain Sight. Retrieved August 3, 2020.
- Microsoft. (2018, May 31). 32-bit and 64-bit Application Data in the Registry. Retrieved August 3, 2020.
- Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September 12, 2024.
- Moe, O. (2018, March 21). Persistence using RunOnceEx - Hidden from Autoruns.exe. Retrieved June 29, 2018.
- Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.
Frequently Asked Questions
What is T1547.001 (Registry Run Keys / Startup Folder)?
T1547.001 is a MITRE ATT&CK technique named 'Registry Run Keys / Startup Folder'. It belongs to the Persistence, Privilege Escalation tactic(s). Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause th...
How can T1547.001 be detected?
Detection of T1547.001 (Registry Run Keys / Startup Folder) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1547.001?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1547.001?
Known threat groups using T1547.001 include: APT19, APT37, APT39, TA2541, RTM, Magic Hound, Storm-1811, Inception.