In 2019, Picus Labs analyzed 48813 malware to determine tactics, techniques, and procedures (TTPs) used by adversaries in these malicious files. Picus Labs categorized each observed TTP by utilizing the MITRE ATT&CK® framework. As a result of the present research, 445018 TTPs observed in the last year were mapped to ATT&CK to identify the top 10 most common techniques used by attackers. Our research has found that Registry Run Keys / Startup Folder was the eighth most prevalent ATT&CK technique used by adversaries in their malware.
When adversaries gain initial access
to a system, they try to maintain their foothold to achieve persistence
on the system.
Run Keys
in the Registry and Startup Folder
in Users directory are “old but gold” locations that are utilized by attackers for persistence. Adding an entry to the Run Keys
, or creating a shortcut in Startup Folder
is enough to execute malicious code when a user logs in. Our research has found that Registry Run Keys / Startup Folder
is the eighth most prevalent ATT&CK technique
used by adversaries in their malware.
Introduction
Adversaries use built-in Windows features to execute their malicious executables to run at system startup or when a user logs in. For example, they schedule execution of their codes with Windows Task Scheduler as explained in our previous blog post, MITRE ATT&CK T1053 Scheduled Task. Other most common methods are utilizing Run Keys
in the Registry
and Startup Folder
, which were included as a technique in the MITRE ATT&CK Framework, T1060 Registry Run Keys / Startup Folder
. In the new sub-technique version of MITRE ATT&CK, it became a sub-technique of the T1547 Boot or Logon Autostart Execution
, as T1547.001
.
In this article, we review:
- registry keys used for persistence
- startup folders utilized by adversaries
- its use cases by threat actors and malware
- red and blue team exercises for this technique
Registry Run Keys
Let’s start with important definitions:
- Registry: It is a hierarchical database used by Windows to store information, settings and configuration options for the OS, programs and hardware.
- Key: A key is a container object similar to folders that may contain subkeys and values.
- Value: A value is a name/data pair stored within keys.
- Root Key: A root key is a key at the root level of the hierarchical database.
- HKEY_LOCAL_MACHINE (HKLM): It is a
root key
that includes settings for the local computer that applies to all users.HKLM
includes four subkeys, SAM, SECURITY, SYSTEM and SOFTWARE. The "HKLM\SOFTWARE" subkey contains settings of software and OS. - HKEY_CURRENT_USER (HKCU): It is a
root key
that includes preferences and settings that are specific to the currently logged-in user.HKCU
is loaded on login of the user, whileHKLM
is loaded at boot time. - Registry Run Keys: These keys contain settings to auto launch applications on system startup.
Adversaries utilize the following registry keys to load malware on system startup to achieve persistence:
- “Run” and “RunOnce” Registry Keys:
These keys enable programs to run each time a user logs in [1]. As a recent example, Saigon banking Trojan creates a new entry in the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key to run with every startup for maintaining persistence [2].
The following registry keys are created by default:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
The following key is not created by default, but you can create and use it:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
- RunServices” and “RunServicesOnce” Registry Keys:
These keys include entries for services running in the background and control automatic startup of services. Attackers add new entries to add their malicious executables as background services.
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
- Policies “Run” Registry Keys:
Policy settings can be used to specify startup programs:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- Winlogon Registry Keys:
The following keys control actions that occur when a user logs-in.HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
: It usually points to userinit.exe. However, an adversary can alter userinit.exe with the malware executable, or add new entries that points to the malware executable. The malware executable will launch at system startup.HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
: This key points just one entry, explorer.exe.HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
: This subkey is used to notify event handles when Secure Attention Sequence (SAS) (Ctrl+Alt+Del) happens and loads a DLL. Adversaries alter this DLL to load their malware.
- BootExecute Registry Key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager:
TheBootExecute
value in this key is launched during boot. Although its default value is “autocheck autochk *”, adversaries can add other commands, scripts or programs to this value. - “Shell Folders” and “User Shell Folders” Registry Keys:
These keys are also referred to as “startup keys” since they are used by adversaries to set the location of the startup folder.
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Startup Folder
The Startup Folder in Windows contains applications that run automatically at startup. In default, it can be found in the following locations in Windows 10:
- The All Users Startup Folder:
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
- The Current User Startup Folder:
- C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Adversaries add their malicious binaries or shortcuts in these folders to achieve persistence. As a recent example, Mekotio banking Trojan creates a LNK (link/shortcut) file in the startup folder [3].
Red and Blue Team Exercises
Red Teaming - How to simulate?
In this exercise, we explain a real command used by the LokiBot info-stealer malware. Briefly, the below command adds a new autostart entry in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key to run its malicious .vbs file with wscript.exe (Windows Script Host) at system startup as a persistence mechanism.
Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "JKCGJJ" /t REG_SZ /F /D "%WINDIR%\System32\WScript.exe %LOCALAPPDATA%\jkcgjj\jkcgjj.vbs" |
Analysed LokiBot sample:
MD5: 2df7a83872148d20484b66975d30fee6 |
Blue Teaming - How to detect?
The following Sigma
rule can be used to detect creating an entry in registry run keys that includes a Visual Basic Script (.vbs).
title: Persistence via Windows Registry Run Keys with Visual Basic Scripting |
References
[1] mcleanbyron, “Run and RunOnce Registry Keys.” [Online]. Available: https://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys. [Accessed: 25-Aug-2020]
[2] “Saigon Banking Trojan - Insane Technologies,” 04-Aug-2020. [Online]. Available: https://www.insane.net.au/articles/case-study/saigon-banking-trojan/. [Accessed: 25-Aug-2020]
[3] “Mekotio: These aren’t the security updates you’re looking for…,” 13-Aug-2020. [Online]. Available: https://www.welivesecurity.com/2020/08/13/mekotio-these-arent-the-security-updates-youre-looking-for/. [Accessed: 26-Aug-2020]