Registry Run Keys / Startup Folder

Persistence via Startup Files and Registry Manipulation

Attackers frequently use the Startup folders and the registry Run keys (MITRE ATT&CK T1547.001, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder) to establish persistence, so that their code is launched every time a user logs on. The per-user locations need no special privileges to write, which is why the technique is so common, and why detecting and remediating it is a routine part of incident response.


Key Persistence Techniques

1. Startup Files

Files placed in a Startup folder, including .lnk shortcuts, are launched by Explorer when a user logs on. The user-specific folder runs only for that user; the system-wide folder runs for every user who logs on. Writing to the user-specific folder requires no elevation, while the system-wide folder normally requires administrative rights.

Paths to Check:

  • User-Specific Startup Folder:

    C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
  • System-Wide Startup Folder:

    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

2. Registry Run Keys

Each value under these keys is a command line that Windows runs at logon: HKCU values for that user only, HKLM values for every user who logs on. RunOnce values are deleted before they run (unless the value name starts with an exclamation mark, which defers deletion until the command finishes), so a RunOnce entry that has already fired leaves no trace in the key itself. On 64-bit Windows, also check the 32-bit view under HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run.

Common Registry Keys:

User-Specific:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

System-Wide:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

3. Explorer Shell Folders

These values tell Explorer where the Startup folders are. The Startup value (per-user) and the Common Startup value (all users) under User Shell Folders hold the configured paths; Shell Folders holds the expanded copies kept for compatibility. An attacker who points one of these values at a directory of their choosing gets a startup location that is not the folder listed in section 1, so the real Startup folder looks clean while the redirected one still runs at logon. Compare the configured values with the default paths rather than only listing the default folders.

Keys (both names exist under HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE):

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

4. Service Startup Keys

Windows 9x-era keys. Current versions of Windows do not process them and do not create them by default, so any entry found here is anomalous and worth examining even though it will not execute on its own.

Keys:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices

5. Policy-Based Startup Programs

Values under these keys are normally created by Group Policy (the "Run these programs at user logon" setting) and behave like ordinary Run entries. On a machine where no such policy applies, the keys usually do not exist, so an entry here that no policy explains is suspect; the location is also less familiar to analysts than the plain Run keys.

Keys:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run


Detection Techniques

1. Using Autoruns

Autoruns (Sysinternals) enumerates every autostart location in one view, including all of the keys and folders above. Before reviewing, enable Options → Hide Microsoft Entries and Options → Verify Code Signatures so that unsigned and third-party entries stand out; the Timestamp column shows the last-write time of the key or file, which can be matched against the incident timeline.

Steps:

  1. Open Autoruns as Administrator.

  2. Focus on the Logon tab, which covers the Run, RunOnce and Policies\Explorer\Run keys and the Startup folders; the Explorer tab covers shell extensions and other Explorer hooks.

    • Suspicious Entries:

      • Image Path showing an unknown or unexpected executable, or a signed system binary (rundll32.exe, regsvr32.exe, mshta.exe, powershell.exe, wscript.exe) whose arguments load something else.

      • Entries without a Publisher or Description, or whose signature fails verification.

      • Entries pointing to non-standard file paths (e.g., C:\Temp\, C:\Users\Public\).

  3. Investigate flagged items:

    • Right-click on a suspicious entry → Jump to Image or Jump to Entry.
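The following is an added example, not code from the original page: a scripted pass over the Startup folders and the registry keys listed under Key Persistence Techniques, applying the same review heuristics as the Autoruns walkthrough above (no valid Authenticode signature, image in a non-standard path, Startup folder redirected through User Shell Folders). It assumes an elevated PowerShell session on the host under investigation; the suspicious-path pattern is a starting heuristic chosen for this example, not an exhaustive list.

```powershell
# Added example (not from the original page). Assumptions: elevated session on the host
# under investigation; $suspiciousPath is an illustrative heuristic, extend it as needed.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'   # 32-bit view on 64-bit Windows
)
$suspiciousPath = '(?i)\\(Temp|Users\\Public|Downloads)(\\|$)'
$providerNoise  = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-ImagePath {
    # Pull the executable out of a command line such as  "C:\x\a.exe" /q  or  rundll32.exe foo.dll,Run
    param([string]$Command)
    $path = if ($Command -match '^\s*"([^"]+)"') { $Matches[1] }
            elseif ($Command -match '(?i)^\s*(.+?\.(exe|dll|bat|cmd|vbs|js|ps1|scr))(\s|$)') { $Matches[1] }
            else { ($Command -split '\s+')[0] }
    $path = [Environment]::ExpandEnvironmentVariables($path)
    if ($path -and -not (Test-Path -LiteralPath $path)) {
        # Bare names like rundll32.exe resolve through PATH
        $cmd = Get-Command $path -ErrorAction SilentlyContinue
        if ($cmd -and $cmd.Source) { $path = $cmd.Source }
    }
    return $path
}

function New-Finding {
    param([string]$Location, [string]$Name, [string]$Command)
    $image  = Get-ImagePath $Command
    $exists = [bool]$image -and (Test-Path -LiteralPath $image)
    $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $image } else { $null }
    $reason = @()
    if (-not $exists)                  { $reason += 'image not found' }
    elseif ($sig.Status -ne 'Valid')   { $reason += "signature: $($sig.Status)" }
    if ($image -match $suspiciousPath) { $reason += 'non-standard path' }
    [pscustomobject]@{
        Suspicious = $reason.Count -gt 0
        Location   = $Location
        Name       = $Name
        ImagePath  = $image
        Publisher  = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Command    = $Command
        Reason     = $reason -join '; '
    }
}

$findings = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
        if ($p.Name -in $providerNoise) { continue }
        $findings += New-Finding -Location $key -Name $p.Name -Command ([string]$p.Value)
    }
}

# The Startup folder locations are registry values themselves (section 3): read them rather
# than assuming the defaults, and warn when one has been redirected.
$shellFolders = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'; Value = 'Startup'
       Expected = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup" },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'; Value = 'Common Startup'
       Expected = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" }
)
foreach ($s in $shellFolders) {
    $folder = (Get-ItemProperty -LiteralPath $s.Key -ErrorAction SilentlyContinue).($s.Value)
    if (-not $folder) { $folder = $s.Expected }
    if ($folder -ne $s.Expected) { Write-Warning "Startup folder redirected: $($s.Key)\$($s.Value) = $folder" }
    $files = Get-ChildItem -LiteralPath $folder -File -Force -ErrorAction SilentlyContinue |
             Where-Object Name -ne 'desktop.ini'
    foreach ($f in $files) {
        $target = $f.FullName
        if ($f.Extension -eq '.lnk') {   # a shortcut runs whatever it points to
            $target = (New-Object -ComObject WScript.Shell).CreateShortcut($f.FullName).TargetPath
        }
        $findings += New-Finding -Location $folder -Name $f.Name -Command ('"{0}"' -f $target)
    }
}

$findings | Sort-Object Suspicious -Descending | Format-Table Suspicious, Location, Name, ImagePath, Reason -AutoSize -Wrap
```

The script reports every entry, not only the flagged ones, so that a signed binary in a normal path with a suspicious argument (the rundll32.exe case above) is still visible in the Command column for manual review. Run it alongside Autoruns rather than instead of it: Autoruns covers many more autostart locations than the ones listed on this page.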

2. Event Logs Analysis

Registry changes can be written to the Security log, but not by default: Event ID 4657 is only generated when the Audit Registry subcategory (Object Access) is enabled and the key itself carries an auditing entry (SACL) for the operation. On a host where neither was configured before the incident, the Security log will contain no 4657 events for the Run keys, and Sysmon registry events (Event IDs 12, 13 and 14) or EDR telemetry are the usual substitute.

Event ID:

  • 4657: A registry value was modified. The event carries the key (ObjectName), the value name (ObjectValueName), the old and new data, the operation type (created, modified or deleted) and the process and account that made the change.

Steps:

  1. Open Event Viewer.

  2. Navigate to:

    Windows Logs -> Security
  3. Filter by Event ID 4657.

  4. Review logs for suspicious modifications:

    • Focus on changes whose ObjectName ends in \CurrentVersion\Run, \RunOnce or \Policies\Explorer\Run, and note the ProcessName and SubjectUserName that made the change.
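The following is an added example, not code from the original page, for the two halves of the event-log step: first making Event ID 4657 actually fire for the Run keys (the Registry audit subcategory plus a SACL on each key, neither of which a default Windows install has), then pulling and decoding the matching events from the Security log. It assumes an elevated session. The Set-Acl step is the registry-provider way of writing the SACL and is an assumption of this example; if it is refused on a key owned by TrustedInstaller, the same auditing entry can be added in regedit (Permissions → Advanced → Auditing).

```powershell
# Added example (not from the original page). Assumptions: elevated session; Set-Acl is
# able to write the SACL on these keys (otherwise add the audit entry through regedit).

# 1. Enable the Object Access > Registry audit subcategory.
auditpol /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null

# 2. Put a SACL on each Run key so that writes, subkey creation and deletes by anyone are audited.
$auditedKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$rule = New-Object System.Security.AccessControl.RegistryAuditRule -ArgumentList 'Everyone', 'SetValue,CreateSubKey,Delete', 'ContainerInherit,ObjectInherit', 'None', 'Success,Failure'
foreach ($k in $auditedKeys) {
    if (-not (Test-Path -LiteralPath $k)) { continue }      # Policies\Explorer\Run may not exist
    $acl = Get-Acl -LiteralPath $k -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -LiteralPath $k -AclObject $acl
}

# 3. Pull 4657 events for the Run keys and decode the EventData fields.
function Get-RunKeyModification {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4657; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # Keep only the keys this page is about; ObjectName looks like \REGISTRY\MACHINE\SOFTWARE\...
        if ($d.ObjectName -notmatch '(?i)\\CurrentVersion\\(Run|RunOnce|Policies\\Explorer\\Run)$') { return }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Process   = $d.ProcessName
            Key       = $d.ObjectName
            ValueName = $d.ObjectValueName
            Operation = $(switch ($d.OperationType) {
                            '%%1904' { 'created' } '%%1905' { 'modified' } '%%1906' { 'deleted' }
                            default  { $d.OperationType } })
            OldValue  = $d.OldValue
            NewValue  = $d.NewValue
        }
    }
}

Get-RunKeyModification -Hours 72 | Sort-Object Time | Format-Table -AutoSize -Wrap
```

The Process and User columns are what turn a 4657 event into something actionable: a Run value written by a process under C:\Users\Public\ or by an account that should not be logged on to that host is the lead, and its timestamp gives the point on the timeline to pivot from.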


What to Focus On

  1. Entries without Publisher/Description:

    • Legitimate startup items usually have these fields populated and carry a valid signature.

    • Unpopulated fields or an unverifiable signature raise the likelihood of malicious intent, but the reverse does not hold: a validly signed Microsoft binary such as rundll32.exe or powershell.exe can still be the launcher, so review the full command line, not just the image.

  2. Unusual File Paths:

    • Files located in temporary or non-standard directories are suspect.

    • Examples:

      C:\Temp\malicious.exe
      C:\Users\Public\script.ps1
  3. Event Log Analysis:

    • Use Event ID 4657 to track registry changes.

    • Cross-reference timestamps with known attack timelines.


Eradication Steps

  1. Remove Malicious Startup Files:

    • Navigate to the Startup Folder.

    • Preserve a copy of the file (or at least its SHA-256 hash and timestamps) for the case record, then delete it:

      del "C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\[MaliciousFile]"
  2. Remove Malicious Registry Entries:

    • Open Registry Editor (regedit).

    • Navigate to the affected Run or RunOnce keys.

    • Delete malicious entries.

  3. Validate Changes:

    • Re-scan the system using Autoruns to confirm removal.

    • Recheck logs for further suspicious entries.
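The following is an added example, not code from the original page: the three eradication steps above as one function that preserves evidence (a copy and hash of the startup file, a .reg export of the key, the old value data) before removing anything, and then reports whether the file and the value are actually gone. It assumes an elevated session; the case directory, the file name updater.lnk and the value name Updater in the usage call are placeholders standing in for whatever the investigation identified.

```powershell
# Added example (not from the original page). Assumptions: elevated session; $CaseDir and the
# file/value names in the usage call below are placeholders for the investigation's findings.

function Remove-AutostartEntry {
    param(
        [Parameter(Mandatory)] [string]$CaseDir,   # evidence folder for this case
        [string]$StartupFile,                      # a file found in a Startup folder (may be omitted)
        [string]$Key,                              # e.g. 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
        [string]$ValueName                         # the malicious value under $Key (may be omitted)
    )
    New-Item -ItemType Directory -Path $CaseDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

    if ($StartupFile -and (Test-Path -LiteralPath $StartupFile)) {
        # Hash and copy before deleting; never execute the file.
        $hash = (Get-FileHash -LiteralPath $StartupFile -Algorithm SHA256).Hash
        $copy = Join-Path $CaseDir "$stamp-$(Split-Path $StartupFile -Leaf).bin"
        Copy-Item -LiteralPath $StartupFile -Destination $copy
        "$hash  $StartupFile" | Add-Content -Path (Join-Path $CaseDir 'hashes.txt')
        Remove-Item -LiteralPath $StartupFile -Force
    }

    if ($Key -and $ValueName) {
        # reg.exe wants HKCU\... rather than the HKCU:\ drive form used by the provider.
        $regPath = $Key -replace '^HK(LM|CU):\\', 'HK$1\'
        reg export $regPath (Join-Path $CaseDir "$stamp-run-key.reg") /y | Out-Null
        $old = Get-ItemPropertyValue -LiteralPath $Key -Name $ValueName -ErrorAction SilentlyContinue
        "$(Get-Date -Format o) $Key\$ValueName = $old" | Add-Content -Path (Join-Path $CaseDir 'removed-values.txt')
        Remove-ItemProperty -LiteralPath $Key -Name $ValueName -ErrorAction Stop
    }

    # Validation: neither artefact may still exist.
    $valueStillThere = $Key -and $ValueName -and
        ((Get-ItemProperty -LiteralPath $Key -ErrorAction SilentlyContinue).PSObject.Properties.Name -contains $ValueName)
    [pscustomobject]@{
        FileRemoved  = -not ($StartupFile -and (Test-Path -LiteralPath $StartupFile))
        ValueRemoved = -not $valueStillThere
        Evidence     = $CaseDir
    }
}

# Usage (placeholder names):
Remove-AutostartEntry -CaseDir 'C:\IR\case-001' `
    -StartupFile "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk" `
    -Key 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ValueName 'Updater'
```

The validation at the end only proves that this entry is gone. Re-run Autoruns afterwards as the page recommends: an attacker who planted a Run key often has a second mechanism (a scheduled task or service, for instance) that re-creates it, and a value that reappears after removal is itself a finding.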


Key Takeaways

  • Startup and Registry Manipulation are widely used persistence mechanisms.

  • Autoruns simplifies identifying and analyzing startup entries.

  • Event Logs (4657) are invaluable for tracking registry modifications, provided Registry auditing and a SACL on the keys were in place before the change.

  • Always cross-reference suspicious entries with known attack timelines and external threat intelligence.

By systematically analyzing these persistence mechanisms, incident responders can effectively identify and neutralize threats.
