Registry Persistence via Run Keys

Adversaries can establish persistence by adding an entry to the “run keys” in the registry or startup folder. The referenced program will be executed when a user logs in.

id: c457d0c5-3ec8-4e9e-93f5-6ddcbfeec498
categories: enrich
confidence: low
os: windows
created: 7/26/2019
updated: 7/26/2019

MITRE ATT&CK™ Mapping

tactics: Persistence
techniques: T1060 Registry Run Keys / Startup Folder

Query

registry where
  registry_path == "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run*"
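The query above, replayed over constructed registry events as an added example (not part of the analytic or the EQL project), showing what the trailing wildcard also catches and one Run key location the pattern does not cover. It assumes `*` matches any run of characters and that the comparison is case-insensitive; every field name other than `registry_path` and every sample path is made up for illustration.

```python
import re

# Pattern from the query on this page, with the string escapes resolved.
RUN_KEY_PATTERN = r"*\Software\Microsoft\Windows\CurrentVersion\Run*"


def wildcard_to_regex(pattern):
    """Turn a '*' wildcard pattern into an anchored, case-insensitive regex."""
    literal_parts = (re.escape(part) for part in pattern.split("*"))
    return re.compile("^" + ".*".join(literal_parts) + "$", re.IGNORECASE | re.DOTALL)


RUN_KEY_RE = wildcard_to_regex(RUN_KEY_PATTERN)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Per-user Run key value: matches.
    {"process_name": "updater_setup.exe",
     "registry_path": r"HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    # RunOnce with different casing: matches through the trailing wildcard.
    {"process_name": "installer.exe",
     "registry_path": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Cleanup"},
    # 32-bit view of the Run key: WOW6432Node sits between Software and
    # Microsoft, so the pattern as written does not match it.
    {"process_name": "agent32.exe",
     "registry_path": r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Agent"},
    # Unrelated keys: no match.
    {"process_name": "services.exe",
     "registry_path": r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Foo\ImagePath"},
    {"process_name": "msiexec.exe",
     "registry_path": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\App\DisplayName"},
]


def match_run_key_events(events):
    """Return the events whose registry_path satisfies the analytic's pattern."""
    return [e for e in events if RUN_KEY_RE.match(e.get("registry_path", ""))]


if __name__ == "__main__":
    for event in match_run_key_events(SAMPLE_EVENTS):
        print(event["process_name"], "->", event["registry_path"])
```

Benign installers and updaters write to these keys as well, which is consistent with the analytic's low confidence and enrich category.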

Contributors