Registry Persistence via Run Keys

Adversaries can establish persistence by adding an entry to the “run keys” in the registry or startup folder. The referenced program will be executed when a user logs in.

id:c457d0c5-3ec8-4e9e-93f5-6ddcbfeec498 categories:enrich confidence:low os:windows created:7/26/2019 updated:7/26/2019

MITRE ATT&CK™ Mapping

tactics:Persistence techniques:T1060 Registry Run Keys / Startup Folder

Query

registry where
  registry_path == "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run*"

Contributors

• Endgame