Registry Persistence via Shell Folders
Adversaries can establish persistence by adding an entry to the “run keys” in the registry or startup folder. The referenced program will be executed when a user logs in.
| id: | f8b1720c-7116-4ec3-b38a-402f984e4972 |
|---|---|
| categories: | detect |
| confidence: | low |
| os: | windows |
| created: | 7/22/2019 |
| updated: | 7/22/2019 |
MITRE ATT&CK™ Mapping
| tactics: | Persistence |
|---|---|
| techniques: | T1060 Registry Run Keys / Startup Folder |
Query
```
registry where
  registry_path == "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\*Shell Folders*"
```
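Because the analytic is rated low confidence, a triage pass over its hits helps. The following Python sketch is an added example, not part of the original analytic or its library: it applies the query's wildcard pattern to constructed registry events and raises priority when a `Startup` or `Common Startup` value points away from the default Startup folder. Assumptions: the `registry_data` field name, the hive-prefix stripping, the default-path suffix and the priority labels are illustrative choices, not taken from the page.

```python
import re

# Wildcard pattern from the query above, with the EQL string escapes resolved.
PATTERN = r"\Software\Microsoft\Windows\CurrentVersion\Explorer\*Shell Folders*"
# Assumption: default Startup folder locations end with this suffix.
DEFAULT_SUFFIX = r"\microsoft\windows\start menu\programs\startup"
STARTUP_VALUES = {"startup", "common startup"}

def wildcard_match(pattern, text):
    """Case-insensitive match where '*' stands for any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, text, re.IGNORECASE | re.DOTALL) is not None

def hive_relative(path):
    """Drop the hive/SID prefix so the pattern applies from \\Software onward."""
    idx = path.lower().find("\\software\\")
    return path[idx:] if idx >= 0 else path

def triage(event):
    """Return 'no-match', 'low' or 'high' for one registry event."""
    if not wildcard_match(PATTERN, hive_relative(event["registry_path"])):
        return "no-match"
    value = event["registry_path"].rsplit("\\", 1)[-1].lower()
    data = event.get("registry_data", "").rstrip("\\").lower()
    # A Startup value that no longer points at the default folder is the
    # change most worth an analyst's time; other hits stay low priority.
    if value in STARTUP_VALUES and not data.endswith(DEFAULT_SUFFIX):
        return "high"
    return "low"

# Constructed sample events (not real telemetry).
HKU = r"HKEY_USERS\S-1-5-21-1111-2222-3333-1001"
EXPLORER = HKU + r"\Software\Microsoft\Windows\CurrentVersion\Explorer"
EVENTS = [
    {"registry_path": EXPLORER + r"\User Shell Folders\Startup",
     "registry_data": r"%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"},
    {"registry_path": EXPLORER + r"\User Shell Folders\Startup",
     "registry_data": r"C:\Users\Public\Music"},
    {"registry_path": EXPLORER + r"\Shell Folders\Desktop",
     "registry_data": r"C:\Users\alice\Desktop"},
    {"registry_path": r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "registry_data": r"C:\Program Files\Updater\updater.exe"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(triage(ev), ev["registry_path"])
```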