Registry Persistence via Shell Folders
Adversaries can establish persistence by adding an entry to the “run keys” in the registry or startup folder. The referenced program will be executed when a user logs in.
| id: | f8b1720c-7116-4ec3-b38a-402f984e4972 |
|---|---|
| categories: | detect |
| confidence: | low |
| os: | windows |
| created: | 7/22/2019 |
| updated: | 7/22/2019 |
MITRE ATT&CK™ Mapping
| tactics: | Persistence |
|---|---|
| techniques: | T1060 Registry Run Keys / Startup Folder |
Query
```
registry where
  registry_path == "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\*Shell Folders*"
```
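Because the analytic is rated low confidence, hits usually need a triage pass. The sketch below is an added example, not part of the original analytic: it applies the query's wildcard to constructed registry events and raises priority only when a `Startup` or `Common Startup` value points somewhere other than a stock-looking startup folder. Assumptions: the `registry_data` field name, the leading `*` (the constructed paths carry a hive prefix), and the default-location suffix heuristic.

```python
from fnmatch import fnmatchcase

# The query's pattern with single backslashes. The leading "*" is an assumption:
# the constructed paths below start with a hive prefix such as \REGISTRY\USER\<SID>.
PATTERN = r"*\Software\Microsoft\Windows\CurrentVersion\Explorer\*Shell Folders*"
STARTUP_VALUES = {"startup", "common startup"}    # values that set the startup folder
DEFAULT_SUFFIX = r"\start menu\programs\startup"  # heuristic for a stock location


def matches_query(registry_path):
    """Case-insensitive wildcard match on the registry path."""
    return fnmatchcase(registry_path.lower(), PATTERN.lower())


def triage(event):
    """Return 'ignore', 'review' or 'alert' for one registry-write event."""
    path = event["registry_path"]
    if not matches_query(path):
        return "ignore"
    value_name = path.rsplit("\\", 1)[-1].lower()
    if value_name not in STARTUP_VALUES:
        return "review"  # other shell folders (Desktop, Personal, ...)
    data = event.get("registry_data", "").rstrip("\\").lower()
    return "review" if data.endswith(DEFAULT_SUFFIX) else "alert"


# Constructed sample events (not taken from real telemetry).
HKU = r"\REGISTRY\USER\S-1-5-21-1111-2222-3333-1001"
EXPLORER = HKU + r"\Software\Microsoft\Windows\CurrentVersion\Explorer"
EVENTS = [
    {"registry_path": EXPLORER + r"\User Shell Folders\Startup",
     "registry_data": r"C:\Users\Public\Libraries"},
    {"registry_path": EXPLORER + r"\Shell Folders\Desktop",
     "registry_data": r"C:\Users\alice\Desktop"},
    {"registry_path": EXPLORER + r"\User Shell Folders\Startup",
     "registry_data": r"%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"},
    {"registry_path": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "registry_data": r"C:\Program Files\Example\updater.exe"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(triage(ev), ev["registry_path"])
```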