Registry Run Keys / Startup Folder — Malware Persistence

In the world of today, Cyber Adversaries are on rise. They are targeting every kind of organization to gain access and then hide themselves for long time in order to hunt down every bit of information required. Increasing number of malwares have been found today and every now and then we come to hear about Malware Attacks, Ransomware Attacks that the adversaries have been hiding for years before shutting down all the systems or before asking for ransom.

The first and the foremost thing for the adversaries once they have gained access to a system is that they need themselves to hide and also to persist on the system. In case the system is restarted or shutdown, the malware should work and they should have access to the system. This technique is mapped to Boot or Logon Autostart Execution — MITRE ATT&CK T1547 and is a sub-technique number 001.

In this case the attackers tries to hide themselves by following means.

A. Adding programs to start at boot time.
B. Adding programs to StartUp folders.
C. Adding programs to Autorun.
D. Run Keys in Windows Registry 

There are multiple ways of opening Registry Editor on Windows. At first we can search for it and can open it directly.

Secondly, we can use CMD+R to open up RUN Prompt and type regedit and hit enter.

There are 5 Hives in total which can be seen clearly in the above screenshot.

1. HKEY_CLASSES_ROOT → Contains File Extensions Association Information
2. HKEY_CURRENT_USER → Contains configuration information for Windows and software specific to the currently logged in user
3. HKEY_LOCAL_MACHINE → Contains configuration information for the software you have installed, as well as for the Windows operating system itself.
4. HKEY_USERS → Contains user-specific configuration information for all currently active users on the computer. This means the user logged in at the moment (you) and any other users who have also logged in but have since “switched users.”
5. HKEY_CURRENT_CONFIG → HKEY_CURRENT_CONFIG is a shortcut to the HKEY_LOCAL_MACHINE hive. More specifically, to that hive’s \SYSTEM\CurrentControlSet\Hardware Profiles\Current\ registry key. It’s there that the information is truly stored — HKEY_CURRENT_CONFIG just provides a quick way to get there.

These hives stored keys, subkeys, and values in other words hives stores information in KEY:VALUE pairs.

The attackers always try to have access to HKLM as it required admin privilege's and also contains all the settings for all the users. In case they are not able to gain access to HKLM they will target the HKCU which only requires the currently login user privilege’s.

As we now understand what these HIVES means, let us take a look onto the actual Keys which attackers take leverage of.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

These 2 keys i.e. RUN and RUNONCE comes pre-installed with the operating system. There is another Registry Key named RunOnceEx which does not comes preinstalled but can be created. These are for processes, i.e. the RUN and RUNONCE starts a separate process but RUNONCEEX does not starts a separate process which means that you can be more persistent.

So, we can conclude that,

1. Run → Runs commands/programs every-time user logs onto the system.
2. RunOnce → Runs commands/programs every-time user logs onto the system. As soon as the command/program returns success it clears the associated keys.
3. RunOnceEx → Clears the registry key on completion of the command

Similarly, we have RunServices and RunServiceOnce keys as well. Which are responsible for the services running in the background and also for the services which are required to be started-up as soon as the user logs onto the system.

1. HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
2. HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOncce
3. HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
4. HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

Similar to these the attackers can also take leverage of Windows Policies Keys to set up program/services to be run at the start-up.

1. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
2. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

The other important registry keys include WinLogon Keys which hold the information of the programs/services etc. to run as soon as the user logs onto the system.

1. UserInit (userinit.exe)

This program runs as soon as the user logs onto the system and sets everything to their default settings. The details can be found in the below screenshot and it can be seen that there are multiple keys with their values assigned. Which means that once the user will log onto the system, these are the default settings which will be initialized.

The attackers can take leverage of this tool and can modify its parameter to put the malware. So, that whenever the user will login or the system boots up the malware will be started along with it.

2. Shell

This Key contains the default value of explorer.exe. This can also be taken advantage of and attackers can set it to malwares executables.

3. BootExecute

This runs autocheck autochk * during the boot time. This by default performs File System/Disk troubleshooting during the boot time. If modified, the malware will once the autochek succeeds.

The attackers can take leverage of this, by modifying the value and adding malware samples/executable to it!

4. Shell Folders & User Shell Folders

These folders contains the keys for the startup programs. Adversaries can take advantage of these keys by modifying them to add their malicious programs.

1. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
2. HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

1. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
2. HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

These are few of the places where adversaries can keep themselves hidden. In my next article I will be showing you how to actually exploit these locations from adversary point of view and will add mitigations to it.

Also, note that these locations are the bare-minimum to be looked after as starting from a low level adversary to top level, these locations will definitely be exploited.