Run Keys/Startup Folder

Attackers use Registry Run Keys and the Startup Folder in Windows to maintain persistence by ensuring that their malicious programs are executed automatically whenever a user logs into the system. These methods allow the attackers to maintain a foothold on the system, even after reboots, enabling them to continue their malicious activities. Here's a detailed explanation of how these techniques are used:

Registry Run Keys

The Windows Registry is a core component of the Windows operating system: a hierarchical database that stores configuration settings and options for the OS and installed applications. It is divided into several hives, each containing keys and values that govern various aspects of the system's behavior. Among these keys are the "run keys," which list programs to be executed automatically when the system starts or when a user logs in. This functionality is intended to launch applications and services that need to be active from the moment the system becomes operational.

Key Registry Locations:

There are several critical registry locations that attackers commonly target to establish persistence through run keys. These locations include:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run: This registry key is user-specific, meaning it affects only the currently logged-in user. Programs listed under this key will automatically execute each time that particular user logs in. This allows attackers to maintain persistence on a per-user basis, ensuring that their malicious code runs with the same permissions as the logged-in user.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run: This registry key, in contrast, affects all users on the system. Programs listed here execute at login regardless of which user logs in, making it a powerful location for attackers who want their malicious code to affect every account on the machine. Because writing to HKLM requires administrative rights, attackers typically use this location once they already have elevated access or when they want to affect the system more broadly.

How Attackers Use Run Keys:

Attackers exploit run keys by inserting malicious entries that ensure their code executes automatically at system startup or user login. They employ both direct and indirect methods to achieve this.

Direct References: In the most straightforward approach, attackers add entries that directly reference the path to a malicious executable. For instance, an attacker might create a registry entry that points to a trojan executable stored in an obscure directory. Each time the user logs in, the system launches that executable, running the attacker's code. The direct reference technique is widely used because it is simple to implement and guarantees that the malicious executable is invoked during every login, providing persistence with minimal effort.

Indirect References: More sophisticated attackers may use indirect references to obscure their activities and evade detection. One common technique involves using legitimate programs as dependencies. For example, by leveraging the "Depend" key with RunOnceEx, attackers can specify a legitimate program that indirectly loads a malicious DLL at logon. This method is subtler than direct referencing because it disguises the true nature of the executed code. By embedding the malicious payload within a legitimate process, attackers can make it harder for security software and manual inspections to identify the threat. This approach not only achieves persistence but also enhances the stealth of the malicious activity.

Additional Registry Locations:

Besides the primary run keys, attackers might also exploit other registry locations and techniques to maintain persistence:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce and HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce: These keys are used to execute programs a single time upon the next login. While typically used for setup scripts or configuration tasks, attackers can abuse them to run malicious code that sets up additional persistent mechanisms, such as creating new entries in the primary run keys.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run: This lesser-known key is sometimes used by attackers to bypass common monitoring tools that focus on the more well-known run keys. By placing entries here, attackers can achieve the same persistence while reducing the likelihood of detection.

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run and HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: These keys are particularly useful for sophisticated attacks as they can be used to manipulate the login process itself. The Userinit key, for example, can be modified to execute a custom shell or additional processes during user logon, providing attackers with a powerful persistence mechanism.

Startup Folder

The Startup Folder in Windows is a built-in feature designed to facilitate the automatic launch of programs when a user logs into their account. This mechanism ensures that essential applications and services are immediately available to the user, improving the convenience and efficiency of the computing experience. Windows provides two primary startup folders for this purpose:

User-Specific Startup Folder: Located at %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup, this folder is specific to each individual user account on the system. Programs placed in this folder will execute only when the corresponding user logs into their account. This folder allows users to customize their startup environment, ensuring that personal or work-related applications are ready as soon as they log in.

System-Wide Startup Folder: Located at %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup, this folder applies to all users on the system. Any program placed in this folder will execute regardless of which user logs in, making it a useful location for administrators to ensure that necessary applications or scripts are launched for every user. This system-wide folder is often used for applications that need to run across multiple user accounts, such as antivirus software, monitoring tools, or corporate policies.

How Attackers Use the Startup Folder:

Placing Malicious Files: One common method attackers use to exploit the startup folder is by placing malicious executables, scripts, or shortcuts directly into these folders. When the user logs in, these items are executed automatically, inheriting the permissions of the logged-in user. If the attacker can place a malicious file in the startup folder of a user with administrative privileges, the file will execute with those elevated privileges, potentially allowing the attacker to gain greater control over the system. This method is straightforward and highly effective, as it leverages the intended functionality of the startup folder to ensure persistence.

Shortcut Manipulation: Attackers may also use shortcuts (.lnk files) to achieve persistence. Instead of placing the actual malicious executable in the startup folder, they create a shortcut that points to a malicious program located elsewhere on the system. This can add a layer of obfuscation, making it less obvious that a malicious program is being executed. For instance, a shortcut in the startup folder might appear to reference a legitimate system utility, but actually point to a malicious executable hidden in a less scrutinized directory. This technique can also be used to execute scripts or commands that initiate other stages of an attack.

Indicators of Compromise in Registry Run Keys

Unexpected or Suspicious Entries: One of the primary indicators of compromise within registry run keys is the presence of unexpected or suspicious entries in key locations such as HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKLM\Software\Microsoft\Windows\CurrentVersion\Run. These entries might reference executables or scripts that are not recognized by the user or system administrators, suggesting that they were added without proper authorization.

Executable Names and Paths: Run key entries that reference executables with unusual, unknown, or randomized names are significant indicators of compromise. Malicious actors often use random or non-descriptive names to avoid detection. Additionally, the paths of these executables can provide clues. Executables located in non-standard directories such as temporary folders, user profiles, or obscure subdirectories may indicate malicious intent, as legitimate applications typically reside in more predictable locations.

Encoded or Obfuscated Entries: Entries with encoded or obfuscated names or command lines are highly suspicious. Attackers often use encoding schemes such as base64 or obfuscation techniques to hide the true nature of the executable or command. These entries might appear as long, seemingly random strings of characters that do not conform to typical naming conventions used by legitimate software.

Scripts and Indirect Loading: Registry run keys that reference scripts or use indirect loading methods, such as specifying a legitimate program as a dependency, are also indicators of compromise. For instance, entries that load scripts (e.g., .ps1, .vbs) or Dynamic Link Libraries (DLLs) through methods like RunOnceEx using a "Depend" key should be scrutinized. These techniques allow attackers to execute malicious code in a less conspicuous manner.

Registry Permissions and Ownership: Unauthorized changes to registry key permissions or ownership can indicate compromise. Attackers may alter the permissions of registry keys to ensure that their entries cannot be easily modified or deleted by legitimate users or security software. Monitoring for changes in the permissions of critical registry keys can help identify potential tampering.

Uncommon File Extensions: The presence of uncommon or suspicious file extensions in run key entries is another indicator. Attackers might use file extensions such as .scr (screensaver files that can execute code), .pif (Program Information Files), or dual extensions like file.txt.exe to mask the true nature of the executable. These extensions are not typically used by standard software for startup purposes.

Multiple Entries for the Same Executable: Another sign of compromise is the presence of multiple run key entries pointing to the same executable. This redundancy can indicate an attacker’s attempt to ensure that their malicious code persists even if one of the entries is discovered and removed. Legitimate software generally does not require multiple startup entries for the same executable.

File Metadata Discrepancies: Discrepancies in file metadata, such as creation or modification dates that do not align with known software installation times, can be indicative of malicious activity. If the timestamps of executables referenced in run keys suggest they were added recently without corresponding legitimate software updates or installations, further investigation is warranted.

Indicators of Compromise in the Startup Folder

Unexpected Files and Shortcuts: Unexpected or suspicious programs found in the user-specific or system-wide startup folders (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup and %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup) are primary indicators of compromise. These could include executable files, scripts, or shortcuts that were not intentionally placed by the user or system administrator.

File Names and Locations: Files with unusual or obfuscated names are significant indicators. Attackers often use non-descriptive or random names to evade detection. Additionally, shortcuts that reference executables in non-standard or hidden directories should raise alarms, as legitimate software typically resides in well-known locations like the Program Files directory.

Hidden or System Attributes: Files in the startup folders that have hidden or system attributes set are suspicious. These attributes can be used by attackers to make the files less visible to users and standard file management tools. Legitimate startup items generally do not require such attributes and are typically visible in the file explorer.

Scripts and Non-Standard File Types: The presence of script files, such as .vbs (VBScript), .ps1 (PowerShell), .js (JavaScript), .bat (batch files), or .cmd (command files), in the startup folders is another indicator of compromise. These scripts can execute commands or payloads upon login, and their presence in startup folders is not typical for most legitimate software.

File Size Anomalies: Unusually large files in the startup folders can indicate compromise. Most legitimate startup items are relatively small in size, as they typically only need to initiate or trigger larger applications. Large files might contain more complex payloads or be used to store additional malicious components.

Multiple References to the Same Executable: Similar to the registry run keys, the presence of multiple startup items referencing the same executable suggests an attacker's attempt to create redundancy. This strategy ensures that the malicious code persists even if one entry is discovered and removed.

Fake or Missing Digital Signatures: Files with no digital signatures or fake signatures are also indicative of malicious activity. Legitimate software vendors often sign their executables to verify authenticity and integrity. Using tools like sigcheck can help verify the legitimacy of digital signatures on files within the startup folders.

Recently Added or Modified Files: Files that were recently added or modified in the startup folders, especially if they do not correspond to known system updates or software installations, should be closely inspected. Attackers often add or modify files to establish persistence soon after gaining access to a system.
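As an added example (not part of the original page), the Python triage routine below applies the per-entry indicators from the registry and startup-folder sections above (non-standard directories, script files, uncommon or double extensions, encoded arguments, randomized names, RunOnceEx Depend entries) plus the cross-entry "same executable referenced twice" check to a set of constructed autostart entries. The sample entries, the suspicious-directory list and the randomized-name heuristic are assumptions chosen for illustration, not authoritative thresholds.

```python
import re
from collections import Counter
HKCU_RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
# Constructed sample autostart entries (location, value or file name, command line); none come from a real host.
SAMPLE_ENTRIES = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth", r'"C:\Program Files\Windows Defender\MSASCuiL.exe"'),
    (HKCU_RUN, "xk3j9a", r"C:\Users\alice\AppData\Local\Temp\xk3j9a.exe"),
    (HKCU_RUN, "Updater", r"wscript.exe C:\Users\alice\AppData\Roaming\upd.vbs"),
    (HKCU_RUN, "Report", r"C:\Users\alice\Downloads\report.txt.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend", "1", r"C:\ProgramData\svc\helper.dll"),
    (HKCU_RUN, "Sync", "powershell.exe -w hidden -enc VwByAGkAdABlAC0ASABvAHMAdAAgAGgAaQA="),  # constructed base64 blob
    (r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup", "report.lnk", r"C:\Users\alice\Downloads\report.txt.exe"),
]
SCRIPT_EXT, ODD_EXT = (".ps1", ".vbs", ".js", ".bat", ".cmd"), (".scr", ".pif")
SUSPICIOUS_DIRS = ("\\temp\\", "\\appdata\\", "\\downloads\\", "\\public\\")  # assumed list of unusual locations
B64_TOKEN, DOUBLE_EXT = re.compile(r"^[A-Za-z0-9+/]{20,}={0,2}$"), re.compile(r"\.(txt|pdf|docx?|jpe?g|png)\.[a-z0-9]{2,4}$")

def tokens(command):
    """Split a command line into arguments, honouring double-quoted paths."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command)]

def looks_random(stem):
    """Crude randomized-name heuristic on a lowercase file stem: 6+ chars, contains a digit, few vowels."""
    return len(stem) >= 6 and any(c.isdigit() for c in stem) and sum(c in "aeiou" for c in stem) / len(stem) < 0.25

# Per-token checks, each mirroring one indicator from the page; tokens are lowercased before checking.
CHECKS = [
    (lambda t: any(d in t for d in SUSPICIOUS_DIRS), "non-standard directory"),
    (lambda t: t.endswith(SCRIPT_EXT), "script file"),
    (lambda t: t.endswith(ODD_EXT) or bool(DOUBLE_EXT.search(t)), "uncommon or double extension"),
    (lambda t: bool(B64_TOKEN.match(t)), "encoded argument"),
    (lambda t: looks_random(t.rsplit("\\", 1)[-1].rsplit(".", 1)[0]), "randomized name"),
]

def triage_entry(location, command):
    """Return the indicators that apply to one autostart entry (registry value or startup-folder item)."""
    reasons = [f"{label}: {t}" for t in tokens(command) for check, label in CHECKS if check(t.lower())]
    if "runonceex" in location.lower() and "depend" in location.lower():
        reasons.append("indirect DLL load via RunOnceEx Depend")
    return reasons

def triage_all(entries):
    """Triage every entry, then add the cross-entry 'same executable referenced twice' indicator."""
    first = lambda cmd: (tokens(cmd) or [""])[0].lower()
    findings = {name: triage_entry(loc, cmd) for loc, name, cmd in entries}
    seen = Counter(first(cmd) for _, _, cmd in entries)
    for _, name, cmd in entries:
        if seen[first(cmd)] > 1:
            findings[name].append("same executable referenced by multiple entries")
    return findings
```

Calling `triage_all(SAMPLE_ENTRIES)` leaves the signed vendor entry with no findings and flags every constructed entry for the indicator it was built to show; on a real host the entries would come from the registry locations and startup folders listed above.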

General Indicators of Compromise

Unexpected System Changes: Unexpected changes to system settings, particularly those related to startup processes, can be indicative of compromise. This includes changes to registry run keys, startup folders, and other autostart locations. Monitoring tools and practices that detect and alert on such changes are critical for early detection.

Behavioral Anomalies: Behavioral anomalies, such as unusual patterns of system or network activity, can also indicate compromise. For example, if a normally dormant system process suddenly begins making network connections or consuming significant system resources, it may be executing malicious code injected by an attacker.

System and User Account Activity: Unusual system or user account activity, such as unexpected logins or the execution of unknown programs, should be investigated. This can include high-privilege accounts running unfamiliar executables or scripts at login, which could suggest an attacker is leveraging compromised credentials for persistence.

Network Connections at Startup: Unexpected network connections initiated at system startup or user login are another red flag. Attackers may establish remote connections to command-and-control (C2) servers as soon as their malicious code is executed. Monitoring network activity for unusual outbound connections during these times can help identify such attempts.

File Integrity and Permission Changes: Monitoring file integrity and permissions for critical system areas, including the registry and startup folders, can reveal unauthorized modifications. File integrity monitoring (FIM) tools can track changes to these locations in real-time, providing alerts on suspicious activities.

Presence of Redundant Persistence Mechanisms: The presence of redundant persistence mechanisms, where attackers use both registry run keys and startup folders simultaneously, is a strong indicator of compromise. This redundancy ensures that their malicious code remains active even if one method is detected and removed.

Automated Execution of Unknown Programs: Automated execution of unknown or unauthorized programs at system startup or user login is a clear indicator of compromise. Cross-referencing these programs with a known-good list of installed applications can help identify anomalies.

Modifications to Critical System Components: Modifications to critical system components that control the Windows login process, such as the Winlogon registry keys, can also indicate compromise. Attackers might alter these settings so that malicious code is loaded during every logon, ensuring persistence.
