In which registry hive does Windows store startup program information for a given user?
|
S0045 ADVSTORESHELL ADVSTORESHELL achieves persistence by adding itself to the Show Agent Tesla can add itself to the Registry as a startup program to establish persistence.[8][9] S1025 AmadeyAmadey has changed the Startup folder to the one containing its executable by overwriting the registry keys.[10][11] S0622 AppleSeedAppleSeed has the ability to create the Registry key name APT18 establishes persistence via the An APT19 HTTP malware variant establishes persistence by setting the Registry key APT28 has deployed malware that has copied itself to the startup directory for persistence.[16] G0016 APT29APT29 added Registry Run keys to establish persistence.[17] G0022 APT3APT3 places scripts in the startup folder for persistence.[18] G0050 APT32APT32 established persistence using Registry Run keys, both to execute PowerShell and VBS scripts as well as to execute their backdoor directly.[19][20][21] G0064 APT33APT33 has deployed a tool known as DarkComet to the Startup folder of a victim, and used Registry run keys to gain persistence.[22][23] G0067 APT37APT37's has added persistence via the Registry key
APT39 has maintained persistence using the startup folder.[26] G0096 APT41APT41 created and modified startup files for
persistence.[27][28] APT41 added a registry key in Aria-body has established persistence via the Startup folder or Run Registry key.[30] S0373 AstarothAstaroth creates a startup item for persistence. [31] S1029 AuTo StealerAuTo Stealer can place malicious executables in a victim's AutoRun registry key or StartUp directory, depending on the AV product installed, to maintain persistence.[32] S0640 AvaddonAvaddon uses registry run keys for persistence.[33] S0414 BabySharkBabyShark has added a Registry key to ensure all future macros are enabled for Microsoft Word and Excel as well as for additional persistence.[34][35] S0093 Backdoor.OldreaBackdoor.Oldrea adds Registry Run keys to achieve persistence.[36][37] S0031 BACKSPACEBACKSPACE achieves persistence by creating a shortcut to itself in the CSIDL_STARTUP directory.[38] S0128 BADNEWSBADNEWS installs a registry Run key to establish persistence.[39] S0337 BadPatchBadPatch establishes a foothold by adding a link to the malware executable in the startup folder.[40] S0534 BazarBazar can create or add files to Registry Run Keys to establish persistence.[41][42] S0127 BBSRATBBSRAT has been loaded through DLL side-loading of a legitimate Citrix executable that is set to persist through the Registry Run key location Bisonal has added itself to the Registry key BitPaymer has set the run key The BlackEnergy 3 variant drops its main DLL component and then creates a .lnk shortcut to that file in the startup folder.[46] S0635 BoomBoxBoomBox can establish persistence by writing the Registry value Briba creates run key Registry entries pointing to malicious DLLs dropped to disk.[48] G0060 BRONZE BUTLERBRONZE BUTLER has used a batch script that adds a Registry Run key to establish malware persistence.[49] S0471 build_downerbuild_downer has the ability to add itself to the Registry Run key for persistence.[50] S0030 CarbanakCarbanak stores a configuration files in the startup directory to automatically execute commands in order to persist across reboots.[51] S0484 CarberpCarberp has maintained persistence by placing itself inside the current user's startup folder.[52] S0348 Cardinal RATCardinal RAT establishes Persistence by setting the Chaes has added persistence via the Registry key ChChes establishes persistence by adding a Registry Run key.[55] S1041 ChinoxyChinoxy has established persistence via the Clambling can establish persistence by adding a Registry run key.[57][58] G0080 Cobalt GroupCobalt Group has used Registry Run keys for persistence. The group has also set a Startup path to launch the PowerShell shell command and download Cobalt Strike.[59] S0338 Cobian RATCobian RAT creates an autostart Registry key to ensure persistence.[60] S0244 ComnieComnie achieves persistence by adding a shortcut of itself to the startup path in the Registry.[61] S0608 ConfickerConficker adds Registry Run keys to establish persistence.[62] G0142 ConfuciusConfucius has dropped malicious files into the startup folder CORESHELL has established persistence by creating autostart extensibility point (ASEP) Registry entries in the Run key and other Registry keys, as well as by creating shortcuts in the Internet Explorer Quick Start folder.[64] S0046 CozyCarOne persistence mechanism used by CozyCar is to set itself to be executed at system startup by adding a Registry value under one of the following Registry keys: Crimson can add Registry run keys for persistence.[66][67] S0235 CrossRATCrossRAT uses run keys for persistence on Windows G0070 Dark CaracalDark Caracal's version of Bandook adds a registry key to DarkComet adds several Registry entries to enable automatic execution at every system startup.[69][70] G0012 DarkhotelDarkhotel has been known to establish persistence by adding programs to the Run Registry key.[71] S1021 DnsSystemDnsSystem can write itself to the Startup folder to gain persistence.[72] S0186 DownPaperDownPaper uses PowerShell to add a Registry Run key in order to establish persistence.[73] G0035 DragonflyDragonfly has added the registry value ntdll to the Registry Run key to establish persistence.[74] S0062 DustySkyDustySky achieves persistence by creating a Registry entry in If establishing persistence by installation as a new service fails, one variant of Elise establishes persistence for the created .exe file by setting the following Registry key: Variants of Emissary have added Run Registry keys to establish persistence.[78] S0367 EmotetEmotet has been observed adding the downloaded payload to the Empire can modify the registry run keys EvilBunny has created Registry keys for persistence in EvilGrab adds a Registry Run key for ctfmon.exe to establish persistence.[55] S0568 EVILNUMEVILNUM can achieve persistence through the Registry Run key.[84][85] S0512 FatDukeFatDuke has used FELIXROOT adds a shortcut file to the startup folder for persistence.[87] G0051 FIN10FIN10 has established persistence by using the Registry option in PowerShell Empire to add a Run key.[88][82] G0037 FIN6FIN6 has used Registry Run keys to establish persistence for its downloader tools known as HARDTACK and SHIPBREAD.[89] G0046 FIN7FIN7 malware has created Registry Run and RunOnce keys to establish persistence, and has also added items to the Startup folder.[90][91] S0355 Final1stspyFinal1stspy creates a Registry Run key to establish persistence.[92] S0182 FinFisherFinFisher establishes persistence by creating the Registry key
Flagpro has dropped an executable file to the startup directory.[95] S0036 FLASHFLOODFLASHFLOOD achieves persistence by making an entry in the Registry's Run key.[38] S0381 FlawedAmmyyFlawedAmmyy has established persistence via the FunnyDream can use a Registry Run Key and the Startup folder to establish persistence.[56] G0047 Gamaredon GroupGamaredon Group tools have registered Run keys in the registry to give malicious VBS files persistence.[96][97][98] S0168 GazerGazer can establish persistence by creating a .lnk file in the Start menu.[99][100] S0666 GelsemiumGelsemium can set persistence with a Registry run key.[101] S0032 gh0st RATgh0st RAT has added a Registry Run key to establish persistence.[102][103] S0249 Gold DragonGold Dragon establishes persistence in the Startup folder.[104] G0078 Gorgon GroupGorgon Group malware can create a .lnk file and add a Registry Run key to establish persistence.[105] S0531 GrandoreiroGrandoreiro can use run keys and create link files in the startup folder for persistence.[106][107] S0417 GRIFFONGRIFFON has used a persistence module that stores the implant inside the Registry, which executes at logon.[108] S0632 GrimAgentGrimAgent can set persistence with a Registry run key.[109] S0561 GuLoaderGuLoader can establish persistence via the Registry under Hancitor has added Registry Run keys to establish persistence.[111] S0170 HelminthHelminth establishes persistence by creating a shortcut in the Start Menu folder.[112] S1027 Heyoka BackdoorHeyoka Backdoor can establish persistence with the auto start function including using the value
Hi-Zor creates a Registry Run key to establish persistence.[114] G0126 HigaisaHigaisa added a spoofed binary to the start-up folder for persistence.[115][116] S0070 HTTPBrowserHTTPBrowser has established persistence by setting the IcedID has established persistence by creating a Registry run key.[119] G0100 InceptionInception has maintained persistence by modifying Registry run key value Some InnaputRAT variants establish persistence by modifying the Registry key InvisiMole can place a lnk file in the Startup Folder to achieve persistence.[122] S0015 IxesheIxeshe can achieve persistence by adding itself to the JCry has created payloads in the Startup directory to maintain persistence. [124] S0044 JHUHUGITJHUHUGIT has used a Registry Run key to establish persistence by executing JavaScript code within the rundll32.exe process.[125] S0088 KasidetKasidet creates a Registry Run key to establish persistence.[126][127] S0265 KazuarKazuar adds a sub-key under several Registry run keys.[128] G0004 Ke3changSeveral Ke3chang backdoors achieved persistence by adding a Run key.[129] G0094 KimsukyKimsuky has placed scripts in the startup folder for persistence and modified the Koadic has added persistence to the KOCTOPUS can set the AutoRun Registry key with a PowerShell command.[134] S0356 KONNIA version of KONNI has dropped a Windows shortcut into the Startup folder to establish persistence.[135] G0032 Lazarus GroupLazarus Group has maintained persistence by loading malicious code into a startup folder or by adding a Registry Run key.[136][137][138][139][140] G0140 LazyScripterLazyScripter has achieved persistence via writing a PowerShell script to the autorun registry key.[134] G0065 LeviathanLeviathan has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoor.[141][142] S0513 LiteDukeLiteDuke can create persistence by adding a shortcut in the LoJax has modified the Registry key LookBack sets up a Registry Run key to establish a persistence mechanism.[144] S0532 LuciferLucifer can persist by setting Registry key values Machete used the startup folder for persistence.[146][147] G0059 Magic HoundMagic Hound malware has used Registry Run keys to establish persistence.[148] S0652 MarkiRATMarkiRAT can drop its payload into the Startup directory to ensure it automatically runs when the compromised system is started.[149] S0167 MatryoshkaMatryoshka can establish persistence by adding Registry Run keys.[150][151] S0449 MazeMaze has created a file named "startup_vrun.bat" in the Startup folder of a virtual machine to establish persistence.[152] S0500 MCMDMCMD can use Registry Run Keys for persistence.[153] S0455 MetamorfoMetamorfo has configured persistence to the Registry ket Mivast creates the following Registry entry: MoleNet can achieve persitence on the infected machine by setting the Registry run key.[159] G0021 MoleratsMolerats saved malicious files within the AppData and Startup folders to maintain persistence.[160] S1026 MongallMongall can establish persistence with the auto start function including using the value
Mosquito establishes persistence under the Registry key MuddyWater has added Registry Run key Mustang Panda has created the registry key Naikon has modified a victim's Windows Run registry to establish persistence.[169] S0228 NanHaiShuNanHaiShu modifies the %regrun% Registry to point itself to an autostart mechanism.[170] S0336 NanoCoreNanoCore creates a RunOnce key in the Registry to execute its VBS scripts each time the user logs on to the machine.[171] S0247 NavRATNavRAT creates a Registry key to ensure a file gets executed upon reboot in order to establish persistence.[172] S0630 NebulaeNebulae can achieve persistence through a Registry Run key.[169] S0034 NETEAGLEThe "SCOUT" variant of NETEAGLE achieves persistence by adding itself to the NETWIRE creates a Registry start-up entry to establish persistence.[173][174][110][175] S0385 njRATnjRAT has added persistence via the Registry key NOKKI has established persistence by writing the payload to the Registry key ObliqueRAT can gain persistence by a creating a shortcut in the infected user's Startup directory.[179] S0340 OctopusOctopus achieved persistence by placing a malicious executable in the startup directory and has added the Okrum establishes persistence by creating a .lnk shortcut to itself in the Startup folder.[181] C0006 Operation HoneybeeDuring Operation Honeybee, the threat actors used batch files that allowed them to establish persistence by adding the following Registry key:
During Operation Sharpshooter, a first-stage downloader installed Rising Sun to Patchwork has added the path of its second-stage malware to the startup folder to achieve persistence. One of its file stealers has also persisted by adding a Registry Run key.[184][185] S0124 PisloaderPisloader establishes persistence via a Registry Run key.[186] S0254 PLAINTEEPLAINTEE gains persistence by adding the Registry key PlugX adds Run key entries in the Registry to establish persistence.[188][55][189] S0428 PoetRATPoetRAT has added a registry key in the hive for persistence.[190] S0012 PoisonIvyPoisonIvy creates run key Registry entries pointing to a malicious executable dropped to disk.[191] S0139 PowerDukePowerDuke achieves persistence by using various Registry Run keys.[192] S0441 PowerShowerPowerShower sets up persistence with a Registry run key.[193] S0145 POWERSOURCEPOWERSOURCE achieves persistence by setting a Registry Run key, with the path depending on whether the victim account has user or administrator access.[194] S0194 PowerSploitPowerSploit's POWERTON can install a Registry Run key for persistence.[197] S0113 PrikormkaPrikormka adds itself to a Registry Run key with the name guidVGA or guidVSA.[198] G0056 PROMETHIUMPROMETHIUM has used Registry run keys to establish persistence.[199] S0147 PteranodonPteranodon copies itself to the Startup folder to establish persistence.[200] S0196 PUNCHBUGGYPUNCHBUGGY has been observed using a Registry Run key.[201][202] S0192 PupyPupy adds itself to the startup folder or adds itself to the Registry key A dropper used by Putter Panda installs itself into the ASEP Registry key QakBot can maintain persistence by creating an auto-run Registry key.[205][206][207][208] S0262 QuasarRATIf the QuasarRAT client process does not have administrator privileges it will add a registry key to Ramsay has created Registry Run keys to establish persistence.[211] S0662 RCSessionRCSession has the ability to modify a Registry Run key to establish persistence.[57][212] S0172 ReaverReaver creates a shortcut file and saves it in a Startup folder to establish persistence.[213] S0153 RedLeavesRedLeaves attempts to add a shortcut file in the Startup folder to achieve persistence. If this fails, it attempts to add Registry Run keys.[55][214] S0332 RemcosRemcos can add itself to the Registry key Remexi utilizes Run Registry keys in the HKLM hive as a persistence mechanism.[216] S0379 Revenge RATRevenge RAT creates a Registry key at Rifdoor has created a new registry entry at Rocke's miner has created UPX-packed files in the Windows Start Menu Folder.[219] S0270 RogueRobinRogueRobin created a shortcut in the Windows startup folder to launch a PowerShell script each time the user logs in to establish persistence.[220] S0090 RoverRover persists by creating a Registry entry in RTM tries to add a Registry Run key under the name "Windows Update" to establish persistence.[222] G0048 RTMRTM has used Registry run keys to establish persistence for the RTM Trojan and other tools, such as a modified version of TeamViewer remote desktop software.[222][223] S0253 RunningRATRunningRAT adds itself to the Registry key Ryuk has used the Windows command line to create a Registry entry under S-Type may create a .lnk file to itself that is saved in the Start menu folder. It may also create the Registry key
Saint Bot has established persistence by being copied to the Startup directory or through the Most Sakula samples maintain persistence by setting the Registry Run key SDBbot has the ability to add a value to the Registry Run key to establish persistence if it detects it is running with regular user privilege. [229][230] S0053 SeaDukeSeaDuke is capable of persisting via the Registry Run key or a .lnk file stored in the Startup directory.[231] S0345 SeasaltSeasalt creates a Registry entry to ensure infection after reboot under ServHelper may attempt to establish persistence via the SharpStage has the ability to create persistence for the malware using the Registry autorun key and startup folder.[159] S0444 ShimRatShimRat has installed a registry based start-up key SHIPSHAPE achieves persistence by creating a shortcut in the Startup folder.[38] G0121 SidewinderSidewinder has added paths to executables in the Registry to establish persistence.[235][236][237] G0091 SilenceSilence has used SILENTTRINITY can establish a LNK file in the startup folder for persistence.[239] S1035 Small SieveSmall Sieve has the ability to add itself to Smoke Loader adds a Registry Run key for persistence and adds a script in the Startup folder to deploy the payload.[241] S0649 SMOKEDHAMSMOKEDHAM has used SNUGRIDE establishes persistence through a Registry Run key.[243] S0035 SPACESHIPSPACESHIP achieves persistence by creating a shortcut in the current user's Startup folder.[38] S0058 SslMMTo establish persistence, SslMM identifies the Start Menu Startup directory and drops a link to its own executable disguised as an "Office Start," "Yahoo Talk," "MSN Gaming Z0ne," or "MSN Talk" shortcut.[244] S1037 STARWHALESTARWHALE can establish persistence by installing itself in the startup folder, whereas the GO variant has created a StrongPity can use the Sykipot has been known to establish persistence by adding programs to the Run Registry key.[247] S0663 SysUpdateSysUpdate can use a Registry Run key to establish persistence.[248] S0011 TaidoorTaidoor has modified the TAINTEDSCRIBE can copy itself into the current user’s Startup folder as "Narrator.exe" for persistence.[250] G0139 TeamTNTTeamTNT has added batch scripts to the startup folder.[251] G0027 Threat Group-3390A Threat Group-3390 tool can add the binary’s path to the Registry key ThreatNeedle can be loaded into the Startup folder ( TINYTYPHON installs itself under Registry Run key to establish persistence.[39] S0004 TinyZBotTinyZBot can create a shortcut in the Windows startup folder for persistence.[254] S0266 TrickBotTrickBot establishes persistence in the Startup folder.[255] S0094 Trojan.KaraganyTrojan.Karagany can create a link to itself in the Startup folder to automatically start itself upon system restart.[36][256] G0081 Tropic TrooperTropic Trooper has created shortcuts in the Startup folder to establish persistence.[257][258] S0178 TruvasysTruvasys adds a Registry Run key to establish persistence.[259] S0647 TurianTurian can establish persistence by adding Registry Run keys.[260] G0010 TurlaA Turla Javascript backdoor added a local_update_check value under the Registry key TURNEDUP is capable of writing to a Registry Run key to establish.[262] S0386 UrsnifUrsnif has used Registry Run keys to establish automatic execution at system startup.[263][264] S0136 USBStealerUSBStealer registers itself under a Registry Run key with the name "USB Disk Security."[265] S0207 VasportVasport copies itself to disk and creates an associated run key Registry entry to establish.[266] S0442 VBShowerVBShower used WarzoneRAT can add itself to the Windshift has created LNK files in the Startup folder to establish persistence.[269] S0141 Winnti for WindowsWinnti for Windows can add a service named Wizard Spider has established persistence via the Registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and a shortcut within the startup folder.[271][272] S0341 XbashXbash can create a Startup item for persistence if it determines it is on a Windows system.[273] S0251 ZebrocyZebrocy creates an entry in a Registry Run key for the malware to execute on startup.[274][275][276] S0330 Zeus PandaZeus Panda adds persistence by creating Registry Run keys.[277][278] G0128 ZIRCONIUMZIRCONIUM has created a Registry Run key named Where is registry hive data stored?Most of the supporting files for the hives are in the %SystemRoot%\System32\Config directory. These files are updated each time a user logs on.
Where are startup items stored in the registry?The Run subkey—By far the most common registry location for autorun programs is the Run entry, which you'll find at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
Which hive in the Windows Registry contains the settings for the currently logged in user?HKEY_CLASSES_ROOT HKCR Contains information about file extension associations and the Object Linking and Embedding (OLE) database. HKEY_CURRENT_USER HKCU Contains user information, preferences, and settings for the user that is currently logged on (in this case, you will see your settings).
Which registry hive file contains the Windows user passwords?The Security Account Manager (SAM) is a particular registry hive that stores credentials and account information for local users. User passwords are stored in a hashed format in the SAM registry hive either as an LM hash or an NT hash, depending on Group Policy settings.
|
