
Introduction
Attackers frequently abuse Windows Registry Run keys (T1547.001) to maintain persistence on compromised systems. While traditional `reg.exe` modifications are well-documented, adversaries increasingly leverage PowerShell, VBScript, regini.exe, and `mshta.exe` to evade detection. This article explores detection strategies, including Sysmon logging, script-block auditing, and SACL monitoring, to uncover these stealthy persistence mechanisms.
Learning Objectives
- Understand how attackers exploit Registry Run keys beyond reg.exe.
- Learn to detect stealthy persistence via Sysmon, PowerShell logging, and SACLs.
- Implement defensive measures to mitigate Run key abuse.
You Should Know
1. Detecting Run Key Modifications with Sysmon
Attackers often modify Registry Run keys using:
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MaliciousEntry" /t REG_SZ /d "C:\malware.exe" /f
Detection Steps:
- Enable Sysmon Event ID 13 (Registry value set):
<RuleGroup name="" groupRelation="or">
  <RegistryEvent onmatch="include">
    <!-- Match writes under any Run key; the rule name tags the event with the technique ID -->
    <TargetObject name="technique_id=T1547.001,technique_name=Registry Run Keys" condition="contains">CurrentVersion\Run</TargetObject>
  </RegistryEvent>
</RuleGroup>
- Monitor for suspicious parent processes (e.g., mshta.exe, powershell.exe).
2. PowerShell Script-Block Logging for Stealthy Modifications
Attackers may use PowerShell to modify Run keys:
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "Backdoor" -Value "C:\evil.exe"
Detection Steps:
1. Enable PowerShell Script Block Logging:
New-Item -Path "HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Force
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name "EnableScriptBlockLogging" -Value 1
2. Review Event ID 4104 for suspicious registry modifications.
3. Monitoring Startup Folders with SACLs
Attackers may bypass Run keys by dropping shortcuts in Startup folders.
Detection Steps:
1. Audit File Access with SACLs:
auditpol /set /subcategory:"File System" /success:enable
$startup = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
$acl = Get-Acl -Path $startup -Audit
# Audit (SACL) entry for successful writes and deletes by anyone, inherited by new files and subfolders
$acl.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule("Everyone", "Write,Delete", "ContainerInherit,ObjectInherit", "None", "Success")))
Set-Acl -Path $startup -AclObject $acl
2. Monitor Event ID 4663 (File access auditing) for unexpected writes.
4. Hunting for LOLBin-Based Persistence (regini.exe, mshta.exe)
Attackers abuse trusted binaries (regini.exe, mshta.exe) to modify Run keys stealthily.
Detection Steps:
1. Log Process Creation (Sysmon Event ID 1):
<RuleGroup name="" groupRelation="or">
  <ProcessCreate onmatch="include">
    <CommandLine condition="contains">regini.exe</CommandLine>
    <CommandLine condition="contains">mshta.exe</CommandLine>
  </ProcessCreate>
</RuleGroup>
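As an added example (not code from the original article), the following Python triage script applies the Run-key checks from sections 1, 2 and 4 to exported Sysmon Event ID 13 records: it flattens the event XML, matches value sets under any Run or RunOnce key in any hive, and ranks writes made by the script hosts and LOLBins named above higher than writes made by reg.exe. The sample events are constructed; wscript.exe and cscript.exe are added here as the hosts for the VBScript case the article mentions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed Sysmon Event ID 13 (RegistryEvent: value set) records in Sysmon's XML
# layout. They are sample data for this example, not captured telemetry.
SAMPLE_EVENTS = [
    '<Event><System><EventID>13</EventID></System><EventData>'
    '<Data Name="Image">C:\\Windows\\System32\\reg.exe</Data>'
    '<Data Name="TargetObject">HKU\\S-1-5-21-1-1-1-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MaliciousEntry</Data>'
    '<Data Name="Details">C:\\malware.exe</Data></EventData></Event>',
    '<Event><System><EventID>13</EventID></System><EventData>'
    '<Data Name="Image">C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Data>'
    '<Data Name="TargetObject">HKU\\S-1-5-21-1-1-1-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Backdoor</Data>'
    '<Data Name="Details">C:\\evil.exe</Data></EventData></Event>',
    '<Event><System><EventID>13</EventID></System><EventData>'
    '<Data Name="Image">C:\\Windows\\explorer.exe</Data>'
    '<Data Name="TargetObject">HKU\\S-1-5-21-1-1-1-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden</Data>'
    '<Data Name="Details">DWORD (0x00000001)</Data></EventData></Event>',
]

# Run and RunOnce keys under any hive (HKLM, HKU\<SID>, Wow6432Node paths).
RUN_KEY_RE = re.compile(r'\\CurrentVersion\\Run(Once)?\\', re.IGNORECASE)
# Script hosts and LOLBins the article flags as stealthy Run-key writers (wscript/cscript assumed for VBScript).
SUSPICIOUS_WRITERS = {'powershell.exe', 'mshta.exe', 'regini.exe', 'wscript.exe', 'cscript.exe'}

def parse_sysmon_event(xml_text):
    """Flatten one Sysmon event into {'EventID': int, '<Data Name>': value}, ignoring any XML namespace."""
    event = {}
    for node in ET.fromstring(xml_text).iter():
        tag = node.tag.rsplit('}', 1)[-1]  # real exports prefix tags with '{namespace}'
        if tag == 'EventID':
            event['EventID'] = int(node.text)
        elif tag == 'Data':
            event[node.get('Name')] = node.text or ''
    return event

def classify_run_key_write(event):
    """Return a finding for a Run-key value set, or None for any other event."""
    if event.get('EventID') != 13 or not RUN_KEY_RE.search(event.get('TargetObject', '')):
        return None
    writer = event.get('Image', '').rsplit('\\', 1)[-1].lower()
    # reg.exe is the well-documented, noisy route; script hosts and LOLBins are the stealthy variants.
    severity = 'high' if writer in SUSPICIOUS_WRITERS else 'medium'
    return {'severity': severity, 'writer': writer,
            'key': event['TargetObject'], 'value': event.get('Details', '')}

def hunt(xml_events):
    """Classify a batch of Sysmon events and keep only the Run-key findings."""
    results = (classify_run_key_write(parse_sysmon_event(e)) for e in xml_events)
    return [f for f in results if f is not None]
```

On a live host, `Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational -FilterXPath '*[System[EventID=13]]' | ForEach-Object { $_.ToXml() }` produces records in this form (with a namespace on `<Event>`, which the parser tolerates) that can be fed to `hunt()`.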
5. Mitigating Run Key Persistence
Defensive Measures:
1. Restrict Registry Modifications via GPO:
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name "DisableRegistryTools" -Value 1
2. Enable Attack Surface Reduction (ASR) Rules:
Add-MpPreference -AttackSurfaceReductionRules_Ids 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -AttackSurfaceReductionRules_Actions Enabled
What Undercode Say
- Key Takeaway 1: Attackers increasingly use LOLBins (regini.exe, mshta.exe) to modify Run keys, bypassing traditional detection.
- Key Takeaway 2: Comprehensive logging (Sysmon, PowerShell, SACLs) is essential to detect stealthy persistence.
Analysis:
While Run key abuse is a well-known technique, attackers continue evolving their methods to evade detection. Organizations must adopt multi-layered logging (registry, process, file) and restrict unnecessary registry modifications. Future threats may leverage AI-driven obfuscation, making behavioral analysis critical.
Prediction
As endpoint detection improves, attackers will shift toward more fileless and LOLBin-heavy persistence techniques. AI-powered malware may dynamically alter registry keys, requiring adaptive defenses like real-time memory analysis and stricter application control.
Reported By: Nextron Systems – Hackers Feeds