002. Beyond Good Old Run Key

Hello everyone! Today we're going to talk about a very common sub-technique - T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder. But let's look at an interesting example, of course.

I think almost any malware family uses this sub-technique for persistence. Why? Because Run keys and startup folders are also commonly used by legitimate software to autorun, so this way adversaries may blend in with the compromised environment.

If we look at the MITRE ATT&CK page for this sub-technique, we may notice that there are more interesting registry keys. For example, the one on the screenshot.


It's less common, of course, but recently we observed it being used by the Paper Werewolf activity cluster. And there's quite an interesting thing about it. On one hand, using this key is not very common and may allow adversaries to bypass certain defenses, but on the other hand, the fact that it's not very common makes such behavior really easy to detect!
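To show what "easy to detect" looks like in practice, here is an added example (my own code, not from the post or from any tool it mentions) that triages registry-write telemetry against the autostart locations documented on the ATT&CK T1547.001 page. The input records are constructed and modelled on the fields of Sysmon Event ID 13 (RegistryEvent SetValue: Image, TargetObject, Details); which key the post's screenshot shows is not known here, so the list of "less common" locations is illustrative, and the allowlist of images permitted to touch the ordinary Run keys is an assumption for the sample environment.

```python
"""Triage registry SetValue events against ATT&CK T1547.001 autostart locations.

Writes to the everyday Run/RunOnce keys are only interesting when the writing
process is not on a baseline, because legitimate software uses them all the
time. Writes to the less common locations are rare enough that any hit is
worth an alert on its own, which is the point the post makes.
"""
import re

# Autostart locations taken from the ATT&CK T1547.001 page, hive stripped and
# lower-cased. Keys match any value written under them; value names such as
# Winlogon\Userinit, Winlogon\Shell and BootExecute match exactly.
COMMON_AUTORUN = {
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
}
LESS_COMMON_AUTORUN = {
    r"software\microsoft\windows\currentversion\policies\explorer\run",
    r"software\microsoft\windows\currentversion\runonceex",
    r"software\microsoft\windows\currentversion\runservices",
    r"software\microsoft\windows\currentversion\runservicesonce",
    r"software\microsoft\windows nt\currentversion\winlogon\userinit",
    r"software\microsoft\windows nt\currentversion\winlogon\shell",
    r"software\microsoft\windows\currentversion\explorer\user shell folders\startup",
    r"software\microsoft\windows\currentversion\explorer\shell folders\startup",
    r"system\currentcontrolset\control\session manager\bootexecute",
}

# Sysmon writes hives as HKLM\, HKCR\, HKU\<SID>\ etc.; drop that prefix so
# per-user and machine-wide keys compare the same way.
_HIVE = re.compile(r"^(?:hklm|hkcu|hkcr|hkcc|hku\\[^\\]+)\\", re.IGNORECASE)


def normalise(target_object: str) -> tuple:
    """Strip the hive prefix and split the path into lower-case components."""
    stripped = _HIVE.sub("", target_object.strip())
    return tuple(part for part in stripped.lower().split("\\") if part)


def classify(target_object: str):
    """Return 'common', 'less_common' or None for a registry path.

    Component-wise prefix matching keeps ...\\Run from also matching
    ...\\RunOnceEx, which a plain string prefix check would do.
    """
    parts = normalise(target_object)
    for label, locations in (("common", COMMON_AUTORUN),
                             ("less_common", LESS_COMMON_AUTORUN)):
        for loc in locations:
            loc_parts = tuple(loc.split("\\"))
            if parts[:len(loc_parts)] == loc_parts:
                return label
    return None


# Assumed baseline for the sample environment: images allowed to write the
# ordinary Run keys without raising a finding.
RUN_KEY_ALLOWLIST = {r"c:\program files\microsoft onedrive\onedrive.exe"}


def triage(events):
    """Return (TargetObject, Image, severity) for every event worth a look."""
    findings = []
    for ev in events:
        kind = classify(ev["TargetObject"])
        if kind is None:
            continue
        if kind == "less_common":
            # Rarely used by legitimate software: alert on any write.
            findings.append((ev["TargetObject"], ev["Image"], "high"))
        elif ev["Image"].lower() not in RUN_KEY_ALLOWLIST:
            # Common key, but the writer is not on the baseline.
            findings.append((ev["TargetObject"], ev["Image"], "medium"))
    return findings


# Constructed records shaped like Sysmon Event ID 13 (SetValue) fields.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\svc",
     "Details": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "Details": r"C:\Windows\system32\userinit.exe,C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\BITS\Start",
     "Details": "DWORD (0x00000003)"},
    {"Image": r"C:\Users\alice\Downloads\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\Downloads\setup.exe"},
]

if __name__ == "__main__":
    for target, image, severity in triage(SAMPLE_EVENTS):
        print(f"[{severity}] {image} -> {target}")
```

On the constructed sample the OneDrive write to its own Run value is dropped (common key, baselined image), the BITS service change is ignored (not an autostart location), and the three remaining writes surface as findings, with the two hits on the less common locations rated high purely because of where they land. In a real pipeline the records would come from parsed Sysmon EVTX/XML rather than inline dicts, and the allowlist would be built from your own environment's baseline.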
By the way, if you want to learn more about less common persistence mechanisms, make sure to check Beyond good ol’ Run key at Hexacorn blog!
See you tomorrow!
