This note documents detection patterns related to Registry Run Keys within Windows environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Sysmon | 13 | Registry value set | Critical | Primary detection point for Run / RunOnce persistence creation. Review target key, value name, payload path, user context. |
| Sysmon | 12 | Registry object create/delete | High | Useful when keys are newly created or removed. |
| Security | 4657 | Registry value modified | High | Native registry auditing if enabled. |
| Sysmon | 1 | Process creation | Critical | Hunt for reg.exe, powershell.exe, cmd.exe, mshta.exe writing Run keys. |
| Security | 4688 | Process creation | High | Useful for command-line correlation. |
| Sysmon | 11 | File create | Medium | Payload often written immediately before persistence. |
| PowerShell | 4104 | Script block logging | Critical | Captures New-ItemProperty / Set-ItemProperty activity. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Run key payload in temp path | AppData, Temp, Public | Critical | Strong malicious signal |
| Encoded PowerShell | base64 in registry value | Critical | Common stealth persistence |
| Non-standard autorun location | HKCU used by unexpected account | High | Useful for low-privilege persistence |
| Delayed execution after logon | Payload triggers at user logon | High | Correlate with Security 4624 logon events |
Common Tools
| Tool | Usage |
|---|---|
| reg.exe | Native registry persistence |
| PowerShell | Set-ItemProperty / New-ItemProperty |
| Cobalt Strike | Registry autorun persistence |
| Empire | Registry persistence modules |
| SharpPersist | Common red team persistence |
Relevant Artifacts
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run
- RunOnce keys
- Sysmon 12/13
- Security 4657
- Prefetch for reg.exe / powershell.exe
- Amcache / ShimCache
- MFT / USN for payload drop
MITRE ATT&CK References
- T1547.001 Registry Run Keys / Startup Folder
Decision Tree
- Was Run key created?
- What process wrote it?
- What payload executes?
- Is payload signed / expected?
- Did execution occur after logon?
Example Detection Templates
KQL

```kql
Sysmon
| where EventID == 13
// contains (not has) so the substring match covers both Run and RunOnce value paths
| where TargetObject contains @"\CurrentVersion\Run"
```

Sigma

```yaml
title: Registry Run Key Persistence
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    EventID: 13
    TargetObject|contains: '\CurrentVersion\Run'
  condition: selection
```
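As an added example (not part of the original note), the following Python walks the decision tree above over constructed Sysmon Event ID 13 records: it matches Run and RunOnce targets, names the writing process, and scores the payload against the indirect indicators (user-writable path, encoded PowerShell). Field names follow Sysmon's; the sample events, the severity thresholds and the `-enc` decoder are assumptions of this example, not a published rule.

```python
import base64
import re
# Constructed sample Sysmon Event ID 13 records (field names as Sysmon emits them).
ENC = base64.b64encode("& $env:TEMP\\upd.exe".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe", "Details": r"C:\Users\alice\AppData\Local\Temp\upd.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup", "Details": f"powershell.exe -nop -w hidden -enc {ENC}"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\installer.exe", "Details": r"C:\Program Files\Vendor\agent.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe", "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
]

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?(\\|$)", re.IGNORECASE)  # Run and RunOnce
USER_PATH_RE = re.compile(r"\\(AppData|Temp|Public)\\", re.IGNORECASE)          # indirect indicator
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\b\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
SCRIPT_HOSTS = {"reg.exe", "powershell.exe", "cmd.exe", "mshta.exe"}          # writers worth hunting

def decode_encoded_command(value):
    """Return the decoded -enc payload (base64 of UTF-16LE) or None if absent or undecodable."""
    m = ENCODED_RE.search(value)
    if not m: return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # truncated or non-PowerShell blob: the -enc flag itself is still flagged

def triage(event):
    """Walk the decision tree for one Sysmon 13 event; None when it is not a Run-key value write."""
    if event.get("EventID") != 13 or not RUN_KEY_RE.search(event["TargetObject"]):
        return None
    writer = event["Image"].rsplit("\\", 1)[-1].lower()
    payload = event["Details"]
    reasons = []
    if writer in SCRIPT_HOSTS:
        reasons.append(f"written by {writer}")
    if USER_PATH_RE.search(payload):
        reasons.append("payload in user-writable path")
    if ENCODED_RE.search(payload):
        reasons.append("encoded PowerShell")
    # Two independent indicators -> critical; one -> high; a clean write is still surfaced for the
    # "signed / expected?" check from the decision tree (assumed thresholds).
    severity = "critical" if len(reasons) >= 2 else "high" if reasons else "review"
    return {"key": event["TargetObject"], "writer": writer, "payload": payload,
            "decoded": decode_encoded_command(payload), "severity": severity, "reasons": reasons}

def triage_all(events):
    return [f for f in (triage(e) for e in events) if f]
```

Running `triage_all(SAMPLE_EVENTS)` yields two critical findings (reg.exe writing a Temp payload; PowerShell writing an encoded RunOnce value), one vendor write left for review, and drops the unrelated Explorer setting.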
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Autorun monitoring | Alert on Run keys | Critical | Core coverage |
| PowerShell logging | Enable 4104 | High | Script visibility |