Run keys are registry locations that Windows checks when a user logs on.
If an attacker can write a value under one of these keys, Windows can launch the configured command during logon. Run values persist across logons. RunOnce values are intended to execute once and then be removed.
HKCU run keys provide current-user persistence. HKLM run keys affect all users and require local administrator rights.
When enumerating Run key persistence opportunities, try to identify:
- HKCU and HKLM autorun values
- Values pointing to user-writable paths
- Payloads staged before registry writes
- Recently modified autorun keys
- Suspicious value names mimicking vendors
- Use of encoded PowerShell, script hosts or LOLBins
Enumeration
Query current-user Run keys:
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"
Query machine-wide Run keys:
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"
Check 32-bit view on 64-bit Windows:
reg query "HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"
reg query "HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
PowerShell alternatives:
Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
Use Autoruns when available to review logon autoruns quickly.
Interesting findings include:
- Unknown value names under Run or RunOnce
- Values launching from
%APPDATA%,%TEMP%,%LOCALAPPDATA%,C:\Users\PublicorC:\ProgramData - Values executing
powershell.exe,wscript.exe,cscript.exe,mshta.exe,rundll32.exeorregsvr32.exe - Base64 or long command strings
- HKLM Run values created near the time of compromise
Once a writable Run key has been identified, persistence can be added by writing a value that points to the payload.
Persistence
HKCU Run Key
HKCU Run persistence executes when the current user logs on.
- Place the payload in a stable path
- Add a Run value
- Log off and back on
- Verify payload execution
Add a current-user Run value:
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v OneDriveUpdate /t REG_EXPAND_SZ /d "%LOCALAPPDATA%\Microsoft\WindowsApps\updater.exe" /f
PowerShell alternative:
New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "OneDriveUpdate" -PropertyType ExpandString -Value "$env:LOCALAPPDATA\Microsoft\WindowsApps\updater.exe" -Force
Verify:
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v OneDriveUpdate
HKLM Run Key
HKLM Run persistence affects all users and requires administrative rights.
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsTelemetry /t REG_EXPAND_SZ /d "C:\ProgramData\Microsoft\Windows\updater.exe" /f
RunOnce
RunOnce is useful for one-time execution after logon, but it should not be treated as durable persistence.
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v UpdateCheck /t REG_EXPAND_SZ /d "%LOCALAPPDATA%\Microsoft\WindowsApps\updater.exe" /f
Remediation
Patch the weakness:
- Remove unauthorized values from HKCU and HKLM Run and RunOnce keys.
- Delete payload files referenced by removed autorun values.
- Remove writable staging locations used by the payload.
- Restore legitimate autoruns from a known-good baseline if vendor values were modified.
- Restrict administrative rights required to write HKLM autoruns.
Detect abuse:
- Monitor Sysmon Event IDs
12and13for Run and RunOnce key changes. - Review Security Event ID
4657where registry auditing is enabled. - Alert on autoruns pointing to user-writable paths or script interpreters.
- Correlate Run key writes with
reg.exe, PowerShellNew-ItemPropertyorSet-ItemProperty. - Review logon-time process creation from
explorer.exeoruserinit.exethat matches new Run key values.