Registry Run Key Persistence
What is Registry Run Key Persistence?
Classic Windows persistence technique that adds an entry under a Run or RunOnce registry key so a binary or script executes every time a user logs on.
Registry Run-key persistence (MITRE ATT&CK T1547.001) uses well-known autorun locations such as HKCU\Software\Microsoft\Windows\CurrentVersion\Run, the matching HKLM hive, RunOnce, and the Startup folder shortcut keys. When the targeted user logs on, userinit/explorer reads these values and launches each command. The technique is simple, requires no admin rights for HKCU, and is still effective on monitored hosts because the keys also host countless legitimate updaters. Variants include using long binary names, RunOnceEx, and obscure keys like StartupApproved. Detection focuses on Sysmon event 13 (registry value set), baselining expected autoruns with tools like Autoruns, and alerting on values referencing user-writable paths.
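The detection approach described above (Sysmon event 13, a baseline of expected autoruns, and alerting on user-writable paths) as an added, runnable example that is not part of the original page. It parses a few constructed Sysmon Event ID 13 messages, keeps only writes to the Run-key family, drops entries present in a constructed Autoruns-style baseline, and raises the severity when the executable resolves to a location a standard user can write to. The user name, SID, vendor path and environment-variable expansions are placeholders assumed for the example.

```python
"""Flag suspicious Run/RunOnce writes in Sysmon Event ID 13 (registry value set) records.
All sample data below is constructed; SIDs, user name and vendor paths are placeholders."""
import re

# Autorun locations in the Run-key family (incl. Wow6432Node and Explorer's StartupApproved keys).
AUTORUN_KEY_RE = re.compile(
    r"\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\"
    r"(?:Run|RunOnce|RunOnceEx|Explorer\\StartupApproved\\(?:Run|Run32|StartupFolder))\\",
    re.IGNORECASE,
)
# Directory prefixes a standard user can normally write to (lower-case, expanded form).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "c:\\temp\\")
# Assumed expansions; on a real host take them from the logged-on user's environment.
ENV = {
    "appdata": r"C:\Users\alice\AppData\Roaming", "localappdata": r"C:\Users\alice\AppData\Local",
    "temp": r"C:\Users\alice\AppData\Local\Temp", "tmp": r"C:\Users\alice\AppData\Local\Temp",
    "userprofile": r"C:\Users\alice", "programdata": r"C:\ProgramData", "public": r"C:\Users\Public",
    "programfiles": r"C:\Program Files", "systemroot": r"C:\Windows", "windir": r"C:\Windows",
}
# Constructed baseline (what an Autoruns export of a clean host would contain): (key, value, exe).
BASELINE = {
    ("hklm\\software\\microsoft\\windows\\currentversion\\run", "exampleupdater",
     "c:\\program files\\examplevendor\\updater\\updater.exe"),
}
# Constructed Sysmon Event ID 13 message bodies.
SAMPLE_EVENTS = [
    r"""EventType: SetValue
UtcTime: 2024-05-01 09:12:44.101
Image: C:\Program Files\ExampleVendor\Updater\updater.exe
TargetObject: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater
Details: "C:\Program Files\ExampleVendor\Updater\updater.exe" /background""",
    r"""EventType: SetValue
UtcTime: 2024-05-01 09:13:02.517
Image: C:\Users\alice\AppData\Local\Temp\stage1.exe
TargetObject: HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater
Details: %AppData%\loader.exe""",
    r"""EventType: SetValue
UtcTime: 2024-05-01 09:13:05.002
Image: C:\Windows\System32\reg.exe
TargetObject: HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup
Details: C:\Users\alice\AppData\Local\Temp\setup.exe /S""",
    r"""EventType: SetValue
UtcTime: 2024-05-01 09:14:10.330
Image: C:\Windows\explorer.exe
TargetObject: HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
Details: DWORD (0x00000001)""",
]


def parse_sysmon_message(text):
    """Turn the 'Field: value' lines of a Sysmon message into a dict (split on the first colon)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def expand_env(path):
    """Expand %VAR% references with the placeholder table; unknown variables are left as-is."""
    return re.sub(r"%([^%]+)%", lambda m: ENV.get(m.group(1).lower(), m.group(0)), path)


def first_token(command):
    """Executable part of a registry command: a quoted path whole, else up to the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(None, 1)[0] if command else ""


def is_user_writable(exe):
    """True if the executable sits in a user-writable directory, or is not an absolute path
    (then it is resolved via cwd/PATH, which the user influences)."""
    p = expand_env(exe).lower()
    if not re.match(r"^[a-z]:\\", p):
        return True
    return p.startswith(USER_WRITABLE_PREFIXES) or "\\appdata\\" in p or "\\temp\\" in p


def normalize_key(key):
    """Map Sysmon's HKU\\<SID>\\... form onto HKCU so the baseline is user-independent."""
    return re.sub(r"^HKU\\S-1-5-[\d-]+\\", lambda m: "HKCU\\", key, flags=re.IGNORECASE).lower()


def analyze(events, baseline):
    """One finding per write to a Run-family key that the baseline does not cover."""
    findings = []
    for text in events:
        ev = parse_sysmon_message(text)
        target = ev.get("TargetObject", "")
        if ev.get("EventType") != "SetValue" or not AUTORUN_KEY_RE.search(target):
            continue  # not an autorun location
        key, _, value_name = target.rpartition("\\")
        command = ev.get("Details", "")
        exe = first_token(command)
        if (normalize_key(key), value_name.lower(), expand_env(exe).lower()) in baseline:
            continue  # known-good entry from the baseline
        reasons = ["autorun value not in baseline"]
        if is_user_writable(exe):
            reasons.append("executable resolves to a user-writable location")
        findings.append({"utc_time": ev.get("UtcTime", ""), "writer": ev.get("Image", ""),
                         "key": key, "value_name": value_name, "command": command,
                         "severity": "high" if len(reasons) > 1 else "medium", "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS, BASELINE):
        print(f["severity"].upper(), f["value_name"], f["command"], "|", "; ".join(f["reasons"]))
```

Run as-is, the script reports the page's two examples (the HKCU "Updater" value pointing at %AppData% and the RunOnce installer in a Temp folder) as high severity and ignores both the baselined vendor updater and the unrelated Explorer setting. The baseline should be keyed on key, value name and expanded executable path together, as above; matching on the value name alone lets an attacker reuse a legitimate-looking name such as "Updater".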
● Examples
- 01: An attacker writes "Updater" = "%AppData%\loader.exe" under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
- 02: Using RunOnce to execute a one-time installer that drops a service for long-term persistence.
● Frequently asked questions
What is Registry Run Key Persistence?
Classic Windows persistence technique that adds an entry under a Run or RunOnce registry key so a binary or script executes every time a user logs on. It belongs to the Attacks & Threats category of cybersecurity.
How do you defend against Registry Run Key Persistence?
Defences for Registry Run Key Persistence combine technical controls and operational practices: monitor Sysmon event 13 for values written under the Run and RunOnce keys, baseline the expected autoruns with a tool such as Autoruns, and alert on values that reference user-writable paths, as detailed in the full definition above.
What are other names for Registry Run Key Persistence?
Common alternative names include: Run key persistence, Autorun key persistence.
● Related terms
- Scheduled Task Persistence (attacks № 975): Persistence and execution technique in which an attacker creates or modifies a Windows scheduled task to run their payload on a trigger such as logon, boot, or a timer.
- WMI Event Subscription Persistence (attacks № 1246): Persistence technique that registers a permanent WMI event filter and consumer so attacker code runs whenever a chosen system event occurs.
- COM Hijacking (attacks № 200): A persistence technique that redirects a Windows Component Object Model CLSID lookup to attacker code, executing it whenever a host process instantiates that object.
- IFEO Injection (attacks № 515): A persistence and privilege-escalation technique that abuses the Windows Image File Execution Options registry key to run attacker code whenever a target executable launches.
- AppInit_DLLs (attacks № 054): Legacy Windows persistence technique that abuses a registry value so a specified DLL is loaded into every user-mode process linking user32.dll.
- DLL Hijacking (attacks № 331): An attack that abuses the Windows DLL search order to make a legitimate program load an attacker-controlled library instead of the intended one.
● See also
- Cron Persistence (№ 238)
- launchd Persistence (№ 608)