For an attacker, gaining initial access is only half the battle. The real prize is staying there. To maintain their foothold within a compromised system, adversaries rely on a variety of persistence techniques. One of the most common and reliable methods in their playbook is Registry Run Key persistence.
This technique is a favorite for a reason: it’s built into the Windows operating system, it’s effective, and it often flies under the radar of security teams who aren’t actively looking for it.
This article will break down what run key persistence is, how attackers abuse this legitimate Windows feature, and most importantly, how you can add specific hunting techniques to your security program to catch it in the act.
At its core, registry run key persistence is a technique where adversaries embed commands within specific keys in the Windows Registry. These commands are then automatically executed when a user logs in or the system boots up.
This method falls under the MITRE ATT&CK technique T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder. It’s a go-to for achieving persistence and can sometimes be used for privilege escalation. Its widespread use by everyone from sophisticated APT groups to common malware loaders makes it a critical area for blue teams to understand.
This isn’t some obscure, undocumented feature. Attackers are simply abusing the way Windows is designed to work. The OS uses specific registry keys to automatically launch programs on startup for legitimate reasons. Adversaries just add their own malicious entries to this list.
There are two primary types of keys they target:
Run keys: Programs listed here will execute every single time a user logs on. This is perfect for long-term persistence.
RunOnce keys: As the name implies, entries in these keys are executed one time and then typically deleted. This is often used for initial setup or first-stage malware execution.
Threat hunters should be intimately familiar with the following registry paths, as they are the most common targets for this technique:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
If you see a suspicious value or command being written to any of these locations during a sandbox analysis or in your logs, you are likely witnessing this persistence technique firsthand.
RunOnce Keys
Savvy attackers who have read the documentation know a couple of tricks to modify the behavior of RunOnce keys:
The Exclamation Mark (!): Prepending an exclamation mark to the key’s value name forces the key to be deleted after the command executes, rather than before (the default behavior). An attacker might do this to ensure their payload runs successfully before the evidence of the key is removed, preventing a failed execution from deleting the key prematurely.
The Asterisk (*): Adding an asterisk to the value name forces the command to execute even if the system is booted in Safe Mode. This is a clear indicator that an attacker is trying to ensure their malware runs under different system conditions and may suggest a more experienced adversary.
This isn’t just theory. Let’s look at how prominent threat actors have used this technique.
In a 2017 campaign, the group APT37 used spear phishing emails containing malicious Microsoft Office documents. When a user opened the document and enabled scripts, it exploited a vulnerability (CVE-2017-0199) to run a malicious HTA script. As part of its execution, this script created a new run key to load the next stage of its malware, a surveyor tool called “Prinky.” This is a classic example of using run keys as an early-stage persistence mechanism.
The Dragonfly group targeted government and industrial sectors for years. Their multi-stage malware used a downloader that would write a file to disk and then create a registry run key to execute it. To blend in, they named the key NTDLL, masquerading as a legitimate system file. This shows how attackers use run keys in conjunction with other techniques like masquerading to evade detection.
Persistence isn’t limited to just the standard Run and RunOnce keys. In one instance, APT41 used a trial version of Cobalt Strike Beacon and made it persistent by creating a malicious service. They did this by writing the necessary configuration to a ServiceDll value under a service-related registry key. This demonstrates a broader application of registry-based persistence, where attackers manipulate keys tied to specific system functions, like services, to launch their tools.
Now for the actionable part. How can you proactively hunt for this activity in your environment?
Monitor Known Registry Locations: This is your starting point. Use tools to continuously monitor the four primary run key paths listed above. Establish a baseline of what is normal for your systems and hunt for any new or anomalous entries. Attackers still use these paths because they work.
Leverage Windows Event Logs & Sysmon: Your native logs are a goldmine. If you have System Monitor (Sysmon) deployed, you can configure it to generate events for registry modifications (Event IDs 12, 13, and 14). Filter for writes to the CurrentVersion\Run and RunOnce keys.
Utilize OSquery: Tools like OSquery allow you to query the state of your endpoints like a database. You can run queries to periodically check the contents of the startup_items table, which includes these registry run keys, making it easy to spot unauthorized additions across your fleet.
Analyze Network Traffic: While less common, persistence can be set remotely. The Remote Registry Service allows for network-based registry modifications. Monitor your network traffic for unusual remote procedure calls (RPC) related to registry writes, especially if directed at sensitive keys.
Tune Your EDR/NDR: Your Endpoint Detection and Response (EDR) and Network Detection and Response (NDR) tools are your front lines. Ensure they have signatures and behavioral analytics enabled to specifically detect and alert on modifications to common auto-run locations in the registry.
Perform Malware Analysis: When you get a new malware sample, detonate it in a sandbox (like Cuckoo or a vendor-provided one) and watch its behavior. One of the first things you should look for in the analysis report is any attempt to write to the registry, particularly the run keys. This will confirm the malware’s persistence strategy.
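The following added example (not from the original article or any vendor tool) shows the triage logic a hunter could run over Sysmon Event ID 13 (registry value set) records: it matches the four Run/RunOnce paths listed earlier, decodes the "!" and "*" RunOnce modifiers, and flags value names that copy system file names the way Dragonfly's NTDLL key did. The sample events, the SYSTEM_NAMES list and the finding labels are constructed for illustration.

```python
import re

# Sysmon logs HKCU writes as HKU\<SID>\... and HKLM writes as HKLM\...; the pattern covers the
# four Run/RunOnce paths from the article and captures the value name written under them.
RUN_KEY_RE = re.compile(
    r"^(?:HKLM|HKU\\[^\\]+)\\Software\\Microsoft\\Windows\\CurrentVersion\\"
    r"(?P<key>Run|RunOnce)\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)
# Hypothetical short list of system binary names an autorun value should never be called.
SYSTEM_NAMES = {"ntdll", "svchost", "explorer", "lsass", "csrss", "winlogon"}

# Constructed sample Sysmon Event ID 13 (RegistryEvent: value set) records, flattened to dicts.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKU\\S-1-5-21-111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "Details": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\mshta.exe",
     "TargetObject": "HKU\\S-1-5-21-111\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\!*Updater",
     "Details": "C:\\Users\\alice\\AppData\\Roaming\\updater.exe"},
    {"EventID": 13, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\dl.exe",
     "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\NTDLL",
     "Details": "C:\\ProgramData\\ntdll.exe"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\services.exe",
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Foo\\Parameters\\ServiceDll",
     "Details": "C:\\Windows\\System32\\foo.dll"},  # not a Run/RunOnce path: ignored by this rule
]


def triage_event(event):
    """Return hunt findings for one Sysmon event; [] when it is not a Run/RunOnce value write."""
    if event.get("EventID") != 13:
        return []
    m = RUN_KEY_RE.match(event["TargetObject"])
    if not m:
        return []
    value = m.group("value")
    findings = ["run_key_write"]
    if m.group("key").lower() == "runonce":
        prefix = value[:2]  # the two modifiers may appear in either order, so check both leading chars
        if "!" in prefix:
            findings.append("runonce_delete_after_run")  # '!' : key removed only after the command ran
        if "*" in prefix:
            findings.append("runonce_safe_mode")         # '*' : entry still launches in Safe Mode
    if value.lstrip("!*").lower() in SYSTEM_NAMES:
        findings.append("masquerading_system_name")
    return findings


def hunt(events):
    """Map each flagged TargetObject to its findings so an analyst can pivot on the key."""
    return {e["TargetObject"]: f for e in events if (f := triage_event(e))}
```

Feeding a day's worth of exported Sysmon Event ID 13 records through hunt() and diffing the result against yesterday's baseline surfaces exactly the new or anomalous entries the first hunting step above asks for.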
By integrating these checks into your regular threat hunting cycles, you can significantly increase your chances of catching an adversary before they can establish a long-term presence in your environment. Stay vigilant, and happy hunting!
Insane Cyber © All Rights Reserved 2025