Several techniques exist to achieve this tactic – an exhaustive list of those techniques is described within the MITRE ATT

Some of the most common techniques exploited by the attackers are:

1. Scheduled Task technique (MITRE T1053.005): Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. Attackers often invent very convincing names for their scheduled tasks, and these can go unnoticed by a less scrutinizing eye.

2. Services Creation technique (MITRE T1543.003): Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions. We should investigate services whose executables are located in an unusual folder. AppData and its subfolders are a notorious example.

3. Startup Items technique (MITRE T1547.001): Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry Run key. Adding an entry to the "Run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. Placing a program within a startup folder will also cause that program to execute when a user logs in. The most common Run keys created by default on Windows systems are:

   - HKCU\Software\Microsoft\Windows\CurrentVersion\Run
   - HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
   - HKLM\Software\Microsoft\Windows\CurrentVersion\Run
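The folder check suggested for services applies equally to scheduled task actions and Run key values. The Python sketch below is an added example, not code from the original post: it extracts the program path from each persistence entry and flags those sitting in AppData or similar folders. The sample entries, the extra folder markers and all function names are assumptions.

```python
import re
from ntpath import normpath  # Windows path rules, usable on any OS

# Folder markers treated as unusual for a persistence target. AppData is the
# example named above; the Temp and Public markers are assumptions added here.
UNUSUAL_DIRS = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
# Environment variables that expand to user-writable folders (also an assumption).
USER_VARS = ("%appdata%", "%localappdata%", "%temp%", "%tmp%", "%public%")
# An unquoted path may contain spaces, so cut at the first script/binary extension.
PROGRAM_END = re.compile(r"^(.*?\.(?:exe|dll|bat|cmd|ps1|vbs|js|scr))(?=\s|$)", re.I)


def extract_target(command):
    """Return the program path from a service ImagePath, Run value or task action."""
    command = command.strip()
    if command.startswith('"'):  # quoted path: everything up to the closing quote
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    match = PROGRAM_END.match(command)
    return match.group(1) if match else command.split(" ")[0]


def is_unusual_location(path):
    """True when the path, after collapsing '..' and '/', sits in a marked folder."""
    lowered = normpath(path).lower()
    return lowered.startswith(USER_VARS) or any(d in lowered for d in UNUSUAL_DIRS)


def triage(entries):
    """entries: (mechanism, name, command) tuples. Returns the ones to review."""
    flagged = []
    for mechanism, name, command in entries:
        target = extract_target(command)
        if is_unusual_location(target):
            flagged.append((mechanism, name, target))
    return flagged


# Constructed sample inventory; names and paths are invented for illustration.
SAMPLE = [
    ("scheduled task", "SystemHealthCheck", r"C:\Users\bob\AppData\Local\Temp\health.exe /q"),
    ("service", "Themes", r"C:\Windows\System32\svchost.exe -k netsvcs -p"),
    ("service", "WinUpdateHelper", r'"C:\Users\bob\AppData\Roaming\wuh\wuh.exe" --svc'),
    ("run key", "Updater", r"%APPDATA%\updater\update.exe"),
    ("run key", "VendorTray", r"C:\Program Files\Vendor App\tray.exe -min"),
]

if __name__ == "__main__":
    for mechanism, name, target in triage(SAMPLE):
        print(f"REVIEW {mechanism:<15} {name:<18} {target}")
```

Per-user installers also run legitimately from AppData, so each hit is a lead to verify rather than a verdict.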