Detect Registry Run Keys / Startup Folder in IBM QRadar
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the 'run keys' in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level. The following run keys are created by default on Windows systems: HKCU\Software\Microsoft\Windows\CurrentVersion\Run, HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce, HKLM\Software\Microsoft\Windows\CurrentVersion\Run, and HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce. Additional persistence can be achieved through the Startup folder at C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup and the system-wide C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp. The BootExecute value under Session Manager and the load value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows are also abusable.
MITRE ATT&CK
- Tactic: Persistence, Privilege Escalation
- Technique: T1547 Boot or Logon Autostart Execution
- Sub-technique: T1547.001 Registry Run Keys / Startup Folder
- Canonical reference: https://attack.mitre.org/techniques/T1547/001/
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
LOGSOURCENAME(logsourceid) AS LogSource,
"username" AS User,
"RegistryKey",
"RegistryValueName",
"RegistryValueData",
"Image" AS ProcessImage,
"CommandLine",
sourceip,
CASE
WHEN "RegistryValueData" ILIKE '%\\Temp\\%'
OR "RegistryValueData" ILIKE '%\\Downloads\\%'
OR "RegistryValueData" ILIKE '%\\Public\\%'
OR "RegistryValueData" ILIKE '%Recycle.Bin%'
OR "RegistryValueData" ILIKE '%\\ProgramData\\%'
THEN 1 ELSE 0
END AS SuspiciousPath,
CASE
WHEN "RegistryValueData" IMATCHES '.*\\.(vbs|js|bat|cmd|ps1|hta|wsh|wsf)\\b.*'
THEN 1 ELSE 0
END AS ScriptExt
FROM events
WHERE LOGSOURCETYPEID = 12
AND CATEGORYNAME(category) IN ('Registry Value Set', 'Registry Key Created', 'Registry Key Renamed')
AND (
"RegistryKey" ILIKE '%\\CurrentVersion\\Run%'
OR "RegistryKey" ILIKE '%\\CurrentVersion\\RunOnce%'
OR "RegistryKey" ILIKE '%\\CurrentVersion\\RunOnceEx%'
OR "RegistryKey" ILIKE '%\\CurrentVersion\\RunServices%'
OR "RegistryKey" ILIKE '%\\CurrentVersion\\Policies\\Explorer\\Run%'
OR "RegistryKey" ILIKE '%\\Windows NT\\CurrentVersion\\Windows%'
OR "RegistryKey" ILIKE '%\\Control\\Session Manager\\BootExecute%'
)
AND "Image" NOT ILIKE '%\\msiexec.exe'
AND "Image" NOT ILIKE '%\\TrustedInstaller.exe'
AND "Image" NOT ILIKE '%\\TiWorker.exe'
AND "Image" NOT ILIKE '%\\ccmexec.exe'
AND "Image" NOT ILIKE '%\\MpSigStub.exe'
AND (
"RegistryValueData" ILIKE '%\\Temp\\%'
OR "RegistryValueData" ILIKE '%\\Downloads\\%'
OR "RegistryValueData" ILIKE '%\\Public\\%'
OR "RegistryValueData" ILIKE '%Recycle.Bin%'
OR "RegistryValueData" ILIKE '%\\ProgramData\\%'
OR "RegistryValueData" IMATCHES '.*\\.(vbs|js|bat|cmd|ps1|hta|wsh|wsf)\\b.*'
)
ORDER BY starttime DESC
LAST 24 HOURS

QRadar AQL query over Sysmon registry events (Event IDs 12/13/14) that detects Run key persistence where the registered executable path points to a writable or otherwise suspicious location, or uses a script file extension. It filters out known-good Windows maintenance processes and enriches each row with SuspiciousPath and ScriptExt flags. The script-extension test uses IMATCHES, AQL's case-insensitive regular-expression operator, because AQL has no SIMILAR TO; the word boundary after the extension keeps '.js' from also matching '.json'.
False Positives & Tuning
- Third-party antivirus or endpoint security products updating their own Run key entries from ProgramData subdirectories during definition or engine updates
- Enterprise software deployment tools (IBM BigFix, SCCM client) writing run keys referencing scripts in temporary staging directories during patch cycles
- User-installed productivity applications (e.g., AutoHotkey scripts, Outlook macros) registered via Run key pointing to scripts in user AppData or Documents folders
Testing Methodology
Validate this detection against the four Atomic Red Team test cases below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Registry Run Key Persistence (HKCU)
  Expected signal: Sysmon Event ID 13: RegistryValueSet on HKCU\Software\Microsoft\Windows\CurrentVersion\Run with ValueName 'df00tech-test' and Details 'C:\Windows\System32\calc.exe'. MDE DeviceRegistryEvents with ActionType 'RegistryValueSet'.
- Test 2: Startup Folder Persistence via Batch Script
  Expected signal: Sysmon Event ID 11: FileCreate for df00tech-test.bat in the Startup folder path. Security Event ID 4688 showing cmd.exe creating the file.
- Test 3: RunOnceEx Dependency DLL Loading
  Expected signal: Sysmon Event ID 12: Registry key created for RunOnceEx\0001\Depend. Sysmon Event ID 13: Value set with DLL path. MDE DeviceRegistryEvents captures both the key creation and value set.
- Test 4: HKLM Run Key via PowerShell
  Expected signal: Sysmon Event ID 13: RegistryValueSet with Image=powershell.exe. Sysmon Event ID 1: Process creation for powershell.exe with the Set-ItemProperty command. PowerShell ScriptBlock Log Event ID 4104.
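The following is an added example, not code from the page or from the vendor's detection package. It re-implements the AQL query's WHERE clause and its two flag columns in plain Python so the logic can be checked offline against the test cases above: the run-key path match, the allowlisted installer images, the SuspiciousPath fragments and the ScriptExt extension test. The RegistryEvent dataclass and every record in SAMPLE_EVENTS are constructed samples modelled on the expected signals, not telemetry from a real host. Running it shows one point worth knowing before validating: the Test 1 write (calc.exe in System32) is a genuine Run key modification, but it satisfies neither the suspicious-path nor the script-extension condition, so Sysmon will log Event ID 13 while this particular query returns no row for it.

```python
"""Offline re-implementation of the page's QRadar AQL filter over constructed
Sysmon registry records. Field names follow the AQL columns (RegistryKey,
RegistryValueName, RegistryValueData, Image). All records are constructed."""
import re
from dataclasses import dataclass
from typing import Optional

# "RegistryKey" ILIKE '%\\CurrentVersion\\Run%' OR ...  (case-insensitive substring)
RUN_KEY_FRAGMENTS = [
    "\\CurrentVersion\\Run",
    "\\CurrentVersion\\RunOnce",
    "\\CurrentVersion\\RunOnceEx",
    "\\CurrentVersion\\RunServices",
    "\\CurrentVersion\\Policies\\Explorer\\Run",
    "\\Windows NT\\CurrentVersion\\Windows",
    "\\Control\\Session Manager\\BootExecute",
]
# SuspiciousPath CASE branch: writable / drop locations
SUSPICIOUS_PATH_FRAGMENTS = ["\\Temp\\", "\\Downloads\\", "\\Public\\", "Recycle.Bin", "\\ProgramData\\"]
# ScriptExt: extension list from the query; the word boundary stops '.js' matching '.json'
SCRIPT_EXT_RE = re.compile(r"\.(vbs|js|bat|cmd|ps1|hta|wsh|wsf)\b", re.IGNORECASE)
# "Image" NOT ILIKE '%\\msiexec.exe' AND ...  (suffix match on the image path)
ALLOWLISTED_IMAGES = ["msiexec.exe", "trustedinstaller.exe", "tiworker.exe", "ccmexec.exe", "mpsigstub.exe"]
REGISTRY_CATEGORIES = {"Registry Value Set", "Registry Key Created", "Registry Key Renamed"}


@dataclass
class RegistryEvent:
    category: str
    registry_key: str
    registry_value_name: str
    registry_value_data: str
    image: str


def is_run_key(key: str) -> bool:
    k = key.lower()
    return any(frag.lower() in k for frag in RUN_KEY_FRAGMENTS)


def suspicious_path(data: str) -> bool:
    d = data.lower()
    return any(frag.lower() in d for frag in SUSPICIOUS_PATH_FRAGMENTS)


def script_ext(data: str) -> bool:
    return SCRIPT_EXT_RE.search(data) is not None


def image_allowlisted(image: str) -> bool:
    img = image.lower()
    return any(img.endswith("\\" + name) for name in ALLOWLISTED_IMAGES)


def evaluate(ev: RegistryEvent) -> Optional[dict]:
    """Mirror the AQL WHERE clause: None when the row is dropped, else the two flag columns."""
    if ev.category not in REGISTRY_CATEGORIES or not is_run_key(ev.registry_key):
        return None
    if image_allowlisted(ev.image):
        return None
    flags = {"SuspiciousPath": int(suspicious_path(ev.registry_value_data)),
             "ScriptExt": int(script_ext(ev.registry_value_data))}
    if not (flags["SuspiciousPath"] or flags["ScriptExt"]):
        return None
    return flags


def run_detection(events) -> list:
    """Return [(RegistryValueName, flags)] for the events the query would surface."""
    hits = []
    for ev in events:
        flags = evaluate(ev)
        if flags is not None:
            hits.append((ev.registry_value_name, flags))
    return hits


# Constructed samples. The first mirrors the Test 1 expected signal (calc.exe in
# System32): a Run key write, but neither flag fires, so the query drops it.
SAMPLE_EVENTS = [
    RegistryEvent("Registry Value Set",
                  "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                  "df00tech-test", "C:\\Windows\\System32\\calc.exe",
                  "C:\\Windows\\regedit.exe"),
    RegistryEvent("Registry Value Set",
                  "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                  "Updater", "wscript.exe C:\\Users\\alice\\AppData\\Local\\Temp\\upd.vbs",
                  "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"),
    RegistryEvent("Registry Key Created",  # Test 3 shape: RunOnceEx dependency DLL
                  "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend",
                  "1", "C:\\Users\\Public\\dep.dll",
                  "C:\\Windows\\System32\\reg.exe"),
    RegistryEvent("Registry Value Set",  # allowlisted installer image, dropped
                  "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                  "VendorAgent", "C:\\ProgramData\\Vendor\\agent.exe",
                  "C:\\Windows\\System32\\msiexec.exe"),
    RegistryEvent("Registry Value Set",  # Explorer\RunMRU is not a Run key
                  "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU",
                  "a", "notepad\\1", "C:\\Windows\\explorer.exe"),
]

if __name__ == "__main__":
    for name, flags in run_detection(SAMPLE_EVENTS):
        print(name, flags)
```

Only the Temp-hosted .vbs and the RunOnceEx dependency under \Public\ survive the filter; the calc.exe write, the msiexec.exe-authored entry and the RunMRU write are dropped for the reasons the query encodes. Swapping in your own exported Sysmon rows as RegistryEvent records is a quick way to check a tuning change before editing the AQL.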
References (8)
- https://attack.mitre.org/techniques/T1547/001/
- https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
- https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry_set
- https://web.archive.org/web/20160214140250/http://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order
- https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry
- https://blog.malwarebytes.com/cybercrime/2013/10/hiding-in-plain-sight/
Unlock Pro Content
Get the full detection package for T1547.001 including response playbook, investigation guide, and atomic red team tests.