run-and-run-once-persistence

Technique Info

Concept Note

• CONCEPT - Registry Run and Run Once Keys

Instructions

With Cobalt Strike

Prerequisite

• reg_set depends on https://github.com/trustedsec/CS-Remote-OPs-BOF

Run

1. Place beacon at %LOCALAPPDATA%\Microsoft\WindowsApps\updater.exe
2. run beacon command: reg_set HKCU Software\Microsoft\Windows\CurrentVersion\Run Updater REG_EXPAND_SZ %LOCALAPPDATA%\Microsoft\WindowsApps\updater.exe

RunOnce

1. Place beacon at %LOCALAPPDATA%\Microsoft\WindowsApps\updater.exe
2. run beacon command: reg_set HKCU Software\Microsoft\Windows\CurrentVersion\RunOnce Updater REG_EXPAND_SZ %LOCALAPPDATA%\Microsoft\WindowsApps\updater.exe

Without Cobalt Strike

Using reg.exe Command Line

Run (Persistent)

1. Place payload at %LOCALAPPDATA%\Microsoft\WindowsApps\updater.exe
2. Add registry entry:

   reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Updater" /t REG_EXPAND_SZ /d "%LOCALAPPDATA%\Microsoft\WindowsApps\updater.exe" /f

RunOnce (Single Execution)

1. Place payload at %LOCALAPPDATA%\Microsoft\WindowsApps\updater.exe

2. Add registry entry:

   reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v "Updater" /t REG_EXPAND_SZ /d "%LOCALAPPDATA%\Microsoft\WindowsApps\updater.exe" /f

Using PowerShell

Run (Persistent)

1. Place payload at %LOCALAPPDATA%\Microsoft\WindowsApps\updater.exe

2. Add registry entry:

   Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "Updater" -Value "$env:LOCALAPPDATA\Microsoft\WindowsApps\updater.exe"

RunOnce (Single Execution)

1. Place payload at %LOCALAPPDATA%\Microsoft\WindowsApps\updater.exe

2. Add registry entry:

   Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce" -Name "Updater" -Value "$env:LOCALAPPDATA\Microsoft\WindowsApps\updater.exe"

Verification

• Check registry entries:

  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"

• Or with PowerShell:

  Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
  Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce"

Cleanup

• Remove registry entries:

  reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Updater" /f
  reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v "Updater" /f

Related

Related Notes

All Related Notes

TABLE file.ctime as "Created", tags as "Tags"
FROM "New Notes"
WHERE contains(tags, "windows") OR contains(tags, "active-directory") OR contains(tags, "persistence")
SORT file.ctime DESC

windows

TABLE file.ctime as "Created", tags as "Tags"
FROM "New Notes"
WHERE contains(tags, "windows")
SORT file.ctime DESC

active-directory

TABLE file.ctime as "Created", tags as "Tags"
FROM "New Notes"
WHERE contains(tags, "active-directory")
SORT file.ctime DESC

persistence

TABLE file.ctime as "Created", tags as "Tags"
FROM "New Notes"
WHERE contains(tags, "persistence")
SORT file.ctime DESC