An adversary adds a new entry to the \'run keys\' in the Windows registry so that an application of their choosing is executed when a user logs in. In this way, the adversary can get their executable to operate and run on the target system with the authorized user's level of permissions. This attack is a good way for an adversary to run persistent spyware on a user's machine, such as a keylogger.
Description
Attack Execution Flow
3
1
Step 1
Explore[Determine target system] The adversary must first determine the system they wish to target. This attack only works on Windows.
AI Translation
[Determina il sistema target] L'attaccante deve prima determinare il sistema che desidera colpire. Questo attacco funziona solo su Windows.
2
Step 2
Experiment[Gain access to the system] The adversary needs to gain access to the system in some way so that they can modify the Windows registry.
Gain physical access to a system either through shoulder surfing a password or accessing a system that is left unlocked.
Gain remote access to a system through a variety of means.
AI Translation
[Ottenere l'accesso al sistema] L'avversario deve ottenere l'accesso al sistema in qualche modo in modo da poter modificare il registro di Windows.
Ottenere l'accesso fisico a un sistema, ad esempio attraverso shoulder surfing di una password o accedendo a un sistema lasciato sbloccato.
Ottenere l'accesso remoto a un sistema attraverso diverse modalità.
Attack Techniques
-
Gain physical access to a system either through shoulder surfing a password or accessing a system that is left unlocked.
-
Gain remote access to a system through a variety of means.IT: Ottenere l'accesso fisico a un sistema tramite shoulder surfing di una password o accedendo a un sistema lasciato sbloccato.
3
Step 3
Exploit[Modify Windows registry] The adversary will modify the Windows registry by adding a new entry to the 'run keys' referencing a desired program. This program will be run whenever the user logs in.
AI Translation
[Modifica del registro di Windows] L'attore malevolo modificherà il registro di Windows aggiungendo una nuova voce ai "run keys" che fa riferimento a un programma desiderato. Questo programma verrà eseguito ogni volta che l'utente effettua l'accesso.
Mitigations
1
Identify Programs That May Be Used To Acquire Process Information And Block Them By Using A Software Restriction Policy Or Tools That Restrict Program Execution By Using A Process Allowlist.
Consequences
Security Scopes Affected
Integrity
Potential Impacts
Gain Privileges
Modify Data
Relationships
Parent CAPECs
Related ATT&CK Techniques
2
T1547.001
Registry Run Keys / Startup Folder
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. …
T1547.014
Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is …