Registry Keys Used For Persistence

Description

The search looks for modifications to registry keys that can be used to launch an application or service at system startup.

Content Mapping

This content is not mapped to any local saved search. Add mapping


Use Case

Advanced Threat Detection

Category

Endpoint Compromise

Alert Volume

The search looks for modifications to registry keys that can be used to launch an application or service at system startup.

SPL Difficulty

None

Journey

Stage 1

MITRE ATT&CK Tactics

Persistence
Privilege Escalation

MITRE ATT&CK Techniques

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

MITRE Threat Groups

APT18
APT19
APT29
APT3
APT32
APT33
APT37
APT39
APT41
BRONZE BUTLER
Cobalt Group
Dark Caracal
Darkhotel
Dragonfly 2.0
FIN10
FIN6
FIN7
Gamaredon Group
Gorgon Group
Honeybee
Inception
Ke3chang
Kimsuky
Lazarus Group
Leviathan
Machete
Magic Hound
Molerats
MuddyWater
PROMETHIUM
Patchwork
Putter Panda
RTM
Rocke
Sharpshooter
Silence
Threat Group-3390
Tropic Trooper
Turla
Wizard Spider

Kill Chain Phases

Actions On Objectives

Data Sources

Windows Security

   Help

Registry Keys Used For Persistence Help

To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response products, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.

   Search

Open in Search