Byte Open Security (ByteOS Network)
CAPEC-270: Modification of Registry Run Keys
Attack Pattern ID: 270
Version: v3.9
Attack Pattern Name: Modification of Registry Run Keys
Abstraction: Detailed
Status: Stable
Likelihood of Attack: Medium
Typical Severity: Medium
Description
An adversary adds a new entry to the "run keys" in the Windows registry so that an application of their choosing is executed when a user logs in. In this way, the adversary can get their executable to operate and run on the target system with the authorized user's level of permissions. This attack is a good way for an adversary to run persistent spyware on a user's machine, such as a keylogger.
Relationships
Nature      Type      ID   Name
ChildOf     Standard  203  Manipulate Registry Information
CanFollow   Standard  555  Remote Services with Stolen Credentials
CanPrecede  Standard  529  Malware-Directed Internal Reconnaissance
CanPrecede  Detailed  568  Capture Credentials via Keylogger
CanPrecede  Standard  646  Peripheral Footprinting
Execution Flow
Explore
  1. Determine target system: The adversary must first determine the system they wish to target. This attack only works on Windows.
Experiment
  1. Gain access to the system: The adversary needs to gain access to the system in some way so that they can modify the Windows registry.
     Techniques:
     - Gain physical access to a system either through shoulder surfing a password or accessing a system that is left unlocked.
     - Gain remote access to a system through a variety of means.
Exploit
  1. Modify Windows registry: The adversary will modify the Windows registry by adding a new entry to the "run keys" referencing a desired program. This program will be run whenever the user logs in.
Prerequisites
The adversary must have gained access to the target system via physical or logical means in order to carry out this attack.
Consequences
Scope      Likelihood  Impact                        Note
Integrity  N/A         Modify Data, Gain Privileges  N/A
Mitigations
Identify programs that may be used to acquire process information and block them by using a software restriction policy or tools that restrict program execution by using a process allowlist.
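The following PowerShell script is an added example of the defensive side of this pattern; it is not part of the CAPEC entry or of ByteOS. It audits the Windows "run keys" named in the Description and Execution Flow above: it enumerates every autostart value under the usual Run/RunOnce keys, flags entries whose executable is missing or lives outside the Windows and Program Files directories, and diffs the current set against a saved baseline so that a newly added entry (the Exploit step of this pattern) stands out. The key list, the trusted-directory heuristic and the baseline file location are this example's own assumptions.

```powershell
# Added example (not CAPEC's or ByteOS's code): read-only audit of Windows
# autostart "run keys". Nothing here modifies the registry.

# Registry keys commonly consulted at logon (assumption: this list is not exhaustive).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Directories from which autostart binaries are normally expected (assumption).
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Get-RunKeyEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            # Get-ItemProperty adds PS* metadata properties; they are not registry values.
            if ($prop.Name -like 'PS*') { continue }
            $cmd = [string]$prop.Value
            # Executable path: the quoted token if present, else the first whitespace-delimited token.
            $exe = if ($cmd -match '^"([^"]+)"') { $matches[1] } else { ($cmd -split '\s+')[0] }
            $expanded = [Environment]::ExpandEnvironmentVariables($exe)
            $exists = ($expanded -ne '') -and (Test-Path -LiteralPath $expanded)
            $inTrusted = $false
            foreach ($root in $trustedRoots) {
                if ($expanded.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
            }
            [pscustomobject]@{
                Key        = $key
                ValueName  = $prop.Name
                Command    = $cmd
                Executable = $expanded
                Exists     = $exists
                # Heuristic: a binary outside the trusted roots, or one that no longer exists,
                # deserves a closer look; it is a signal, not proof of compromise.
                Suspicious = (-not $inTrusted) -or (-not $exists)
            }
        }
    }
}

# Baseline file location is an assumption; pick a protected path in production.
$baselinePath = Join-Path $env:TEMP 'runkeys-baseline.json'
$current = @(Get-RunKeyEntries)

if (-not (Test-Path $baselinePath)) {
    # First run: record what is present now so later runs can report additions.
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $baselinePath
    Write-Host "Baseline of $($current.Count) autostart entries written to $baselinePath"
} else {
    $baseline = @(Get-Content -Path $baselinePath -Raw | ConvertFrom-Json)
    $baseIds  = @($baseline | ForEach-Object { "$($_.Key)|$($_.ValueName)|$($_.Command)" })
    foreach ($entry in $current) {
        $id = "$($entry.Key)|$($entry.ValueName)|$($entry.Command)"
        if ($id -notin $baseIds) { Write-Warning "New autostart entry since baseline: $id" }
    }
}

# Always show the entries the heuristic considers worth reviewing.
$current | Where-Object Suspicious | Format-Table Key, ValueName, Executable, Exists -AutoSize
```

Run it once to write the baseline, then schedule it (or feed its warnings to a SIEM) so that any value added under these keys after the baseline is reported. Reading HKLM keys needs no elevation, so the script can run under an ordinary user account; the heuristic deliberately errs toward false positives, since a legitimate updater installed under a user profile will also be flagged.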
Related Weaknesses
ID      Name
CWE-15  External Control of System or Configuration Setting
Taxonomy Mappings
Taxonomy Name  Entry ID  Entry Name
ATTACK         1547.001  Boot or Logon Autostart Execution: Registry Run Keys / Start Folder
ATTACK         1547.014  Boot or Logon Autostart Execution: Active