Registry Persistence
Overview
Evidence: Registry Items
Description: Enumerate Registry Items
Category: Persistence
Platform: Windows
Short Name: rgstrpr
Is Parsed: Yes - Registry autoruns parsed with file information
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Windows registry contains numerous locations where programs can register themselves to run automatically at system startup, user logon, or specific events. Attackers commonly abuse these registry keys to establish persistence.
The collector examines dozens of known autorun registry locations used by both legitimate software and malware for persistence.
Data Collected
Autoruns Registry Table
| Column | Description | Example |
| --- | --- | --- |
| KeyPath | Full registry key path | HKLM\Software\Microsoft\Windows\CurrentVersion\Run |
| View | Registry view (32-bit or 64-bit) | 256 |
| LastWriteTime | Registry key last write time | 2023-10-15T14:30:00 |
| Is32Bit | Whether this entry comes from the 32-bit registry view | TRUE |
| EntryName | Registry value or entry name | GoogleUpdate |
| CommandLine | Command line to execute | "C:\Program Files\Google\Update\GoogleUpdate.exe" /c |

Additional file information columns describe the main executable referenced by the command line.
Autoruns Registry Arguments Table
| Column | Description | Example |
| --- | --- | --- |
| AutorunsRegistryRowID | Foreign key to the main Autoruns Registry entry | 1 |

Additional file information columns describe each file path found in the entry's arguments.
Collection Method
This collector:
Loads autorun definitions from embedded JSON resource
Searches for registry keys matching patterns
Examines both 32-bit and 64-bit registry views
Parses command lines to extract executables and arguments
Resolves CLSID references to file paths
Collects file information for all referenced executables
Common persistence locations include:
HKLM/HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM/HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Shell extensions and explorer add-ons
Winlogon registry keys
Active Setup entries
And many other documented persistence locations
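The command-line parsing step above is the part most worth seeing in code: an unquoted executable path can contain spaces, the image name may be bare (rundll32.exe) and the real payload may sit in an argument rather than in the executable. The following is an added illustration, not the collector's own code; the registry entries, the set of "existing" files and the environment table are constructed sample data standing in for registry enumeration and a filesystem lookup on the examined system.

```python
import re
from typing import Callable

# Constructed sample of what enumerating Run/RunOnce keys might yield (not real collector output).
SAMPLE_ENTRIES = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "GoogleUpdate",
     r'"C:\Program Files\Google\Update\GoogleUpdate.exe" /c'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r"C:\Program Files\Vendor Tool\tool.exe -silent"),        # unquoted path containing a space
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Loader",
     r"rundll32.exe C:\Users\Public\helper.dll,Start"),         # the file of interest is an argument
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce", "Setup",
     r'%SystemRoot%\system32\cmd.exe /c "C:\Temp\my install.bat"'),
]
# Constructed stand-in for a filesystem lookup; NTFS paths compare case-insensitively.
KNOWN_FILES = {p.lower() for p in (
    r"C:\Program Files\Google\Update\GoogleUpdate.exe", r"C:\Program Files\Vendor Tool\tool.exe",
    r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\cmd.exe")}
ENV = {"SystemRoot": r"C:\Windows"}   # constructed environment of the examined system

def file_exists(path: str) -> bool:
    return path.lower() in KNOWN_FILES

def expand_env(text: str, env: dict) -> str:
    """Expand %VAR% references the way the shell does before the autorun is launched."""
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1), m.group(0)), text)

def split_executable(cmd: str, exists: Callable[[str], bool], env: dict):
    """Return (executable, arguments). A quoted head is taken verbatim; otherwise
    progressively longer space-delimited prefixes are tried, with and without .exe,
    until one names an existing file (the rule CreateProcess applies to unquoted paths)."""
    cmd = expand_env(cmd.strip(), env)
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        end = len(cmd) if end == -1 else end
        return cmd[1:end], cmd[end + 1:].strip()
    tokens = cmd.split(" ")
    for i in range(1, len(tokens) + 1):
        head = " ".join(tokens[:i])
        if "\\" not in head:   # bare image name: resolved from System32 like the loader would
            head = env.get("SystemRoot", r"C:\Windows") + r"\System32" + "\\" + head
        for candidate in (head, head + ".exe"):
            if exists(candidate):
                return candidate, " ".join(tokens[i:]).strip()
    return tokens[0], " ".join(tokens[1:]).strip()   # nothing resolved: keep the first token

PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\[^\s",]+)')

def argument_paths(args: str):
    """File paths embedded in the arguments (quoted paths may contain spaces; a ',' ends an unquoted one)."""
    return [quoted or bare for quoted, bare in PATH_RE.findall(args)]

def parse_entries(entries, exists=file_exists, env=ENV):
    """Produce one row per autorun entry: its executable plus every file path in its arguments."""
    rows = []
    for key, name, cmd in entries:
        exe, args = split_executable(cmd, exists, env)
        rows.append({"KeyPath": key, "EntryName": name, "Executable": exe,
                     "ArgumentPaths": argument_paths(args)})
    return rows
```

Each row's Executable and ArgumentPaths are the paths the collector would then look up to fill the file information columns, which is what lets a Loader entry whose executable is a legitimate rundll32.exe still be triaged on the DLL it loads.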
Usage
Registry persistence enumeration is essential for detecting malware and unauthorized software. Investigators use this data to identify malicious autoruns, detect persistence mechanisms, track installed software that runs at startup, identify suspicious registry modifications, correlate persistence with malware execution, detect Living Off the Land binaries, and validate system baseline configurations.
Known Limitations
Only captures known persistence locations
New or undocumented locations not included
Requires current autorun definition list
Some legitimate software creates many entries
Notes
This collector examines a comprehensive list of known persistence locations based on security research and MITRE ATT&CK techniques. The parsed command lines and file information enable immediate triage of suspicious entries.