Registry
This persistence technique creates a registry key and value of your choosing. For the registry keys this module supports, see the "TABLE OF SUPPORTED REGISTRY KEYS" section below. You supply a registry key code, a value name (where the key does not have a pre-defined one) and the system command to execute.
Non-admin privileges (admin privileges are required for the HKLM keys; see the table below)
- -c - command to execute
- -a - arguments to command to execute (if applicable)
- -k - registry key to modify
- -v - registry value to create/delete
- -m - method (add, remove, check, list)
- -o - optional add-on for env variable obfuscation (env) if applicable
- hklmrun - HKLM\Software\Microsoft\Windows\CurrentVersion\Run
- hklmrunonce - HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
- hklmrunonceex - HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
- hkcurun - HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- hkcurunonce - HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
The registry keys below have pre-defined value names, so no value (-v) needs to be specified for them. The "env" optional add-on is not supported for keys with pre-defined value names.
- logonscript - HKCU\Environment\UserInitMprLogonScript
- stickynotes - HKCU\Software\Microsoft\Windows\CurrentVersion\Run\RESTART_STICKY_NOTES
- userinit - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
| Registry Key Code (-k) | Registry Key | Registry Value | Admin Privileges Required? | Supports Env Optional Add-On (-o env)? |
|---|---|---|---|---|
| hkcurun | HKCU\Software\Microsoft\Windows\CurrentVersion\Run | User supplied | No | Yes |
| hkcurunonce | HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce | User supplied | No | Yes |
| logonscript | HKCU\Environment | UserInitMprLogonScript | No | No |
| stickynotes | HKCU\Software\Microsoft\Windows\CurrentVersion\Run | RESTART_STICKY_NOTES | No | No |
| hklmrun | HKLM\Software\Microsoft\Windows\CurrentVersion\Run | User supplied | Yes | Yes |
| hklmrunonce | HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce | User supplied | Yes | Yes |
| hklmrunonceex | HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx | User supplied | Yes | Yes |
| userinit | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | Userinit | Yes | No |
- If the environment optional add-on (-o env) is used, the command and its arguments are not written to the autorun key directly. They are stored under the value name you supply in the environment registry key of the matching hive:
  - For HKCU - HKCU\Environment
  - For HKLM - HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
- The autorun registry key you specify then receives the value with data %value%. When the autorun value is processed, %value% is expanded from the environment key above, whose value holds the actual command and arguments you specified.
- When removing with the environment optional add-on (-o env), both the autorun key's value and its associated environment key value are removed.
```
SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "hkcurun" -v "Test Stuff" -m add
SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "hkcurun" -v "Test Stuff" -m add -o env
SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "logonscript" -m add
SharPersist -t reg -k "hkcurun" -v "Test Stuff" -m remove
SharPersist -t reg -k "hkcurun" -v "Test Stuff" -m remove -o env
SharPersist -t reg -k "logonscript" -m remove
SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "hkcurun" -v "Test Stuff" -m check
SharPersist -t reg -k "hkcurun" -m list
```
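The following audit script is an added example for defenders and is not part of SharPersist. It walks the key table above over a registry snapshot, expands the %value% indirection that the `-o env` add-on leaves behind through the per-hive Environment key, and reports the effective command for each autorun value; the snapshot format (a dict of key path to value-name/data pairs) and the sample data are constructed for this example, as is the assumption that a stock Userinit entry reads `C:\Windows\system32\userinit.exe,`.

```python
import re
# Autorun locations from the table above: code -> (hive, key path, fixed value name or None; None = user supplied, inspect every value).
AUTORUN_KEYS = {
    "logonscript": ("HKCU", r"HKCU\Environment", "UserInitMprLogonScript"),
    "stickynotes": ("HKCU", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "RESTART_STICKY_NOTES"),
    "userinit": ("HKLM", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit"),
    "hkcurun": ("HKCU", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", None),
    "hkcurunonce": ("HKCU", r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce", None),
    "hklmrun": ("HKLM", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", None),
    "hklmrunonce": ("HKLM", r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce", None),
    "hklmrunonceex": ("HKLM", r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx", None),
}
# Environment keys the "-o env" add-on stores the real command in, per hive.
ENV_KEYS = {"HKCU": r"HKCU\Environment",
            "HKLM": r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment"}
ENV_REF = re.compile(r"%([^%]+)%")
def expand_env(data, env):
    """Expand %name% references from a hive's Environment values; returns (expanded, names used)."""
    lookup = {k.lower(): v for k, v in env.items()}  # registry value names are case-insensitive
    resolved = []
    def sub(m):
        if m.group(1).lower() in lookup:
            resolved.append(m.group(1))
            return lookup[m.group(1).lower()]
        return m.group(0)  # unknown name: left literal, as it would be on the host
    return ENV_REF.sub(sub, data), resolved
def audit(registry):
    """registry: {key path: {value name: data}} snapshot (e.g. parsed from `reg export`).
    Returns (code, value name, raw data, effective command, env names used) per autorun value."""
    findings, seen = [], set()
    for code, (hive, path, fixed) in AUTORUN_KEYS.items():  # fixed-name codes come first
        values = registry.get(path, {})
        for name in ([fixed] if fixed else list(values)):
            if name not in values or (path, name) in seen:
                continue  # absent, or already reported under its more specific code
            seen.add((path, name))
            effective, used = expand_env(values[name], registry.get(ENV_KEYS[hive], {}))
            if code == "userinit" and effective.lower().rstrip(",") == r"c:\windows\system32\userinit.exe":
                continue  # assumed stock Userinit value; only extra comma-separated entries matter
            findings.append((code, name, values[name], effective, used))
    return findings
# Constructed sample snapshot (not from a real host): a benign Run value, a value left as "%Test Stuff%" with its command in HKCU\Environment, and the stock Userinit value.
SAMPLE = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "OneDrive": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
        "Test Stuff": "%Test Stuff%"},
    r"HKCU\Environment": {"Test Stuff": r"C:\Windows\System32\cmd.exe /c calc.exe"},
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon": {"Userinit": r"C:\Windows\system32\userinit.exe,"},
}
```

Running `audit(SAMPLE)` reports the OneDrive entry with no environment expansion and the "Test Stuff" entry resolved to `C:\Windows\System32\cmd.exe /c calc.exe` via the "Test Stuff" environment value, while the stock Userinit entry is not reported.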