diff --git a/Windows Registry/Highly Targeted Registry Keys.csv b/Windows Registry/Highly Targeted Registry Keys.csv
index f1b2d6e..d607134 100644
--- a/Windows Registry/Highly Targeted Registry Keys.csv
+++ b/Windows Registry/Highly Targeted Registry Keys.csv
@@ -1,7 +1,7 @@
 Registry (Sub)Key Name,Importance Description,MITRE,Registry Operation,Recommended SACL,Referneces
 HKEY_CURRENT_USER\Environment\UserInitMprLogonScript,User logon scripts are used to establish persistence as they execute at logon initialization ,T1037.001,RegSetValue*,No,"Boot or Logon Initialization Scripts: Logon Script (Windows), Sub-technique T1037.001 - Enterprise | MITRE ATT&CKĀ®"
-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run,"Used for persistence. HKCU - non-system user, will run whne the user logs in",T1547.001,RegSetValue*,No,https://labs.jumpsec.com/running-once-running-twice-pwned-windows-registry-run-keys/
-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce,"Used for persistence. HKCU - non-system user, will run whne the user logs in. Removed after user logs in. ",T1547.001,RegSetValue*,No,https://labs.jumpsec.com/running-once-running-twice-pwned-windows-registry-run-keys/
+HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run,"Used for persistence. HKCU - non-system user, will run when the user logs in",T1547.001,RegSetValue*,No,https://labs.jumpsec.com/running-once-running-twice-pwned-windows-registry-run-keys/
+HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce,"Used for persistence. HKCU - non-system user, will run when the user logs in. Removed after user logs in. ",T1547.001,RegSetValue*,No,https://labs.jumpsec.com/running-once-running-twice-pwned-windows-registry-run-keys/
 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run,"Used for persistence. HKLM - Admin/System user, will run everytime the machine boots",T1547.001,RegSetValue*,No,https://labs.jumpsec.com/running-once-running-twice-pwned-windows-registry-run-keys/
 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce,"Used for persistence. 
HKLM - Admin/System user, will run when the machine boots and willl be removed after execution",T1547.001,RegSetValue*,No,https://labs.jumpsec.com/running-once-running-twice-pwned-windows-registry-run-keys/
 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx,"Used for persistence. HKLM - Admin/System user, will run when the machine boots and willl be removed after execution",T1547.001,RegSetValue*,No,https://attack.mitre.org/techniques/T1547/001/
@@ -18,4 +18,4 @@ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_
 HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls,Persistence. DLLs that are added get loaded by user32.dll. ,T1546.010,"RegCreateKey*, RegSetValue*",No,https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost,Persistence. Malware can create a service via a dll by setting image path to svchost.exe -k <>,TA0003,"RegCreateKey, RegSetValue",No,
 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit,Reconnaissance to see what audit policies are in place. Built-in to Seatbelt. ,TA0043,RegQueryKey ,Yes,
-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysmonDrv\Parameters\ ,Reconnaissance. Detection where processname != sysmon service binary (Sysmon.exe/Sysmon64.exe),TA0043,RegQueryKey ,Yes,
\ No newline at end of file
+HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysmonDrv\Parameters\ ,Reconnaissance. Detection where processname != sysmon service binary (Sysmon.exe/Sysmon64.exe),TA0043,RegQueryKey ,Yes,
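Review bot: The spelling fix in the first hunk is incomplete: the HKLM Run row in the same hunk still reads `everytime`, the HKLM RunOnce and RunOnceEx rows still read `willl`, and the header column is still spelled `Referneces`, so one more pass over these rows would leave the file consistent. If this CSV is loaded by a script rather than only read by people, the stray whitespace inside cells matters more than the typos: the description cells ending in `logon initialization ,` and `Removed after user logs in. "` here, and in the second hunk the key path `...\SysmonDrv\Parameters\ ,` and the operation `RegQueryKey ,`, where a trailing space in the key path will not match the actual registry key or a SACL rule derived from it. The RunOnce row appears split across a line boundary on this page; that is a layout artefact, not a newline in the cell, given the hunk's 7-line count.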