Run and Run Once

Run and RunOnce Keys: An Overview

• Run Keys: These are used to launch persistence applications and services during the system startup or user logon. The programs listed under these keys are automatically executed every time the system boots up or a user logs on. They are found in several locations within the Windows Registry, but the most commonly referenced are:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

  Entries in the HKEY_LOCAL_MACHINE hive are executed for all users, while those in the HKEY_CURRENT_USER hive are only executed for the currently logged-in user.

• RunOnce Keys: These keys are similar to the Run keys, but the programs listed under them are only executed once, at the next system startup or user logon, and then removed from the Registry. This can be useful for software that needs to finalize configurations or perform cleanup tasks after installation. Locations include:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Legitimate Uses

Legitimately, software developers use these keys to ensure necessary services and applications start automatically to provide a seamless user experience. For example, antivirus software might use Run keys to start protection services at boot time, or an installer might use RunOnce to complete setup tasks the next time the computer starts.

Abuse by Threat Actors

Threat actors exploit these keys to establish persistence for their malware. By inserting malicious paths into these keys, they can ensure their malware executes each time the computer starts or when a user logs on. This technique is commonly used because it is straightforward and effective, especially for maintaining long-term access to a compromised system.

Examples of Suspicious Entries

A suspicious entry in a Run or RunOnce key might look like this:

• A program executing from a temporary or unusual directory, e.g.,

  Copy

  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  "SecurityUpdate"="C:\Users\user\AppData\Local\Temp\update.exe"

• Entries with obfuscated or random names, which do not match known software, e.g.,

  Copy

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  "kjhfgds"="C:\Windows\System32\kjhfgds.exe"

• Paths that include known locations for malware persistence or unusual script execution, e.g.,

  Copy

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  "CustomScript"="powershell.exe -ExecutionPolicy Bypass -File C:\Users\user\Documents\script.ps1"

Detection and Analysis

For digital forensic analysts, identifying suspicious or unknown entries in these keys is crucial. Tools such as autoruns from Sysinternals can be used to inspect these locations efficiently. Analysts should look for entries that do not correspond to installed software, that reference executables in unusual locations, or that appear to use obfuscation techniques. Verifying the legitimacy of each entry and conducting further investigation on unknown or suspicious items is essential for identifying and mitigating potential threats.

In summary, while Run and RunOnce keys serve important functions in Windows OS for legitimate software, they are also common targets for abuse by threat actors seeking to maintain persistence on compromised systems. Identifying and investigating unusual or unknown entries in these Registry locations is a critical task for security professionals and digital forensic analysts to prevent and mitigate malicious activities.