Run / RunOnce Persistence Keys
Location
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run (per-user) and SOFTWARE\Microsoft\Windows\CurrentVersion\Run (machine-wide)
Description
Registry Run and RunOnce keys that specify programs to execute at user logon (NTUSER.DAT) or system startup (SOFTWARE hive). RunOnce entries are deleted after execution. Both per-user and machine-wide variants exist.
Forensic Value
Run keys are the most common registry persistence mechanism used by malware and attackers. Entries contain the full command line executed at every logon, revealing persistence payloads including encoded PowerShell, mshta calls, or paths to dropped binaries. RunOnce entries execute once and self-delete, but may still be recovered from registry transaction logs or VSS snapshots. Comparing current entries against a known-good baseline immediately identifies attacker additions.
Tools Required
Collection Commands
KAPE
kape.exe --tsource C: --tdest C:\output --target RegistryHives
reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" && reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
Autoruns
autorunsc.exe -a l -ct -h -s -v -vt > C:\output\autoruns_logon.csv
RegRipper
rip.exe -r C:\output\NTUSER.DAT -p run
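As an added example (not from the page, KAPE, RegRipper or any other tool named above), the following Python script parses the text that the reg.exe collection command produces, compares the recovered Run entries against a known-good baseline as the Forensic Value section describes, and annotates each new or changed entry with the command-line patterns that section names (encoded PowerShell, mshta calls, binaries dropped under the user profile). The reg query output and the baseline are constructed samples, not data from a real host.

```python
import re

# Constructed sample of `reg query` output for the two Run keys (not captured
# from a real host). Each value line is: <name>  <REG_TYPE>  <data>.
SAMPLE_REG_QUERY_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\analyst\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater    REG_SZ    powershell.exe -nop -w hidden -enc SQBFAFgAIABwAGwAYQBjAGUAaABvAGwAZABlAHIA
    HelperApp    REG_SZ    mshta.exe C:\Users\analyst\AppData\Roaming\helper.hta
"""

# Constructed known-good baseline: (key path, value name) -> expected command.
BASELINE = {
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth"):
        r"%windir%\system32\SecurityHealthSystray.exe",
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "VMware User Process"):
        r'"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr',
    (r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "OneDrive"):
        r'"C:\Users\analyst\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}

# Command-line patterns the page lists as typical Run-key persistence payloads.
SUSPICIOUS_PATTERNS = [
    ("encoded PowerShell", re.compile(r"powershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\b", re.I)),
    ("mshta", re.compile(r"\bmshta(\.exe)?\b", re.I)),
    ("hidden-window PowerShell", re.compile(r"powershell(\.exe)?\b.*\s-w(indowstyle)?\s+hidden", re.I)),
    ("user-profile or temp path", re.compile(r"\\AppData\\|\\Temp\\", re.I)),
]

# A value line: leading indent, name, 2+ spaces, REG_* type, 2+ spaces, data.
VALUE_LINE = re.compile(r"^\s{2,}(?P<name>.+?)\s{2,}(?P<type>REG_[A-Z_]+)\s{2,}(?P<data>.*)$")


def parse_reg_query(text):
    """Parse `reg query` text into {(key_path, value_name): command}."""
    entries = {}
    current_key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("HKEY_"):          # unindented line names the key
            current_key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m and current_key:
            entries[(current_key, m.group("name"))] = m.group("data").strip()
    return entries


def compare_to_baseline(current, baseline):
    """Return entries that are absent from, or differ from, the baseline."""
    findings = []
    for key, cmd in sorted(current.items()):
        if key not in baseline:
            status = "NEW"
        elif baseline[key] != cmd:
            status = "CHANGED"
        else:
            continue  # matches the known-good baseline, nothing to report
        indicators = [label for label, rx in SUSPICIOUS_PATTERNS if rx.search(cmd)]
        findings.append({"key": key[0], "name": key[1], "command": cmd,
                         "status": status, "indicators": indicators})
    return findings


def triage(reg_query_text, baseline=BASELINE):
    """End-to-end: parse collected output, diff against baseline, annotate."""
    return compare_to_baseline(parse_reg_query(reg_query_text), baseline)


if __name__ == "__main__":
    for f in triage(SAMPLE_REG_QUERY_OUTPUT):
        tags = ", ".join(f["indicators"]) or "no pattern match"
        print(f"{f['status']:7} {f['name']:12} {f['command']}  [{tags}]")
```

Entries that match the baseline exactly are dropped; only additions and changed commands are reported, each tagged with the patterns it matched so an analyst can prioritise. The baseline should come from a host or image of the same build, and RunOnce keys (which self-delete after execution) need the same treatment from registry transaction logs or VSS copies rather than the live hive.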
Collection Constraints
- Availability, retention, and field coverage depend on the Windows release, SKU, per-host audit policy, and user activity. Treat absence as inconclusive unless you verified the feature was enabled.
MITRE ATT&CK Techniques
Used in Procedures
Related Blockers
Attack Delivered via Legitimately Signed Update
The malicious artifact carries a valid signature from the vendor's real signing key, so traditional allow-by-signature controls (Authenticode policy, Cosign verification, macOS notarization) do not flag it. Detection must pivot to behavioral indicators, reputation, and anomaly-based signals.
Mining Incident Treated as Low Priority by Stakeholders
Stakeholders frame unauthorized mining as "just a resource cost" and push for immediate process-kill and closure rather than a full investigation. This under-scoping routinely leaves the entry vector open and misses secondary compromise (webshells, backdoors, credential theft) the attacker installed alongside the miner.
Fileless Malware With Minimal On-Disk Footprint
The suspected malware runs primarily in memory with minimal or no on-disk persistence. Traditional file-hash IoC hunts return empty, and disk-image analysis misses the active payload. Response must pivot to memory forensics, ETW, PowerShell script-block logging, and AMSI telemetry.
Attacker Living Off the Land with Native Binaries
The attacker relies on legitimate system binaries (PowerShell, certutil, bitsadmin, regsvr32, rundll32, mshta, wmic) for execution and lateral movement. File-reputation and signature-based detection fails because the binaries are legitimate; detection must shift to behavioral anomaly, parent-child process analysis, and command-line context.
Deep Anti-Forensics: Timestomping, Rootkits, Secure Delete
The attacker has employed anti-forensic techniques: timestomping ($MFT/$STANDARD_INFORMATION manipulation), log clearing (Security.evtx wiped, journalctl truncated), NTFS alternate data stream hiding, rootkits, file-attribute masking, or secure-delete of specific indicators. Standard forensic analysis produces incomplete or misleading results.