ID | F0012 |
Objective(s) | Persistence |
Related ATT&CK Sub-Technique | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |

Malware may add an entry to the Windows Registry run keys or startup folder to enable persistence. [1]

See ATT&CK: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder.

Name | Date | Description |
---|---|---|
TrickBot | 2016 | Trojan spyware program that has mainly been used for targeting banking sites. |
Poison-Ivy | 2005 | After the Poison-Ivy server is running on the target machine, the attacker can use a Windows GUI client to control the target computer. [2] |
Hupigon | 2013 | Hupigon drops the file "Systen.dll" and adds the registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS DllName = "%System%\Systen.dll". [3] |
Terminator | May 2013 | The Terminator RAT sets "2019" as the Windows startup folder by modifying a registry value. [4] |
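
A defender-side triage sketch for the locations listed in the table above, added here as an example and not taken from the catalog or its references: it scans text in the layout printed by `reg query <key> /s` for Run/RunOnce values, a `Winlogon\Notify` `DllName` such as Hupigon's, and a `Startup` shell-folder value that points away from the default path, as with Terminator's "2019". The sample data is constructed, and the `Explorer\User Shell Folders` key, the default-path suffix check and the rule names are assumptions not stated on this page.

```python
import re

# Constructed sample in the text layout printed by `reg query <key> /s`.
# Assumption: the Startup folder value lives under Explorer\(User )Shell Folders.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    C:\Program Files\Microsoft OneDrive\OneDrive.exe /background

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS
    DllName    REG_EXPAND_SZ    %System%\Systen.dll

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
    Desktop    REG_EXPAND_SZ    %USERPROFILE%\Desktop
    Startup    REG_EXPAND_SZ    %APPDATA%\2019
"""

VALUE_RE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")
DEFAULT_STARTUP_TAIL = r"\start menu\programs\startup"

def classify(key, name, data):
    """Return a rule name if this value is an autostart location, else None."""
    k, n = key.lower(), name.lower()
    if k.endswith((r"\currentversion\run", r"\currentversion\runonce")):
        return "run-key"  # every value under these keys is launched at logon
    if "\\winlogon\\notify\\" in k and n == "dllname":
        return "winlogon-notify"
    shell = k.endswith((r"\explorer\shell folders", r"\explorer\user shell folders"))
    if shell and n == "startup" and not data.lower().rstrip("\\").endswith(DEFAULT_STARTUP_TAIL):
        return "startup-redirect"  # Startup folder no longer the default path
    return None

def find_autostart(text):
    """Parse reg-query style text; return (rule, key, value name, data) tuples."""
    findings, key = [], None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if key and m:
            name, _type, data = m.groups()
            rule = classify(key, name, data)
            if rule:
                findings.append((rule, key, name, data))
    return findings

if __name__ == "__main__":
    for rule, key, name, data in find_autostart(SAMPLE):
        print(f"{rule:17} {key}\\{name} = {data}")
```

Run-key hits are an inventory to review against a known-good baseline, not verdicts; the other two rules flag values that are rarely changed on a clean system.
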
[1] https://threatvector.cylance.com/en_us/home/windows-registry-persistence-part-2-the-run-keys-and-search-order.html
[2] https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy
[3] https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/HUPIGON
[4] https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/file/fireeye-hot-knives-through-butter.pdf