
CAPEC-270: Modification of Registry Run Keys

Abstraction: Detailed
Status: Stable
Likelihood: Medium
Severity: Medium

Description

An adversary adds a new entry to the "run keys" in the Windows registry so that an application of their choosing is executed when a user logs in. In this way, the adversary can get their executable to operate and run on the target system with the authorized user's level of permissions. This attack is a good way for an adversary to run persistent spyware on a user's machine, such as a keylogger.

Related weaknesses · 1

CWE-15

MITRE ATT&CK crosswalk · 2

T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Start Folder
T1547.014: Boot or Logon Autostart Execution: Active

Related attack patterns · 5

CAPEC-203 (ChildOf)
CAPEC-568 (CanPrecede)
CAPEC-529 (CanPrecede)
CAPEC-646 (CanPrecede)
CAPEC-555 (CanFollow)

Exploits · 1

Type | Target | Confidence | Tier
Weakness | External Control of System or Configuration Setting (cwe-15) | 100% | live

Related to · 2

Type | Target | Confidence | Tier
SubTechnique | Registry Run Keys / Startup Folder (t1547.001) | 100% | live
SubTechnique | Active Setup (t1547.014) | 100% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CAPEC: Run Software at Logon
Sub-technique: Registry Run Keys / Startup Folder
Technique: Boot or Logon Autostart Execution
CAPEC: Manipulate Registry Information
CAPEC: Collect Data from Registries
Sub-technique: Active Setup

Sourced from MITRE CAPEC. Curated by Adam Lundqvist, SQUR.