Query all Run, RunOnce, and RunOnceEx Registry Keys
AID2112302012.YAML
#####aid_begin
#description: fetch the information from registry run keys (run, runonce, and runonceex)
#id: aid2112302012
#processtype: query
#category: registry
#sourcelink: <na>
#tacticidlist: <na>
#techniqueidlist: <na>
#compatibleos: |-
# windows 7
# windows 8.*
# windows 10
# windows 11
# windows server 2008 r2
# windows server 2012
# windows server 2012 r2
# windows server 2016
# windows server 2019
#compatibleengine: |-
# powershell 2
# powershell 3
# powershell 4
# powershell 5.*
# powershell 7.*
#bgcommandlist: |-
# get-bgregistry
#notes: |-
# adversaries may achieve persistence by adding a program to a startup folder or referencing it with a registry run key. adding an entry to the "run keys" in the registry or startup folder will cause the program referenced to be executed when a user logs in.
#####aid_end
commands:
- Get-BGRegistry -StartKey "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
- Get-BGRegistry -StartKey "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"
- Get-BGRegistry -StartKey "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx"
- Get-BGRegistry -StartKey "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"
- Get-BGRegistry -StartKey "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx"
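Where Get-BGRegistry is not available, the same keys can be read with built-in PowerShell for persistence triage. This is an added example, not part of the original YAML or the project's code; the function name Get-RunKeyEntry, the extra HKCU ...\Run path and the user-writable-path heuristic are assumptions of this example.

```powershell
# Added example: list every autorun value under the Run / RunOnce / RunOnceEx keys
# using only built-in cmdlets and .NET registry calls.
# The key list mirrors the commands above; HKCU ...\Run is added by this example.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'
)

# Heuristic (assumption of this example): commands that point into locations a
# standard user can write to deserve a closer look during review.
$userWritable = '\\AppData\\|\\Temp\\|\\Users\\Public\\|%(TEMP|TMP|APPDATA|LOCALAPPDATA|PUBLIC)%'

function Get-RunKeyEntry {
    param([string[]]$Path)
    foreach ($root in $Path) {
        # RunOnce and RunOnceEx are frequently absent; skip missing keys quietly.
        if (-not (Test-Path -LiteralPath $root)) { continue }

        # RunOnceEx keeps its commands in numbered subkeys, so include child keys.
        $keys = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)

        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                # Read the value as stored, without expanding %VAR% references.
                $raw = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                New-Object PSObject -Property @{
                    Key              = $key.Name
                    ValueName        = $name
                    Command          = "$raw"
                    UserWritablePath = ("$raw" -match $userWritable)
                } | Select-Object Key, ValueName, Command, UserWritablePath
            }
        }
    }
}

# Review all entries, with the flagged ones first.
Get-RunKeyEntry -Path $runKeys |
    Sort-Object UserWritablePath -Descending |
    Format-Table -AutoSize -Wrap
```

The HKCU paths resolve to the hive of the account running the script, so other users' Run keys require loading their hives or running in their context.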