Query Startup Services from the Registry

AID2112302014.YAML

#####aid_begin
#description: fetch the information from startup services registry
#id: aid2112302014
#processtype: query
#category: registry
#sourcelink: <na>
#tacticidlist: <na>
#techniqueidlist: <na>
#compatibleos: |-
#  windows 7
#  windows 8.*
#  windows 10
#  windows 11
#  windows server 2008 r2
#  windows server 2012
#  windows server 2012 r2
#  windows server 2016
#  windows server 2019
#compatibleengine: |-
#  powershell 2
#  powershell 3
#  powershell 4
#  powershell 5.*
#  powershell 7.*
#bgcommandlist: |-
#  get-bgregistry
#notes: |- 
#  adversaries may achieve persistence by adding a program to a startup folder or by referencing it from a registry run key; an entry in one of the "run keys" or in a startup folder causes the referenced program to execute when a user logs in. this aid collects the RunServices and RunServicesOnce keys, which adversaries have used to control automatic startup of programs during boot. these are legacy (windows 9x-era) locations, so on the supported nt-based systems they are normally absent or empty, and any populated entry deserves scrutiny.
#####aid_end
commands:
- Get-BGRegistry -StartKey "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"
- Get-BGRegistry -StartKey "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices"
- Get-BGRegistry -StartKey "HKU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"
- Get-BGRegistry -StartKey "HKU\Software\Microsoft\Windows\CurrentVersion\RunServices"
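As an added example, not part of this AID or of the Get-BGRegistry tooling, the same four keys queried with built-in cmdlets only. HKEY_USERS holds one subkey per loaded user SID, so the example walks each loaded hive rather than addressing HKU\Software directly, and it reports a missing or empty key explicitly instead of skipping it, since on NT-based Windows these legacy keys are expected to be absent and a populated one is the interesting case. The `Status` column and the `_Classes` filter are choices made for this example.

```powershell
# Added example (not from the AID or Get-BGRegistry): enumerate RunServices and
# RunServicesOnce under HKLM and under every loaded user hive in HKU.

$subKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\RunServices',
    'Software\Microsoft\Windows\CurrentVersion\RunServicesOnce'
)

# HKU is not exposed as a PSDrive by default; map it so user hives can be walked.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# Roots to examine: the machine hive plus each loaded user hive (S-1-5-21-... user
# SIDs and well-known SIDs such as S-1-5-18). The *_Classes hives carry no run keys
# and are skipped.
$roots = @('HKLM:') + (Get-ChildItem HKU: |
    Where-Object { $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { "HKU:\$($_.PSChildName)" })

$results = foreach ($root in $roots) {
    foreach ($sub in $subKeys) {
        $path = Join-Path $root $sub
        if (-not (Test-Path -LiteralPath $path)) {
            [PSCustomObject]@{ Key = $path; ValueName = $null; Data = $null; Status = 'KeyMissing' }
            continue
        }
        $props = Get-ItemProperty -LiteralPath $path
        # Get-ItemProperty adds PSPath/PSParentPath/... provider properties;
        # keep only the real registry values.
        $values = $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }
        if (-not $values) {
            [PSCustomObject]@{ Key = $path; ValueName = $null; Data = $null; Status = 'Empty' }
            continue
        }
        foreach ($v in $values) {
            # Data is the command line that would run; this is the field to triage.
            [PSCustomObject]@{ Key = $path; ValueName = $v.Name; Data = $v.Value; Status = 'Present' }
        }
    }
}

$results | Format-Table -AutoSize -Wrap
```

Run it in an elevated session so that all loaded user hives under HKU are readable; without elevation only the current user's hive and the well-known SIDs are typically accessible. Rows with `Status = Present` are the ones to compare against known-good baselines.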
