[Red Team] ATT&CK - Auto Start - Registry Run Key, Startup Folder

0x01 Foreword

An attacker can achieve persistence by adding the program to the startup folder or referencing it using the registry run key.

Adding an entry to the "run key" in the registry or in the startup folder will cause the referenced program to execute when the user logs in.These programs will execute in the context of the user, with the relevant privilege level of the account.

0x02Startup folder

Placing a program in the startup folder also causes the program to execute when the user logs in.There is a startup folder location for individual user accounts and a system-wide startup folder that will be checked no matter which user account is logged in.

Where: The current user's startup folder path is:

C:\Users\[username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup