Hunting for Persistence with Cympire: Part I — Registry Run Keys

Adam Goss
5 min readFeb 8

Hey friend, welcome to this short series on hunting for persistence!

In this series, I have joined up with the team at Cympire to teach you how to hunt for adversary persistence mechanisms in your environment. Cympire is “The Most Advanced Cybersecurity Training & Assessment Platform” and it will provide you with a virtualized battleground to test your cyber capabilities!

Each entry in this series will cover a persistence mechanism adversaries use in the real world to maintain access to systems they compromise. Accompanying this will be a gamified scenario where you can practice the skills you learn for FREE. So let’s dig in and upskill our threat hunting capabilities!

Once an attacker gains initial access to a machine they will try to keep this access by installing a persistence mechanism. There are many ways an adversary can maintain persistence, this series will cover:

  1. Registry Run Keys — where attackers will add registry keys to automatically start a program when the system boots.
  2. Scheduled Tasks — where attackers will schedule a task to automatically run a program at specific intervals.
  3. Services — where attackers will create or modify existing services to automatically start a program when the system boots.
  4. Startup Folder — where attackers will add a shortcut to a program in the startup folder to automatically run when the user logs in.

In this installment of the series, we will be focusing on Registry Run keys.

Registry Run Keys

Registry run keys are locations in the Windows registry where programs and scripts can be configured to automatically start when the system boots up or when a user logs in. The registry run keys are used by attackers as a persistence mechanism that allows their program (malicious code) to remain even after a…

Adam Goss

Cyber Security Professional | Red Teamer | Adversary Emulator | Malware Analysis | Threat Hunter | Threat Intelligence