Threat Feed
Severity: high

Persistence via Hidden Run Key Detected

This rule detects a persistence mechanism that uses the NtSetValueKey native API to create a hidden registry value under a Run key. The value name begins with a null character, so Win32 registry APIs, and the system utilities built on them such as regedit, read the name as an empty string and cannot display, open or delete the value by name.

This detection rule identifies a persistence mechanism on Windows systems where attackers use the NtSetValueKey native API to create hidden registry values under the Run key paths. NtSetValueKey takes the value name as a length-prefixed UNICODE_STRING, so it accepts a name with an embedded null character; the Win32 RegSetValueEx path takes a null-terminated string and would truncate the same name to nothing. Windows still processes the hidden value at user logon, so the command it holds runs while remaining concealed from tools that enumerate the registry through the Win32 API, including Registry Editor (regedit). The rule watches for value-set events on the Run key paths CurrentVersion\\Run, WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run and Policies\\Explorer\\Run, and flags those whose value name starts with a null character. The technique is used to establish persistence and evade detection, letting malicious code execute without the user's knowledge or consent.

Attack Chain

  1. Attacker gains initial access to the system.
  2. Attacker uses a tool like SharpHide or custom code to call the NtSetValueKey native API.
  3. The attacker creates a new registry value under one of the Run key paths.
  4. The value name is crafted to begin with a null character. Win32 registry APIs treat the name as a null-terminated string, so regedit and other standard enumeration tools see an empty name and cannot read, open or delete the value.
  5. The registry value data contains a command to execute a malicious payload.
  6. The system restarts or the user logs on.
  7. The operating system reads the Run keys and executes the hidden command; the embedded null does not stop the value from being processed.
  8. The malicious payload is executed, establishing persistence and potentially leading to further compromise.
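The following model, added here as an illustration and not code from the advisory or from SharpHide, shows why step 4 works. It never touches a real registry: a dict stands in for a Run key, `UnicodeString` stands in for the kernel's length-prefixed UNICODE_STRING that NtSetValueKey and NtEnumerateValueKey use, and `win32_enumerate` models a caller that receives the name from RegEnumValueW and treats the buffer as a null-terminated wide string. The value names and paths are constructed sample data.

```python
"""Model of why a null-prefixed registry value name is invisible to Win32 tooling.

Added example; it models the API behaviour described on the page rather than
calling the Windows registry. The stored key is a plain dict (assumption), the
sample values are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"


@dataclass(frozen=True)
class UnicodeString:
    """Stand-in for UNICODE_STRING: an explicit byte length plus a UTF-16LE buffer.
    Nothing about it depends on a terminator, so an embedded null is just data."""
    buffer: bytes

    @property
    def length(self) -> int:
        return len(self.buffer)


def nt_set_value_key(store: dict[bytes, str], name: UnicodeString, data: str) -> None:
    """Native-style write: the full name (length-delimited, nulls included) is the key."""
    store[name.buffer[: name.length]] = data


def native_enumerate(store: dict[bytes, str]) -> list[tuple[str, str]]:
    """What a length-aware consumer sees (native API callers, the logon Run-key
    processing): every value, with its full name."""
    return [(raw.decode("utf-16-le"), data) for raw, data in store.items()]


def win32_enumerate(store: dict[bytes, str]) -> list[tuple[str, str]]:
    """What a Win32 consumer sees: the name buffer is read up to the first null
    character, so a name that starts with U+0000 collapses to an empty string.
    This is the view regedit and most GUI/CLI registry tools work from."""
    out = []
    for raw, data in store.items():
        wide = raw.decode("utf-16-le")
        out.append((wide.split("\x00", 1)[0], data))
    return out


def hidden_value_count(store: dict[bytes, str]) -> int:
    """Triage heuristic: RegQueryInfoKey reports the total number of values, but
    Win32 enumeration yields names that cannot be addressed. Here we count the
    names that collapse to empty under the Win32 view."""
    return sum(1 for name, _ in win32_enumerate(store) if name == "")


def build_demo_key() -> dict[bytes, str]:
    """Constructed sample Run key: one ordinary value, one SharpHide-style hidden value."""
    key: dict[bytes, str] = {}
    nt_set_value_key(
        key,
        UnicodeString("OneDrive".encode("utf-16-le")),
        r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    )
    nt_set_value_key(
        key,
        UnicodeString("\x00Updater".encode("utf-16-le")),  # leading null = hidden
        r'"C:\Users\u\AppData\Roaming\updater.exe" -s',
    )
    return key


if __name__ == "__main__":
    demo = build_demo_key()
    print("native view :", native_enumerate(demo))
    print("win32 view  :", win32_enumerate(demo))
    print("hidden count:", hidden_value_count(demo))
```

The count mismatch is the practical takeaway: a key whose reported value count exceeds the number of usable names is worth a closer look with a native-API tool, because the Win32 view cannot even name the value that needs removing.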

Impact

Successful use of this technique allows attackers to maintain persistent access to compromised systems, enabling them to execute malicious code, steal sensitive information, or perform other unauthorized actions. Because the value cannot be displayed, opened or deleted by name through Win32-based tools, administrators relying on regedit or similar utilities will not see it and cannot remove it without a native-API tool. The impact includes potential data breaches, system compromise, and long-term unauthorized access.

Recommendation

  • Enable Sysmon registry event logging (Event ID 13, Value Set) scoped to the Run key paths. Sysmon records the write from the kernel registry callback, so the event is generated whether the value was set through the Win32 or the native API.
  • Deploy the Sigma rule “Detect Hidden Run Key Value Name via NtSetValueKey” to detect the creation of hidden registry values under the Run key path in the Windows registry.
  • Investigate any registry events that modify the Run keys and carry a value name containing a null character, as these may indicate malicious activity; check how your collector renders the null before relying on the rule.
  • Use the investigation steps from the original rule to triage and analyze possible malicious findings. Removal requires a tool that addresses the value through the native API with the same null-prefixed name; regedit cannot delete it.
  • Monitor process executions originating from the Run keys, typically with explorer.exe as the parent process at logon, looking for suspicious command lines or unexpected processes.

Detection coverage (2 rules)

Detect Hidden Run Key Value Name via NtSetValueKey

high

Detects registry value-set events under the Run key paths where the value name begins with a null character (hidden from Win32-based tools), indicating a persistence mechanism.

Sigma | tactics: persistence | techniques: T1547.001 | sources: registry_set, windows

Detect Process Creation from Hidden Run Key Payload

medium

Detects process creation events where the command line matches a known payload from a hidden Run key value, indicating the execution of malicious persistence.

Sigma | tactics: execution, persistence | techniques: T1059.003, T1547.001 | sources: process_creation, windows
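The two rules above and the recommendations earlier on the page describe a two-stage detection: flag the hidden value being set, then flag a process whose command line matches the payload stored in it. The following is an added worked example of that logic, not the platform's Sigma rules or query syntax, run over constructed events. The events are small dicts modelled on Sysmon Event ID 13 (RegistryEvent, Value Set) and Event ID 1 (Process Create); the field names are Sysmon's, the values are made up. It assumes the collector keeps the hidden name verbatim in TargetObject, so the last path component starts with U+0000; if your pipeline strips or escapes the null, adapt `value_name_is_hidden`. Correlation state is in memory and events are assumed to arrive in time order.

```python
"""Hidden Run key value detection and payload-execution correlation.

Added example; not the page's own rules. Events are constructed Sysmon-style
dicts; the rendering of a null character in TargetObject is an assumption.
"""
from __future__ import annotations
import re

RULE_HIDDEN_VALUE = "Detect Hidden Run Key Value Name via NtSetValueKey"
RULE_PAYLOAD_EXEC = "Detect Process Creation from Hidden Run Key Payload"

# Run key paths named on the page; the first pattern also covers WOW6432Node.
RUN_KEY_RE = re.compile(
    r"\\CurrentVersion\\Run\\"
    r"|\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\"
    r"|\\Policies\\Explorer\\Run\\",
    re.IGNORECASE,
)


def value_name_is_hidden(target_object: str) -> bool:
    """A value name with an embedded null is unusable through Win32 APIs."""
    name = target_object.rsplit("\\", 1)[-1]
    return "\x00" in name


def detect_hidden_run_value(event: dict) -> dict | None:
    """Rule 1: Sysmon Event ID 13 under a Run key with a null-bearing value name."""
    if event.get("EventID") != 13:
        return None
    target = event.get("TargetObject", "")
    if not RUN_KEY_RE.search(target) or not value_name_is_hidden(target):
        return None
    return {
        "rule": RULE_HIDDEN_VALUE,
        "severity": "high",
        "host": event.get("Computer"),
        "target": target,
        "payload": event.get("Details", ""),   # value data = command to run at logon
        "writer": event.get("Image"),          # process that set the value
    }


def normalise_cmdline(cmd: str) -> str:
    """Strip quotes, lowercase and collapse whitespace so Run key data and the
    CommandLine field compare equal despite quoting differences."""
    return " ".join(cmd.replace('"', "").lower().split())


def detect_hidden_payload_execution(event: dict, known: dict[str, dict]) -> dict | None:
    """Rule 2: Sysmon Event ID 1 whose command line matches a payload seen in Rule 1."""
    if event.get("EventID") != 1:
        return None
    cmd = normalise_cmdline(event.get("CommandLine", ""))
    for payload, hit in known.items():
        norm = normalise_cmdline(payload)
        if norm and norm in cmd:
            return {
                "rule": RULE_PAYLOAD_EXEC,
                "severity": "medium",
                "host": event.get("Computer"),
                "command_line": event.get("CommandLine"),
                "parent": event.get("ParentImage"),
                "hidden_value": hit["target"],
            }
    return None


def run_detections(events: list[dict]) -> list[dict]:
    """Single pass over time-ordered events; payloads from Rule 1 feed Rule 2."""
    alerts: list[dict] = []
    known_payloads: dict[str, dict] = {}
    for ev in events:
        hit = detect_hidden_run_value(ev)
        if hit:
            alerts.append(hit)
            if hit["payload"]:
                known_payloads[hit["payload"]] = hit
            continue
        exec_hit = detect_hidden_payload_execution(ev, known_payloads)
        if exec_hit:
            alerts.append(exec_hit)
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "WS01", "Image": r"C:\Users\alice\Downloads\SharpHide.exe",
     "TargetObject": "HKU\\S-1-5-21-1111\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\x00Updater",
     "Details": r'"C:\Users\alice\AppData\Roaming\updater.exe" -s'},
    {"EventID": 13, "Computer": "WS01", "Image": r"C:\Program Files\Microsoft OneDrive\OneDriveSetup.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "Details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    {"EventID": 13, "Computer": "WS01", "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\\x00Odd",
     "Details": "1"},   # null name outside a Run key: not this rule's concern
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Users\alice\AppData\Roaming\updater.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Roaming\updater.exe" -s',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "CommandLine": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

The third sample event shows the scoping choice: a null-bearing name outside the Run paths is suspicious in its own right but is out of scope for these two rules, so it is left for a broader hidden-value rule rather than widening this one.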
