Detailed attack pattern

Stable

CAPEC-270: Modification of Registry Run Keys

An adversary adds a new entry to the "run keys" in the Windows registry so that an application of their choosing is executed when a user logs in. In this way, the adversary can get their executable to operate and run on the target system with the authorized user's level of permissions. This attack is a good way for an adversary to run persistent spyware on a user's machine, such as a keylogger.

Medium

Typical severity

Per MITRE

Medium

Likelihood of attack

Per MITRE

Related weaknesses

CWEs this targets

Detailed

Abstraction

MITRE classification

Overview

CAPEC-270 (Modification of Registry Run Keys) is a detailed-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.

CAPEC-270: Modification of Registry Run Keys

Overview

How the attack works

What the attacker needs

Prerequisites

Consequences

How to mitigate it

Examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CAPEC-270?

How does a Modification of Registry Run Keys attack work?

How do you prevent CAPEC-270?

What weaknesses does CAPEC-270 target?

How severe is CAPEC-270?

References

Defend against CAPEC-270

Overview

How the attack works

What the attacker needs

Prerequisites

Consequences

How to mitigate it

Examples

Related weaknesses

Related attack patterns

Parent

Can precede

Can follow

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CAPEC-270?

How does a Modification of Registry Run Keys attack work?

How do you prevent CAPEC-270?

What weaknesses does CAPEC-270 target?

How severe is CAPEC-270?

References

Defend against CAPEC-270