A Cobalt Strike BOF (Beacon Object File) for managing Windows registry persistence vectors.
This tool allows you to add, remove, and list registry-based persistence mechanisms.
Build requirements:

- MinGW-w64 toolchain (`x86_64-w64-mingw32-gcc` and `i686-w64-mingw32-gcc`)

Compile the BOF objects for both architectures:

```
make
```

This will:

- Create a `regpersist/` directory
- Compile `regpersist.x64.o` and `regpersist.x86.o`
- Move both object files into the `regpersist/` directory

To clean build artifacts:

```
make clean
```

Usage:

```
regpersist <OPERATION> <KEYCODE> [COMMAND] [COMMANDARG] [VALUE]
```

Operations:

- ADD: Add a registry persistence entry
- REMOVE: Remove a registry persistence entry
- LIST: List all registry values in the specified key

Parameters:

- OPERATION (Required): `ADD`, `REMOVE`, or `LIST`
- KEYCODE (Required): One of the supported registry key codes (see the table below)
- COMMAND (Required for ADD): The command/executable to execute (e.g., `"cmd.exe"`)
- COMMANDARG (Optional for ADD): Arguments for the command (e.g., `"/c calc.exe"`)
- VALUE (Optional): The registry value name
  - Not needed for pre-determined keys (they use fixed value names)
  - For shell folder keys, defaults to "Common Startup" or "Startup"
  - Required for standard run keys
| Keycode | Registry Path | Value Name | Notes |
|---|---|---|---|
| Standard Run Keys | | | |
| `HKLM_RUNONCE` | `HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce` | User-defined | Requires VALUE parameter |
| `HKLM_RUNONCEEX` | `HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx` | User-defined | Requires VALUE parameter |
| `HKLM_RUN` | `HKLM\Software\Microsoft\Windows\CurrentVersion\Run` | User-defined | Requires VALUE parameter |
| `HKCU_RUN` | `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` | User-defined | Requires VALUE parameter |
| `HKCU_RUNONCE` | `HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce` | User-defined | Requires VALUE parameter |
| Pre-determined Keys | | | |
| `LOGONSCRIPT` | `HKCU\Environment` | `UserInitMprLogonScript` | Pre-determined, no VALUE needed |
| `STICKYNOTES` | `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` | `RESTART_STICKY_NOTES` | Pre-determined, no VALUE needed |
| `USERINIT` | `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon` | `Userinit` | Pre-determined, appends to existing value |
| `HKLM_WINDOWS_LOAD` | `HKLM\Software\Microsoft\Windows\CurrentVersion\Load` | `load` | Pre-determined, no VALUE needed |
| `HKCU_WINDOWS_LOAD` | `HKCU\Software\Microsoft\Windows\CurrentVersion\Load` | `load` | Pre-determined, no VALUE needed |
| `HKLM_TERMINAL_SERVER_STARTUP` | `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Startup` | `Startup` | Pre-determined, no VALUE needed |
| `HKLM_TERMINAL_SERVER_INITIAL` | `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Initial` | `Initial` | Pre-determined, no VALUE needed |
| `HKLM_WINLOGON_TASKMAN` | `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon` | `Taskman` | Pre-determined, no VALUE needed |
| `HKLM_WINLOGON_SHELL` | `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon` | `Shell` | Pre-determined, no VALUE needed |
| `HKLM_WINLOGON_SYSTEM` | `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon` | `System` | Pre-determined, no VALUE needed |
| `HKLM_WINLOGON_NOTIFY` | `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon` | `Notify` | Pre-determined, no VALUE needed |
| `HKLM_WINLOGON_VMAPPLET` | `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon` | `VmApplet` | Pre-determined, no VALUE needed |
| `HKCU_WINLOGON_SHELL` | `HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon` | `Shell` | Pre-determined, no VALUE needed |
| `HKLM_SAFEBOOT_ALTERNATESHELL` | `HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot` | `AlternateShell` | Pre-determined, no VALUE needed |
| `HKCU_POLICIES_SYSTEM_SHELL` | `HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System` | `Shell` | Pre-determined, no VALUE needed |
| `HKLM_APPINIT_DLLS` | `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows` | `AppInit_DLLs` | Pre-determined, no VALUE needed |
| Policies Run Keys | | | |
| `HKLM_POLICIES_RUN` | `HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run` | User-defined | Requires VALUE parameter, admin rights needed |
| `HKCU_POLICIES_RUN` | `HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run` | User-defined | Requires VALUE parameter, may need admin rights |
| Shell Folders | | | |
| `HKLM_SHELL_FOLDERS` | `HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders` | `Common Startup` | Default value, overwrites existing |
| `HKCU_SHELL_FOLDERS` | `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders` | `Startup` | Default value, overwrites existing |
| `HKLM_USER_SHELL_FOLDERS` | `HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders` | `Common Startup` | Default value, overwrites existing |
| `HKCU_USER_SHELL_FOLDERS` | `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders` | `Startup` | Default value, overwrites existing |
| RunServices Keys | | | |
| `HKLM_RUNSERVICES` | `HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices` | User-defined | Requires VALUE parameter |
| `HKCU_RUNSERVICES` | `HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices` | User-defined | Requires VALUE parameter |
| `HKCU_RUNSERVICESONCE` | `HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce` | User-defined | Requires VALUE parameter |
| Windows NT Run Keys | | | |
| `HKCU_WINDOWS_NT_RUN` | `HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run` | User-defined | Requires VALUE parameter |
| `HKCU_WINDOWS_NT_WINDOWS_RUN` | `HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run` | User-defined | Requires VALUE parameter |
| WOW6432 Keys | | | |
| `HKLM_WOW6432_RUN` | `HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run` | User-defined | Requires VALUE parameter |
| `HKLM_WOW6432_RUNONCE` | `HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce` | User-defined | Requires VALUE parameter |
| `HKLM_WOW6432_POLICIES_RUN` | `HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run` | User-defined | Requires VALUE parameter, admin rights needed |
| `HKCU_WOW6432_RUN` | `HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run` | User-defined | Requires VALUE parameter |
| `HKCU_WOW6432_RUNONCE` | `HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce` | User-defined | Requires VALUE parameter |
| `HKCU_WOW6432_POLICIES_RUN` | `HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run` | User-defined | Requires VALUE parameter, may need admin rights |
| Terminal Server Keys | | | |
| `HKLM_TERMINAL_SERVER_RUN` | `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run` | User-defined | Requires VALUE parameter |
| `HKLM_TERMINAL_SERVER_RUNONCE` | `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunOnce` | User-defined | Requires VALUE parameter |
| `HKLM_TERMINAL_SERVER_RUNONCEEX` | `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunOnceEx` | User-defined | Requires VALUE parameter |
| `HKCU_TERMINAL_SERVER_RUN` | `HKCU\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run` | User-defined | Requires VALUE parameter |
| `HKCU_TERMINAL_SERVER_RUNONCE` | `HKCU\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunOnce` | User-defined | Requires VALUE parameter |
| `HKCU_TERMINAL_SERVER_RUNONCEEX` | `HKCU\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunOnceEx` | User-defined | Requires VALUE parameter |
| Policy Script Keys | | | |
| `HKCU_POLICIES_SYSTEM_SCRIPT_LOGON` | `HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System` | User-defined | Requires VALUE parameter |
| `HKCU_POLICIES_SYSTEM_SCRIPT_LOGOFF` | `HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System` | User-defined | Requires VALUE parameter |
| Special Keys | | | |
| `HKCR_CONTEXT_MENU` | `HKCR\*\shell\<menu_name>\command` | (Default) | Requires VALUE as menu name (e.g., "MyContextMenu") |
| `HKLM_IFEO` | `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<target_exe>` | `Debugger` | Requires VALUE as target executable name (e.g., "notepad.exe") |
Examples:

```
# Standard run key with custom value name
regpersist ADD HKLM_RUN "cmd.exe" "/c calc.exe" "MyPersistence"

# Pre-determined key (no value name needed)
regpersist ADD LOGONSCRIPT "cmd.exe" "/c calc.exe"

# Shell folder (uses default value name)
regpersist ADD HKLM_SHELL_FOLDERS "C:\\temp\\1.exe"

# Context menu handler
regpersist ADD HKCR_CONTEXT_MENU "C:\\temp\\1.exe" "" "MyContextMenu"

# IFEO (Image File Execution Options)
regpersist ADD HKLM_IFEO "C:\\temp\\1.exe" "" "notepad.exe"
```

```
# Remove by value name
regpersist REMOVE HKLM_RUN "MyPersistence"

# Remove pre-determined key
regpersist REMOVE LOGONSCRIPT

# Remove shell folder entry
regpersist REMOVE HKLM_SHELL_FOLDERS
```

```
# List all values in a registry key
regpersist LIST HKLM_RUN
regpersist LIST HKCU_RUN
```

Detection: most rules covering these registry locations can be found at:

- SigmaHQ - https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set
- Elastic - https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/persistence_registry_uncommon
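As an added defender-side example (not part of this project's code), the script below turns a subset of the keycode table into a watchlist and runs it over constructed Sysmon Event ID 13 (registry value set) lines, the telemetry the linked Sigma `registry_set` rules are built on; the HKU-to-HKCU fold is needed because Sysmon reports per-user hives under the user's SID. The watchlist rows, sample events and SIDs are constructed for the example.

```python
import re

# Watchlist drawn from the keycode table above: (keycode, key path, value name;
# None = user-defined). A trailing "\*" stands for one subkey (the IFEO
# per-executable key). Only a subset of the table is listed to keep this short.
WATCHLIST = [
    ("HKLM_RUN", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", None),
    ("HKCU_RUN", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", None),
    ("LOGONSCRIPT", r"HKCU\Environment", "UserInitMprLogonScript"),
    ("USERINIT", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit"),
    ("HKLM_WINLOGON_SHELL", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"),
    ("HKLM_IFEO", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*", "Debugger"),
]

# Sysmon reports per-user hives as HKU\<SID>\...; fold that back to HKCU.
_HKU_SID = re.compile(r"^HKU\\S-1-5-21-[\d-]+\\", re.IGNORECASE)

def classify(target_object):
    """Return (keycode, VALUE) when a registry write lands on a watched autostart
    location, else None; VALUE is the value name, or the target exe for IFEO."""
    norm = _HKU_SID.sub(r"HKCU\\", target_object)
    key, _, value = norm.rpartition("\\")
    for code, path, want in WATCHLIST:
        if want is not None and value.lower() != want.lower():
            continue
        if path.endswith("\\*"):
            parent, _, subkey = key.rpartition("\\")
            if parent.lower() == path[:-2].lower():
                return code, subkey
        elif key.lower() == path.lower():
            return code, value
    return None

def scan(lines):
    """Return [(keycode, VALUE, Details)] for Sysmon Event ID 13 lines that hit."""
    hits = []
    for line in lines:
        m = re.search(r"TargetObject=(.+?) Details=(.*)$", line)
        if "EventID=13" in line and m and (hit := classify(m.group(1))):
            hits.append((hit[0], hit[1], m.group(2)))
    return hits

# Constructed Sysmon Event ID 13 (RegistryEvent, value set) lines, not real telemetry.
SAMPLE_EVENTS = [
    r"EventID=13 TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyPersistence Details=cmd.exe /c calc.exe",
    r"EventID=13 TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Environment\UserInitMprLogonScript Details=cmd.exe /c calc.exe",
    r"EventID=13 TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger Details=C:\temp\1.exe",
    r"EventID=13 TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Environment\TEMP Details=C:\Users\u\AppData\Local\Temp",
    r"EventID=12 TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Foo Details=",
]
```

`scan(SAMPLE_EVENTS)` flags the first three events and ignores the benign `TEMP` write and the key-creation event (ID 12); extend `WATCHLIST` with the remaining table rows the same way.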
The `base.c` and `bofdefs.h` files are direct copies from TrustedSec's CS-Situational-Awareness-BOF project.
Lefteris (Lefty) Panos @ 2025