runkeys

$ target-query <path/to/target> -f runkeys
Details

Module

os.windows.regf.runkeys.RunKeysPlugin

Output

records

Module documentation

Plugin that iterates various Runkey locations.

Function documentation

Iterate various run key locations. See source for all locations.

Run keys (Run and RunOnce) are registry keys that make a program run when a user logs on. A Run key runs every time the user logs on, while a RunOnce key makes the program run once and deletes the key afterwards. They are often leveraged as a persistence mechanism.

References:
Yields RunKeyRecords with fields:

hostname (string): The target hostname.
domain (string): The target domain.
ts (datetime): The registry key last modified timestamp.
name (string): The run key name.
path (string): The run key path.
key (string): The source key for this run key.
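
A triage pass over records with the fields listed above, as an added example that is not part of the plugin or its documentation. It assumes the records have been loaded as plain dicts; the heuristics, the `triage` and `make_record` helpers and the sample records are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Triage heuristics below are assumptions of this example, not plugin behaviour.
USER_WRITABLE = re.compile(r"\\(appdata|temp|users\\public|programdata)\\", re.I)
SCRIPT_HOSTS = re.compile(
    r"\b(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|cmd)(\.exe)?\b", re.I)


def triage(records, since=None):
    """Return (record, reasons) pairs, newest key timestamp first."""
    findings = []
    for rec in records:
        reasons = []
        if USER_WRITABLE.search(rec["path"]):
            reasons.append("user-writable location")
        if SCRIPT_HOSTS.search(rec["path"]):
            reasons.append("script host or proxy binary")
        # ts is the key's last-modified time, so every value under the same
        # key shares it; read it as "something in this key changed".
        if since is not None and rec["ts"] >= since:
            reasons.append("key modified in window")
        if reasons:
            findings.append((rec, reasons))
    return sorted(findings, key=lambda f: f[0]["ts"], reverse=True)


def make_record(ts, name, path, key):
    """Build a dict shaped like the record fields described above."""
    return {"hostname": "WS01", "domain": "corp.example", "ts": ts,
            "name": name, "path": path, "key": key}


HKLM_RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
HKCU_RUN = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE = [  # constructed records, not output from a real target
    make_record(datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc), "SecurityHealth",
                r"C:\Windows\System32\SecurityHealthSystray.exe", HKLM_RUN),
    make_record(datetime(2024, 5, 10, 14, 30, tzinfo=timezone.utc), "Updater",
                r"C:\Users\alice\AppData\Roaming\upd\updater.exe", HKCU_RUN),
    make_record(datetime(2024, 5, 12, 2, 15, tzinfo=timezone.utc), "Sync",
                r"powershell.exe -File C:\ProgramData\sync.ps1", HKLM_RUN),
]

if __name__ == "__main__":
    window = datetime(2024, 5, 11, tzinfo=timezone.utc)
    for rec, reasons in triage(SAMPLE, since=window):
        print(rec["ts"].isoformat(), rec["name"], rec["path"], "|", ", ".join(reasons))
```
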