Registry Run Key - veramine/Detections GitHub Wiki
Adding an entry to the "run keys" in the Registry or to the startup folder causes the referenced program to be executed when a user logs in. The program runs in the context of that user and has the account's associated permission level.
Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use Masquerading to make the Registry entries look as if they are associated with legitimate programs.
Veramine's detection engine flags every new run key created and every modification to existing run keys. Here is an example of that detection type:
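Separately from Veramine's own output, the following is an added sketch (not Veramine's code or detection format) of the logic described above: alert on every new value under a Run/RunOnce key and on every change to an existing one. The event field names (`TargetObject`, `Details`, `Image`), the baseline format and all sample data are assumptions constructed for illustration; the startup folder is not covered.

```python
import re

# Run and RunOnce under HKLM or a per-user hive, including the 32-bit view.
RUN_KEY = re.compile(
    r"^(?:HKLM|HKU\\[^\\]+)\\SOFTWARE\\(?:WOW6432Node\\)?"
    r"Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce)\\[^\\]+$",
    re.IGNORECASE,
)

def detect_run_key_changes(events, baseline=None):
    """Return one alert per new or modified Run/RunOnce value.

    events:   dicts with TargetObject (key path plus value name), Details
              (value data) and Image (writing process); assumed field names.
    baseline: {TargetObject: data} for values already known to exist.
    """
    # Registry paths are case-insensitive, so compare on the lowercased path.
    state = {k.lower(): v for k, v in (baseline or {}).items()}
    alerts = []
    for ev in events:
        target, data = ev["TargetObject"], ev["Details"]
        if not RUN_KEY.match(target):
            continue
        old = state.get(target.lower())
        if old == data:
            continue  # same data written again: neither new nor modified
        alerts.append({"kind": "new" if old is None else "modified",
                       "target": target, "old": old, "new": data,
                       "writer": ev["Image"]})
        state[target.lower()] = data
    return alerts

# Constructed sample data (not taken from the wiki page or a real host).
RUN = r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_BASELINE = {"HKLM" + RUN + r"\Backup": r"C:\Program Files\Backup\agent.exe"}
SAMPLE_EVENTS = [
    {"TargetObject": r"HKU\S-1-5-21-1-2-3-1001" + RUN + r"\Updater",
     "Details": r"C:\Users\alice\AppData\Roaming\updater.exe",
     "Image": r"C:\Windows\System32\reg.exe"},
    {"TargetObject": "HKLM" + RUN + r"\Backup",
     "Details": r"C:\ProgramData\agent.exe",
     "Image": r"C:\Windows\System32\reg.exe"},
    {"TargetObject": r"HKLM\SOFTWARE\Example\Settings\Run",
     "Details": "1", "Image": r"C:\Example\app.exe"},
]

if __name__ == "__main__":
    for alert in detect_run_key_changes(SAMPLE_EVENTS, SAMPLE_BASELINE):
        print(alert["kind"], alert["target"], "->", alert["new"])
```

Keeping the old and new data plus the writing process in each alert gives an analyst what is needed to judge whether an entry with a legitimate-looking name points at an unexpected binary.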