Detectionmediumtest
CurrentVersion Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, François HubautCreated Fri Oct 25Updated Wed Oct 2220f0ee37-5942-4e45-b7d5-c5b5db9df5cdwindows
Log Source
WindowsRegistry Set
ProductWindows← raw: windows
CategoryRegistry Set← raw: registry_set
Detection Logic
Detection Logic27 selectors
detection:
selection_current_version_base:
TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion'
selection_current_version_keys:
TargetObject|contains:
- '\ShellServiceObjectDelayLoad'
- '\Run\'
- '\RunOnce\'
- '\RunOnceEx\'
- '\RunServices\'
- '\RunServicesOnce\'
- '\Policies\System\Shell'
- '\Policies\Explorer\Run'
- '\Group Policy\Scripts\Startup'
- '\Group Policy\Scripts\Shutdown'
- '\Group Policy\Scripts\Logon'
- '\Group Policy\Scripts\Logoff'
- '\Explorer\ShellServiceObjects'
- '\Explorer\ShellIconOverlayIdentifiers'
- '\Explorer\ShellExecuteHooks'
- '\Explorer\SharedTaskScheduler'
- '\Explorer\Browser Helper Objects'
- '\Authentication\PLAP Providers'
- '\Authentication\Credential Providers'
- '\Authentication\Credential Provider Filters'
filter_main_generic_all:
- Details: '(Empty)'
- TargetObject|endswith: '\NgcFirst\ConsecutiveSwitchCount'
- Image|endswith:
- '\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe' # C:\Users\*\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
- '\AppData\Roaming\Spotify\Spotify.exe'
- '\AppData\Local\WebEx\WebexHost.exe'
- Image:
- 'C:\WINDOWS\system32\devicecensus.exe'
- 'C:\Windows\system32\winsat.exe'
- 'C:\Program Files\Microsoft OneDrive\StandaloneUpdater\OneDriveSetup.exe'
- 'C:\Program Files (x86)\Microsoft OneDrive\StandaloneUpdater\OneDriveSetup.exe'
- 'C:\Program Files\Microsoft OneDrive\Update\OneDriveSetup.exe'
- 'C:\Program Files (x86)\Microsoft OneDrive\Update\OneDriveSetup.exe'
- 'C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe'
- 'C:\Program Files (x86)\Microsoft Office\root\integration\Addons\OneDriveSetup.exe'
- 'C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe'
- 'C:\Program Files\Everything\Everything.exe'
- 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
- 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
filter_main_null:
Details: null
filter_main_logonui:
Image: 'C:\Windows\system32\LogonUI.exe'
TargetObject|contains:
- '\Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}\' # PIN
- '\Authentication\Credential Providers\{BEC09223-B018-416D-A0AC-523971B639F5}\' # fingerprint
- '\Authentication\Credential Providers\{8AF662BF-65A0-4D0A-A540-A338A999D36F}\' # facial recognizion
- '\Authentication\Credential Providers\{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}\' # Trusted Signal (Phone proximity, Network location)
filter_main_edge:
Image|startswith:
- 'C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\'
- 'C:\Program Files (x86)\Microsoft\EdgeWebView\'
- 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
filter_main_defender:
Image: 'C:\Program Files\Windows Defender\MsMpEng.exe'
filter_main_teams:
Image|endswith: '\Microsoft\Teams\current\Teams.exe'
Details|contains: '\Microsoft\Teams\Update.exe --processStart '
filter_main_ctfmon:
Image: 'C:\Windows\system32\userinit.exe'
Details: 'ctfmon.exe /n'
filter_optional_dropbox:
Image: 'C:\Windows\system32\regsvr32.exe'
TargetObject|contains: 'DropboxExt'
Details|endswith: 'A251-47B7-93E1-CDD82E34AF8B}'
filter_optional_opera_1:
TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Opera Browser Assistant'
Details: 'C:\Program Files\Opera\assistant\browser_assistant.exe'
filter_optional_opera_2:
TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Run\Opera Stable'
Details:
- 'C:\Program Files\Opera\launcher.exe'
- 'C:\Program Files (x86)\Opera\launcher.exe'
filter_optional_itunes:
TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iTunesHelper'
Details: '"C:\Program Files\iTunes\iTunesHelper.exe"'
filter_optional_zoom:
TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zoommsirepair'
Details: '"C:\Program Files\Zoom\bin\installer.exe" /repair'
filter_optional_greenshot:
TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Greenshot'
Details: 'C:\Program Files\Greenshot\Greenshot.exe'
filter_optional_googledrive1:
TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Run\GoogleDriveFS'
Details|startswith: 'C:\Program Files\Google\Drive File Stream\'
Details|contains: '\GoogleDriveFS.exe'
filter_optional_googledrive2:
TargetObject|contains: 'GoogleDrive'
Details:
- '{CFE8B367-77A7-41D7-9C90-75D16D7DC6B6}'
- '{A8E52322-8734-481D-A7E2-27B309EF8D56}'
- '{C973DA94-CBDF-4E77-81D1-E5B794FBD146}'
- '{51EF1569-67EE-4AD6-9646-E726C3FFC8A2}'
filter_optional_onedrive:
Details|startswith:
- 'C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\'
- 'C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\'
Details|contains: '\AppData\Local\Microsoft\OneDrive\'
filter_optional_python:
TargetObject|contains: '\Microsoft\Windows\CurrentVersion\RunOnce\{'
Details|contains|all:
- '\AppData\Local\Package Cache\{'
- '}\python-'
Details|endswith: '.exe" /burn.runonce'
filter_optional_officeclicktorun:
Image|startswith:
- 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
- 'C:\Program Files (x86)\Common Files\Microsoft Shared\ClickToRun\'
Image|endswith: '\OfficeClickToRun.exe'
filter_optional_teams:
Image|endswith: '\Microsoft\Teams\current\Teams.exe'
Details|contains: '\Microsoft\Teams\Update.exe --processStart'
filter_optional_AVG_setup:
Image|contains:
- 'C:\Program Files\AVG\Antivirus\Setup\'
- 'C:\Program Files (x86)\AVG\Antivirus\Setup\'
- '\instup.exe'
Details:
- '"C:\Program Files\AVG\Antivirus\AvLaunch.exe" /gui'
- '"C:\Program Files (x86)\AVG\Antivirus\AvLaunch.exe" /gui'
- '{472083B0-C522-11CF-8763-00608CC02F24}'
- '{472083B1-C522-11CF-8763-00608CC02F24}'
filter_optional_Avast:
Image|contains:
- 'C:\Program Files\Avast Software\Avast\Setup\'
- 'C:\Program Files (x86)\Avast Software\Avast\Setup\'
- '\instup.exe'
Details:
- '"C:\Program Files\Avast Software\Avast\AvLaunch.exe" /gui'
- '"C:\Program Files (x86)\Avast Software\Avast\AvLaunch.exe" /gui'
filter_optional_AVG_avgtoolsvc:
Image:
- 'C:\Program Files\AVG\Antivirus\avgToolsSvc.exe'
- 'C:\Program Files (x86)\AVG\Antivirus\avgToolsSvc.exe'
TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\'
Details: 'Binary Data'
filter_optional_aurora_dashboard:
Image|endswith:
- '\aurora-agent-64.exe'
- '\aurora-agent.exe'
TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Run\aurora-dashboard'
Details: 'C:\Program Files\Aurora-Agent\tools\aurora-dashboard.exe'
filter_optional_everything:
TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Run\Everything'
Details|endswith: '\Everything\Everything.exe" -startup' # We remove the starting part as it could be installed in different locations
filter_optional_discord:
TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Run\Discord'
Details|endswith: '\Discord\Update.exe --processStart Discord.exe'
condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*False Positives
Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
Legitimate administrator sets up autorun keys for legitimate reason
MITRE ATT&CK
Related Rules
Similar
Rule not found17f878b8-9968-4578-b814-c4217fc5768c
Rule Metadata
Rule ID
20f0ee37-5942-4e45-b7d5-c5b5db9df5cd
Status
test
Level
medium
Type
Detection
Created
Fri Oct 25
Modified
Wed Oct 22
Author
Path
rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml
Raw Tags
attack.privilege-escalationattack.persistenceattack.t1547.001