Detectionmediumtest
Wow6432Node Windows NT CurrentVersion Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, François HubautCreated Fri Oct 25Updated Wed Oct 22480421f9-417f-4d3b-9552-fd2728443ec8windows
Log Source
WindowsRegistry Set
ProductWindows← raw: windows
CategoryRegistry Set← raw: registry_set
Detection Logic
Detection Logic5 selectors
detection:
selection_wow_nt_current_version_base:
TargetObject|contains: '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion'
selection_wow_nt_current_version:
TargetObject|contains:
- '\Windows\Appinit_Dlls'
- '\Image File Execution Options'
- '\Drivers32'
filter_main_empty:
Details: '(Empty)'
filter_main_null:
Details: null
filter_main_file_exec_options:
Details|endswith: '\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
condition: all of selection_* and not 1 of filter_main_*False Positives
Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
Legitimate administrator sets up autorun keys for legitimate reason
MITRE ATT&CK
Related Rules
Similar
Rule not found17f878b8-9968-4578-b814-c4217fc5768c
Rule Metadata
Rule ID
480421f9-417f-4d3b-9552-fd2728443ec8
Status
test
Level
medium
Type
Detection
Created
Fri Oct 25
Modified
Wed Oct 22
Author
Path
rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml
Raw Tags
attack.privilege-escalationattack.persistenceattack.t1547.001