Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Classes Autorun Keys Modification

Detects modification of Windows Registry Classes keys used for persistence. Adversaries modify these autostart extensibility points (ASEP) to execute malicious code when file types are opened or actions are performed. Various legitimate software also uses these keys. Currently, this rule only filters out known legitimate software paths, thus it is recommended to review and tune filters for your environment to reduce false positives before deploying to production.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, François HubautCreated Fri Oct 25Updated Wed Oct 229df5f547-c86a-433e-b533-f2794357e242windows
Log Source
WindowsRegistry Set
ProductWindows← raw: windows
CategoryRegistry Set← raw: registry_set
Detection Logic
Detection Logic7 selectors
detection:
    selection_classes_base:
        TargetObject|contains: '\Software\Classes'
    selection_classes_target:
        TargetObject|contains:
            - '\Folder\ShellEx\ExtShellFolderViews'
            - '\Folder\ShellEx\DragDropHandlers'
            - '\Folder\Shellex\ColumnHandlers'
            - '\Filter'
            - '\Exefile\Shell\Open\Command\(Default)'
            - '\Directory\Shellex\DragDropHandlers'
            - '\Directory\Shellex\CopyHookHandlers'
            - '\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance'
            - '\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance'
            - '\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance'
            - '\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance'
            - '\Classes\AllFileSystemObjects\ShellEx\DragDropHandlers'
            - '\.exe'
            - '\.cmd'
            - '\ShellEx\PropertySheetHandlers'
            - '\ShellEx\ContextMenuHandlers'
    filter_main_drivers:
        Image: 'C:\Windows\System32\drvinst.exe'
    filter_main_empty:
        Details: '(Empty)'
    filter_main_null:
        Details: null
    filter_main_svchost:
        Image: 'C:\Windows\System32\svchost.exe'
        # If more targets are found from "svchost". Please exclude the whole image
        TargetObject|contains: '\lnkfile\shellex\ContextMenuHandlers\'
    filter_optional_msoffice:
        Details: '{807583E5-5146-11D5-A672-00B0D022E945}'
    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
False Positives

Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason

Legitimate administrator sets up autorun keys for legitimate reason

References
1
Resolving title…
github.com
2
Resolving title…
learn.microsoft.com
3
Resolving title…
gist.github.com
MITRE ATT&CK
Related Rules
Similar

17f878b8-9968-4578-b814-c4217fc5768c

Rule not found
Rule Metadata
Rule ID
9df5f547-c86a-433e-b533-f2794357e242
Status
test
Level
medium
Type
Detection
Created
Fri Oct 25
Modified
Wed Oct 22
Author
Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, François Hubaut
Path
rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml
Raw Tags
attack.privilege-escalationattack.persistenceattack.t1547.001
View on GitHub