Run Once Task Configuration in Registry
Type: Detection | Level: medium | Status: test
Rule to detect the configuration of the Run Once registry key. The configured payload can be run by runonce.exe /AlternateShellStartup
Author: Avneet Singh, oscd.community | Created: Sun Nov 15 | Updated: Mon Mar 25 | ID: c74d7efc-8826-45d9-b8bb-f04fac9e4eff | Product: windows
Log Source
Windows / Registry Event
Product: Windows (raw: windows)
Category: Registry Event (raw: registry_event)
Events for Windows Registry modifications including key creation, modification, and deletion.
Detection Logic (3 selectors)
detection:
    selection:
        TargetObject|contains: '\Microsoft\Active Setup\Installed Components'
        TargetObject|endswith: '\StubPath'
    filter_optional_chrome:
        Details|contains|all:
            - 'C:\Program Files\Google\Chrome\Application\'
            - '\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level' # In some cases the Details will contain an additional flag called "--channel=stable" at the end
    filter_optional_edge:
        Details|contains:
            - 'C:\Program Files (x86)\Microsoft\Edge\Application\'
            - 'C:\Program Files\Microsoft\Edge\Application\'
        Details|endswith: '\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable'
    condition: selection and not 1 of filter_optional_*
False Positives
Legitimate modification of the registry key by legitimate program
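The detection logic above evaluated in plain Python, as an added example that is not part of the Sigma rule or of SigmaHQ's tooling; the registry events, GUIDs, version folders and paths it uses are constructed placeholders, and it applies the same selection and filter semantics (case-insensitive contains/endswith) to any registry_event record carrying TargetObject and Details fields.

```python
# Added example (not SigmaHQ code): this rule's selection and
# filter_optional_* blocks in plain Python, run over constructed
# registry_event records. Sigma's contains/endswith modifiers are
# case-insensitive, so everything is compared in lower case.

SEL_CONTAINS = "\\microsoft\\active setup\\installed components"
SEL_ENDSWITH = "\\stubpath"
CHROME_ALL = ["c:\\program files\\google\\chrome\\application\\",
              "\\installer\\chrmstp.exe\" --configure-user-settings "
              "--verbose-logging --system-level"]
EDGE_ANY = ["c:\\program files (x86)\\microsoft\\edge\\application\\",
            "c:\\program files\\microsoft\\edge\\application\\"]
EDGE_ENDSWITH = ("\\installer\\setup.exe\" --configure-user-settings "
                 "--verbose-logging --system-level --msedge --channel=stable")

def rule_matches(event):
    """condition: selection and not 1 of filter_optional_*"""
    target = str(event.get("TargetObject", "")).lower()
    details = str(event.get("Details", "")).lower()
    selection = SEL_CONTAINS in target and target.endswith(SEL_ENDSWITH)
    # contains|all: a trailing "--channel=stable" still passes, since this
    # filter uses contains rather than endswith
    chrome = all(s in details for s in CHROME_ALL)
    edge = any(s in details for s in EDGE_ANY) and details.endswith(EDGE_ENDSWITH)
    return selection and not (chrome or edge)

# Constructed samples: GUIDs, version folders and paths are placeholders.
KEY = "HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\"
SAMPLE_EVENTS = {
    "chrome_setup": {
        "TargetObject": KEY + "{0000-C1}\\StubPath",
        "Details": "\"C:\\Program Files\\Google\\Chrome\\Application\\1.0.0.0"
                   "\\Installer\\chrmstp.exe\" --configure-user-settings "
                   "--verbose-logging --system-level --channel=stable"},
    "edge_setup": {
        "TargetObject": KEY + "{0000-E1}\\StubPath",
        "Details": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\1.0.0.0"
                   "\\Installer\\setup.exe\" --configure-user-settings "
                   "--verbose-logging --system-level --msedge --channel=stable"},
    "unknown_stub": {
        "TargetObject": KEY + "{0000-A1}\\StubPath",
        "Details": "C:\\Users\\Public\\stub.exe"},
    "version_only": {
        "TargetObject": KEY + "{0000-A1}\\Version",
        "Details": "1,0,0,0"},
}

def alerts(events=SAMPLE_EVENTS):
    # names of the events that fire this rule
    return [name for name, ev in events.items() if rule_matches(ev)]
```

Only the StubPath write whose Details point outside the Chrome and Edge installer paths fires; the Version value is ignored by the selection's endswith, and the browsers' own Active Setup entries are dropped by the optional filters.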
MITRE ATT&CK
Techniques
Rule Metadata
Rule ID: c74d7efc-8826-45d9-b8bb-f04fac9e4eff
Status: test
Level: medium
Type: Detection
Created: Sun Nov 15
Modified: Mon Mar 25
Author: Avneet Singh, oscd.community
Path: rules/windows/registry/registry_event/registry_event_runonce_persistence.yml
Raw Tags: attack.persistence, attack.defense-evasion, attack.t1112