CurrentVersion NT Autorun Keys Modification

detection:
    selection_nt_current_version_base:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    selection_nt_current_version:
        TargetObject|contains:
            - '\Winlogon\VmApplet'
            - '\Winlogon\Userinit'
            - '\Winlogon\Taskman'
            - '\Winlogon\Shell'
            - '\Winlogon\GpExtensions'
            - '\Winlogon\AppSetup'
            - '\Winlogon\AlternateShells\AvailableShells'
            - '\Windows\IconServiceLib'
            - '\Windows\Appinit_Dlls'
            - '\Image File Execution Options' # Covered in better details in 36803969-5421-41ec-b92f-8500f79c23b0
            - '\Font Drivers'
            - '\Drivers32'
            - '\Windows\Run'
            - '\Windows\Load'
    filter_main_empty:
        Details: '(Empty)'
    filter_main_null:
        Details: null
    filter_main_poqexec:
        Image: 'C:\Windows\System32\poqexec.exe'
    filter_main_legitimate_subkey:  # Legitimately used subkeys of \Image File Execution Options, which are not used for persistence (see https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/)
        TargetObject|contains: '\Image File Execution Options\'
        TargetObject|endswith:
            - '\DisableExceptionChainValidation'
            - '\MitigationOptions'
    filter_main_security_extension_dc:
        Image: 'C:\Windows\system32\svchost.exe'
        TargetObject|contains:
            - '\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\PreviousPolicyAreas'
            - '\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\MaxNoGPOListChangesInterval'
        Details:
            - 'DWORD (0x00000001)'
            - 'DWORD (0x00000009)'
            - 'DWORD (0x000003c0)'
    filter_main_runtimebroker:
        Image: 'C:\Windows\System32\RuntimeBroker.exe'
        TargetObject|contains: '\runtimebroker.exe\Microsoft.Windows.ShellExperienceHost'
    filter_optional_edge:
        Image|startswith: 'C:\Program Files (x86)\Microsoft\Temp\'
        Image|endswith: '\MicrosoftEdgeUpdate.exe'
    filter_optional_avguard:
        Image|startswith:
            - 'C:\Program Files (x86)\Avira\Antivirus\avguard.exe'
            - 'C:\Program Files\Avira\Antivirus\avguard.exe'
        TargetObject|contains: 'SOFTWARE\WOW6432Node\Avira\Antivirus\Overwrite_Keys\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\'
        TargetObject|endswith:
            - '\userinit\UseAsDefault'
            - '\shell\UseAsDefault'
        Details:
            - 'explorer.exe'
            - 'C:\Windows\system32\userinit.exe,'
    filter_optional_msoffice:
        - TargetObject|contains:
              - '\ClickToRunStore\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\'
              - '\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\'
        - Image:
              - 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
              - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
    filter_optional_officeclicktorun:
        Image|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
        Image|endswith: '\OfficeClickToRun.exe'
    filter_optional_ngen:
        Image|startswith: 'C:\Windows\Microsoft.NET\Framework'
        Image|endswith: '\ngen.exe'
    filter_optional_onedrive:
        Image|endswith: '\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe'
        TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary'
        Details|startswith: 'C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\'
        Details|endswith: '\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe"'
    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*