
WinSock2 Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

Authors: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, François Hubaut
Created: Fri Oct 25
Updated: Thu Aug 17
Rule ID: d6c2ce7e-afb5-4337-9ca4-4b5254ed0565
Product: windows
Log Source
Product: Windows (raw value: windows)
Category: Registry Set (raw value: registry_set)

Detection Logic (3 selectors)
detection:
    winsock_parameters_base:
        TargetObject|contains: '\System\CurrentControlSet\Services\WinSock2\Parameters'
    winsock_parameters:
        TargetObject|contains:
            - '\Protocol_Catalog9\Catalog_Entries'
            - '\NameSpace_Catalog5\Catalog_Entries'
    filter:
        - Details: '(Empty)'
        - Image: 'C:\Windows\System32\MsiExec.exe'
        - Image: 'C:\Windows\syswow64\MsiExec.exe'
    condition: winsock_parameters_base and winsock_parameters and not filter
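To see how the three selectors and the filter combine, here is an added evaluator (not part of the Sigma rule or the Sigma project) that applies the rule's logic to constructed Sysmon Event ID 13 style records; it assumes the field names TargetObject, Image and Details and applies Sigma's default case-insensitive substring matching for `|contains` and exact matching for plain values.

```python
"""Apply the WinSock2 ASEP rule above to constructed registry-set events."""

# Selector values copied from the rule's YAML.
BASE_PATH = r"\System\CurrentControlSet\Services\WinSock2\Parameters"
CATALOG_PATHS = (
    r"\Protocol_Catalog9\Catalog_Entries",
    r"\NameSpace_Catalog5\Catalog_Entries",
)
FILTER_IMAGES = {
    r"C:\Windows\System32\MsiExec.exe",
    r"C:\Windows\syswow64\MsiExec.exe",
}
FILTER_DETAILS = "(Empty)"


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies
    'winsock_parameters_base and winsock_parameters and not filter'."""
    target = event.get("TargetObject", "").lower()
    image = event.get("Image", "").lower()
    details = event.get("Details", "").lower()

    base_hit = BASE_PATH.lower() in target                      # winsock_parameters_base
    catalog_hit = any(p.lower() in target for p in CATALOG_PATHS)  # winsock_parameters (OR list)
    # The filter is a list of maps, so any one of them matching excludes the event.
    filtered = details == FILTER_DETAILS.lower() or image in {i.lower() for i in FILTER_IMAGES}
    return base_hit and catalog_hit and not filtered


# Constructed sample events (not real telemetry); paths follow the rule's key layout.
_PROTO = r"HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012\PackedCatalogItem"
_NS = r"HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\LibraryPath"
_OTHER = r"HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Current_NameSpace_Catalog"
SAMPLE_EVENTS = [
    {"TargetObject": _PROTO, "Image": r"C:\Temp\unknown.exe", "Details": "Binary Data"},  # alert
    {"TargetObject": _PROTO, "Image": r"C:\Windows\System32\MsiExec.exe", "Details": "Binary Data"},  # installer, filtered
    {"TargetObject": _NS, "Image": r"C:\Temp\unknown.exe", "Details": "(Empty)"},  # empty value, filtered
    {"TargetObject": _OTHER, "Image": r"C:\Temp\unknown.exe", "Details": "DWORD (0x00000001)"},  # not a catalog entry
]


def evaluate(events: list[dict]) -> list[bool]:
    """Evaluate every event; handy for checking a rule change against known cases."""
    return [matches_rule(e) for e in events]


if __name__ == "__main__":
    for ev, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print("ALERT " if hit else "ignore", ev["TargetObject"])
```

Only the first constructed event fires; the other three show each exclusion path (installer image, empty value, key outside the two catalog subtrees).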
False Positives

Legitimate software automatically (mostly during installation) sets up autorun keys for legitimate reasons

A legitimate administrator sets up autorun keys for legitimate reasons

Related Rules
Derived: 17f878b8-9968-4578-b814-c4217fc5768c
Rule Metadata
Rule ID: d6c2ce7e-afb5-4337-9ca4-4b5254ed0565
Status: test
Level: medium
Type: Detection
Created: Fri Oct 25
Modified: Thu Aug 17
Path: rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml
Raw Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001