Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

System Scripts Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, François HubautCreated Fri Oct 25Updated Thu Aug 17e7a2fd40-3ae1-4a85-bf80-15cf624fb1b1windows
Log Source
WindowsRegistry Set
ProductWindows← raw: windows
CategoryRegistry Set← raw: registry_set
Detection Logic
Detection Logic3 selectors
detection:
    scripts_base:
        TargetObject|contains: '\Software\Policies\Microsoft\Windows\System\Scripts'
    scripts:
        TargetObject|contains:
            - '\Startup'
            - '\Shutdown'
            - '\Logon'
            - '\Logoff'
    filter:
        Details: '(Empty)'
    condition: scripts_base and scripts and not filter
False Positives

Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason

Legitimate administrator sets up autorun keys for legitimate reason

References
1
Resolving title…
github.com
2
Resolving title…
learn.microsoft.com
3
Resolving title…
gist.github.com
MITRE ATT&CK
Related Rules
Similar

17f878b8-9968-4578-b814-c4217fc5768c

Rule not found
Rule Metadata
Rule ID
e7a2fd40-3ae1-4a85-bf80-15cf624fb1b1
Status
test
Level
medium
Type
Detection
Created
Fri Oct 25
Modified
Thu Aug 17
Author
Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, François Hubaut
Path
rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml
Raw Tags
attack.privilege-escalationattack.persistenceattack.t1547.001
View on GitHub