CurrentControlSet Autorun Keys Modification
Type: Detection | Level: medium | Status: test
Detects modification of autostart extensibility point (ASEP) in registry.
Authors: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, François Hubaut
Created: Fri Oct 25 | Updated: Thu Aug 17
Rule ID: f674e36a-4b91-431e-8aef-f8a96c2aca35 | Product: windows
Log Source
Product: Windows (raw: windows)
Category: Registry Set (raw: registry_set)
Detection Logic (7 selectors)
detection:
    system_control_base:
        TargetObject|contains: '\SYSTEM\CurrentControlSet\Control'
    system_control_keys:
        TargetObject|contains:
            - '\Terminal Server\WinStations\RDP-Tcp\InitialProgram'
            - '\Terminal Server\Wds\rdpwd\StartupPrograms'
            - '\SecurityProviders\SecurityProviders'
            - '\SafeBoot\AlternateShell'
            - '\Print\Providers'
            - '\Print\Monitors'
            - '\NetworkProvider\Order'
            - '\Lsa\Notification Packages'
            - '\Lsa\Authentication Packages'
            - '\BootVerificationProgram\ImagePath'
    filter_empty:
        Details: '(Empty)'
    filter_cutepdf:
        Image: 'C:\Windows\System32\spoolsv.exe'
        TargetObject|contains: '\Print\Monitors\CutePDF Writer Monitor'
        Details:
            - 'cpwmon64_v40.dll'
            - 'CutePDF Writer'
    filter_onenote:
        Image: 'C:\Windows\System32\spoolsv.exe'
        TargetObject|contains: 'Print\Monitors\Appmon\Ports\Microsoft.Office.OneNote_'
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    filter_poqexec:
        Image: 'C:\Windows\System32\poqexec.exe'
        TargetObject|endswith: '\NetworkProvider\Order\ProviderOrder'
    filter_realvnc:
        Image: 'C:\Windows\System32\spoolsv.exe'
        TargetObject|endswith: '\Print\Monitors\MONVNC\Driver'
        Details: 'VNCpm.dll'
    condition: all of system_control_* and not 1 of filter_*
False Positives
Legitimate software (mostly during installation) sets up autorun keys for a legitimate reason
A legitimate administrator sets up autorun keys for a legitimate reason
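To make the detection logic and the false-positive handling above concrete, here is an added example (not code from the rule, its authors, or the Sigma project) that re-implements the rule's selections, filters and condition in Python and runs them over constructed Sysmon Event ID 13 (registry value set) records using the Sigma registry_set field names (Image, TargetObject, Details, User). Sigma string matching is case-insensitive and a list under a field is an OR of its values, which the helpers reproduce. All sample paths, user names and values in the records are constructed, not real telemetry.

```python
# Added example, not the rule's or the Sigma project's own code: evaluate this
# rule's detection block over constructed Sysmon Event ID 13 records.

# Values copied from the rule's YAML.
SYSTEM_CONTROL_BASE = "\\SYSTEM\\CurrentControlSet\\Control"
SYSTEM_CONTROL_KEYS = [
    "\\Terminal Server\\WinStations\\RDP-Tcp\\InitialProgram",
    "\\Terminal Server\\Wds\\rdpwd\\StartupPrograms",
    "\\SecurityProviders\\SecurityProviders",
    "\\SafeBoot\\AlternateShell",
    "\\Print\\Providers",
    "\\Print\\Monitors",
    "\\NetworkProvider\\Order",
    "\\Lsa\\Notification Packages",
    "\\Lsa\\Authentication Packages",
    "\\BootVerificationProgram\\ImagePath",
]
SPOOLSV = "C:\\Windows\\System32\\spoolsv.exe"
POQEXEC = "C:\\Windows\\System32\\poqexec.exe"


def _field(event, name):
    """Lower-cased field value; a missing field behaves like an empty string."""
    return str(event.get(name, "")).lower()


def contains(event, name, needles):      # Sigma |contains, list = OR
    value = _field(event, name)
    return any(n.lower() in value for n in needles)


def endswith(event, name, suffix):       # Sigma |endswith
    return _field(event, name).endswith(suffix.lower())


def equals(event, name, candidates):     # plain field match, list = OR
    value = _field(event, name)
    return any(value == c.lower() for c in candidates)


# One function per selection; field tests inside a selection are ANDed.
def system_control_base(e):
    return contains(e, "TargetObject", [SYSTEM_CONTROL_BASE])

def system_control_keys(e):
    return contains(e, "TargetObject", SYSTEM_CONTROL_KEYS)

def filter_empty(e):
    return equals(e, "Details", ["(Empty)"])

def filter_cutepdf(e):
    return (equals(e, "Image", [SPOOLSV])
            and contains(e, "TargetObject", ["\\Print\\Monitors\\CutePDF Writer Monitor"])
            and equals(e, "Details", ["cpwmon64_v40.dll", "CutePDF Writer"]))

def filter_onenote(e):
    return (equals(e, "Image", [SPOOLSV])
            and contains(e, "TargetObject", ["Print\\Monitors\\Appmon\\Ports\\Microsoft.Office.OneNote_"])
            and contains(e, "User", ["AUTHORI", "AUTORI"]))

def filter_poqexec(e):
    return (equals(e, "Image", [POQEXEC])
            and endswith(e, "TargetObject", "\\NetworkProvider\\Order\\ProviderOrder"))

def filter_realvnc(e):
    return (equals(e, "Image", [SPOOLSV])
            and endswith(e, "TargetObject", "\\Print\\Monitors\\MONVNC\\Driver")
            and equals(e, "Details", ["VNCpm.dll"]))

SELECTIONS = [system_control_base, system_control_keys]
FILTERS = [filter_empty, filter_cutepdf, filter_onenote, filter_poqexec, filter_realvnc]


def matches(event):
    """condition: all of system_control_* and not 1 of filter_*"""
    return all(s(event) for s in SELECTIONS) and not any(f(event) for f in FILTERS)


def triggered_filters(event):
    """Names of the filter_* selections that suppressed the event (tuning review)."""
    return [f.__name__ for f in FILTERS if f(event)]


# Constructed records (not real telemetry) in Sigma registry_set field names.
SAMPLE_EVENTS = [
    {   # an installer from a user temp directory registers an LSA notification package: alert
        "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe",
        "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Notification Packages",
        "Details": "scecli", "User": "CORP\\alice"},
    {   # spooler registers the CutePDF print monitor: suppressed by filter_cutepdf
        "Image": SPOOLSV,
        "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\CutePDF Writer Monitor\\Driver",
        "Details": "cpwmon64_v40.dll", "User": "NT AUTHORITY\\SYSTEM"},
    {   # poqexec.exe rewrites ProviderOrder during servicing: suppressed by filter_poqexec
        "Image": POQEXEC,
        "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\NetworkProvider\\Order\\ProviderOrder",
        "Details": "RDPNP,LanmanWorkstation,webclient", "User": "NT AUTHORITY\\SYSTEM"},
    {   # value under Control that is not one of the listed ASEPs: no alert
        "Image": "C:\\Windows\\System32\\svchost.exe",
        "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\\TEMP",
        "Details": "C:\\Windows\\TEMP", "User": "NT AUTHORITY\\SYSTEM"},
]


def alerts(events):
    """TargetObject of every record the rule would fire on."""
    return [e["TargetObject"] for e in events if matches(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print("ALERT" if matches(e) else "quiet", e["Image"], "->", e["TargetObject"],
              triggered_filters(e) or "")
```

Running the block prints one line per record; only the first record fires. The two suppressed records illustrate the false-positive class listed above (installer and servicing activity writing ASEP values), and `triggered_filters` shows which filter_* selection absorbed each one, which is the information you want when deciding whether a filter is still justified in your environment.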
MITRE ATT&CK
Tactics: Persistence, Privilege Escalation
Technique: T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder)
Related Rules
Similar: 17f878b8-9968-4578-b814-c4217fc5768c (rule not found in this index)
Rule Metadata
Rule ID: f674e36a-4b91-431e-8aef-f8a96c2aca35
Status: test
Level: medium
Type: Detection
Created: Fri Oct 25
Modified: Thu Aug 17
Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, François Hubaut
Path: rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml
Raw Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001