AdSearch Reg Runkey Persistence Execution (RedCanary Threat Detection Report)
Detects registry modifications to CurrentVersion\Run key, associated with AdSearch. Part of the RedCanary 2023 Threat Detection Report.
Sigma rule
```yaml
title: AdSearch Reg Runkey Persistence Execution (RedCanary Threat Detection Report)
id: b50624c2-7867-4685-817e-88c72da264c7
status: experimental
description: Detects registry modifications to CurrentVersion\Run key, associated with AdSearch. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/threats/adsearch/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.persistence
    - attack.t1547.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'reg'
            - 'add'
            - 'currentversion\run'
    condition: selection
falsepositives:
    - Rule is likely to require tuning to exclude normal, authorized activity
level: low
```
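To see what the selection above actually fires on, the following Python snippet replays the rule's `CommandLine|contains|all` logic over a handful of constructed process-creation events. It is an added example written for this page, not code from RedCanary, the Sigma project or the rule author; the sample events, the `ALLOWED_PARENTS` exclusion and the function names are assumptions made for illustration.

```python
"""Replay the Sigma selection `CommandLine|contains|all` over sample events.

Added example for this page; not code from the rule author or the Sigma project.
"""

# The three substrings from the rule's selection. Raw strings keep the
# backslash literal (a plain "\r" would be a carriage return).
RULE_TERMS = ("reg", "add", r"currentversion\run")


def matches_rule(command_line: str, terms=RULE_TERMS) -> bool:
    """True when every term occurs in the command line.

    Sigma string modifiers (contains, startswith, ...) are case-insensitive
    by default, so both sides are lowercased before the substring test.
    """
    cl = command_line.lower()
    return all(term.lower() in cl for term in terms)


# Hypothetical tuning knob for the rule's own falsepositives note: parent
# images of deployment tooling that legitimately writes Run keys.
ALLOWED_PARENTS = (r"C:\Program Files\ExampleAgent\agent.exe",)  # assumed path


def matches_tuned(event: dict, allowed_parents=ALLOWED_PARENTS) -> bool:
    """Rule match minus events spawned by an allow-listed parent process."""
    if not matches_rule(event["CommandLine"]):
        return False
    parent = event.get("ParentImage", "").lower()
    return parent not in {p.lower() for p in allowed_parents}


# Constructed sample events (not real telemetry). Field names follow the
# Sigma process_creation taxonomy (Image, CommandLine, ParentImage).
SAMPLE_EVENTS = [
    # 1: classic HKCU Run key persistence via reg.exe -> match
    {"Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" '
                    r'/v Updater /t REG_SZ /d "C:\Users\Public\update.exe" /f'},
    # 2: RunOnce also contains the substring currentversion\run -> match
    {"Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce "
                    r"/v Setup /d C:\setup.exe"},
    # 3: reading the key, no 'add' token -> no match
    {"Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    # 4: 'reg' and 'add' appear inside other words, but no Run key -> no match
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c echo add address to the registry"},
    # 5: reg add to an unrelated key -> no match
    {"Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"reg add HKCU\Software\Contoso\App /v Bar /d 1"},
    # 6: same Run key write, but from the (assumed) deployment agent -> rule
    #    matches, tuned variant suppresses it
    {"Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Program Files\ExampleAgent\agent.exe",
     "CommandLine": r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "
                    r"/v Agent /d C:\agent\tray.exe /f"},
]


def evaluate(events):
    """Apply the untuned rule to each event; returns one bool per event."""
    return [matches_rule(e["CommandLine"]) for e in events]


def evaluate_tuned(events):
    """Apply the rule plus the parent-image exclusion to each event."""
    return [matches_tuned(e) for e in events]


if __name__ == "__main__":
    for event, raw, tuned in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS),
                                 evaluate_tuned(SAMPLE_EVENTS)):
        print(f"rule={raw!s:5} tuned={tuned!s:5} {event['CommandLine'][:60]}")
```

Two things the replay makes visible. First, because the rule is a plain substring test, `currentversion\run` also matches the `RunOnce` and `RunServices` keys, which is usually welcome for T1547.001 coverage but means the name "Run key" undersells what it fires on. Second, the bare `reg` and `add` tokens match inside other words, so the only real discriminator is the key path; the `falsepositives` entry is honest that anything which legitimately populates Run keys (installers, deployment agents) needs an exclusion like the parent-image filter shown. The rule also sees only `reg.exe`-style command lines; Run keys set through PowerShell `Set-ItemProperty` or direct registry API calls need a registry-event rule such as the related "Direct Autorun Keys Modification".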
Related rules
- AdSearch Startup Folder Persistence File Creation (RedCanary Threat Detection Report)
- Direct Autorun Keys Modification
- Startup Folder File Write
- Potential Persistence Attempt Via Run Keys Using Reg.EXE
- Suspicious Run Key from Download