Direct Autorun Keys Modification

 1title: Direct Autorun Keys Modification
 2id: 24357373-078f-44ed-9ac4-6d334a668a11
 3status: test
 4description: Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
 7author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community
 8date: 2019-10-25
 9modified: 2022-08-04
10tags:
11    - attack.persistence
12    - attack.t1547.001
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection_1:
18        Image|endswith: '\reg.exe'
19        CommandLine|contains: 'add'     # to avoid intersection with discovery tactic rules
20    selection_2:
21        CommandLine|contains:           # need to improve this list, there are plenty of ASEP reg keys
22            - '\software\Microsoft\Windows\CurrentVersion\Run' # Also covers the strings "RunOnce", "RunOnceEx", "RunServices", "RunServicesOnce"
23            - '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit'
24            - '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell'
25            - '\software\Microsoft\Windows NT\CurrentVersion\Windows'
26            - '\software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
27            - '\system\CurrentControlSet\Control\SafeBoot\AlternateShell'
28    condition: all of selection_*
29fields:
30    - CommandLine
31    - ParentCommandLine
32falsepositives:
33    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.
34    - Legitimate administrator sets up autorun keys for legitimate reasons.
35    - Discord
36level: medium