Direct Autorun Keys Modification
Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.
Sigma rule (View on GitHub)
1title: Direct Autorun Keys Modification
2id: 24357373-078f-44ed-9ac4-6d334a668a11
3status: test
4description: Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
7 - https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
8author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community, Swachchhanda Shrawan Poudel (Nextron Systems)
9date: 2019-10-25
10modified: 2025-02-17
11tags:
12 - attack.privilege-escalation
13 - attack.persistence
14 - attack.t1547.001
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection_img:
20 - Image|endswith: '\reg.exe'
21 - OriginalFileName: 'reg.exe'
22 selection_cli_add:
23 CommandLine|contains: 'add' # to avoid intersection with discovery tactic rules
24 selection_cli_keys:
25 CommandLine|contains: # need to improve this list, there are plenty of ASEP reg keys
26 - '\software\Microsoft\Windows\CurrentVersion\Run' # Also covers the strings "RunOnce", "RunOnceEx", "RunServices", "RunServicesOnce"
27 - '\software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
28 - '\software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
29 - '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit'
30 - '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell'
31 - '\software\Microsoft\Windows NT\CurrentVersion\Windows'
32 - '\software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
33 - '\system\CurrentControlSet\Control\SafeBoot\AlternateShell'
34 condition: all of selection_*
35fields:
36 - CommandLine
37 - ParentCommandLine
38falsepositives:
39 - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.
40 - Legitimate administrator sets up autorun keys for legitimate reasons.
41 - Discord
42level: medium
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More -
Welcome to the page where you will find each trick/technique/whatever I have learnt in CTFs, real life apps, and reading researches and news. - HackTricks-wiki/hacktricks
Read More
Related rules
- Classes Autorun Keys Modification
- Common Autorun Keys Modification
- CurrentControlSet Autorun Keys Modification
- CurrentVersion Autorun Keys Modification
- CurrentVersion NT Autorun Keys Modification