Run Once Task Execution as Configured in Registry
This rule detects the execution of Run Once task as configured in the registry
Sigma rule (View on GitHub)
1title: Run Once Task Execution as Configured in Registry
2id: 198effb6-6c98-4d0c-9ea3-451fa143c45c
3status: test
4description: This rule detects the execution of Run Once task as configured in the registry
5references:
6 - https://twitter.com/pabraeken/status/990717080805789697
7 - https://lolbas-project.github.io/lolbas/Binaries/Runonce/
8 - https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA
9author: 'Avneet Singh @v3t0_, oscd.community, Christopher Peacock @SecurePeacock (updated)'
10date: 2020-10-18
11modified: 2022-12-13
12tags:
13 - attack.persistence
14 - attack.defense-evasion
15 - attack.t1112
16logsource:
17 product: windows
18 category: process_creation
19detection:
20 selection_img:
21 - Image|endswith: '\runonce.exe'
22 - Description: 'Run Once Wrapper'
23 selection_cli:
24 - CommandLine|contains: '/AlternateShellStartup'
25 - CommandLine|endswith: '/r'
26 condition: all of selection_*
27falsepositives:
28 - Unknown
29level: low
References
-
Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.
Read More -
Runonce.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.
Read More -
Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.
Read More
Related rules
- Activate Suppression of Windows Security Center Notifications
- Add DisallowRun Execution to Registry
- Allow RDP Remote Assistance Feature
- Blackbyte Ransomware Registry
- Blue Mockingbird