Run Once Task Execution as Configured in Registry
This rule detects the execution of a RunOnce task as configured in the registry (runonce.exe launched with the /r or /AlternateShellStartup switch).
Sigma rule
title: Run Once Task Execution as Configured in Registry
id: 198effb6-6c98-4d0c-9ea3-451fa143c45c
status: test
description: This rule detects the execution of Run Once task as configured in the registry
references:
    - https://twitter.com/pabraeken/status/990717080805789697
    - https://lolbas-project.github.io/lolbas/Binaries/Runonce/
    - https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA
author: 'Avneet Singh @v3t0_, oscd.community, Christopher Peacock @SecurePeacock (updated)'
date: 2020-10-18
modified: 2022-12-13
tags:
    - attack.defense-evasion
    - attack.t1112
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\runonce.exe'
        - Description: 'Run Once Wrapper'
    selection_cli:
        - CommandLine|contains: '/AlternateShellStartup'
        - CommandLine|endswith: '/r'
    condition: all of selection_*
falsepositives:
    - Unknown
level: low
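The detection block above combines two selections: within each selection the list entries are alternatives (OR), and the condition `all of selection_*` requires both selections to hit (AND). The following added example, which is not part of the rule or the Sigma project, evaluates exactly that logic in Python over a few constructed process_creation events, so you can see which events fire and why. It assumes Sysmon-style field names (Image, Description, CommandLine) and applies Sigma's default case-insensitive string matching; the sample events are made up for illustration.

```python
"""Minimal evaluator for the RunOnce Sigma rule, run over constructed events."""
from typing import Callable


def _ci(value) -> str:
    """Sigma string matching is case-insensitive by default, so normalise to lower case."""
    return str(value or "").lower()


# selection_img: a Sigma list of maps, i.e. any one alternative is enough (OR).
# 'Description' is the PE file description carried in Sysmon process_creation events.
SELECTION_IMG: list[Callable[[dict], bool]] = [
    lambda e: _ci(e.get("Image")).endswith("\\runonce.exe"),      # Image|endswith
    lambda e: _ci(e.get("Description")) == "run once wrapper",     # Description
]

# selection_cli: again OR between the two command-line alternatives.
SELECTION_CLI: list[Callable[[dict], bool]] = [
    lambda e: "/alternateshellstartup" in _ci(e.get("CommandLine")),  # CommandLine|contains
    lambda e: _ci(e.get("CommandLine")).endswith("/r"),               # CommandLine|endswith
]


def matches_rule(event: dict) -> bool:
    """condition: all of selection_* -> selection_img AND selection_cli."""
    return any(f(event) for f in SELECTION_IMG) and any(f(event) for f in SELECTION_CLI)


# Constructed process_creation events (not real telemetry); Image paths are assumptions.
SAMPLE_EVENTS = [
    {   # 0: runonce.exe started without the watched switches -> selection_cli fails
        "Image": r"C:\Windows\System32\runonce.exe",
        "Description": "Run Once Wrapper",
        "CommandLine": "runonce.exe",
    },
    {   # 1: '/r' switch at the end of the command line -> both selections hit
        "Image": r"C:\Windows\System32\runonce.exe",
        "Description": "Run Once Wrapper",
        "CommandLine": "runonce.exe /r",
    },
    {   # 2: binary copied under another name; the PE description still identifies it,
        #    which is why the rule keeps 'Description' as an alternative -> hit
        "Image": r"C:\Users\Public\svc.exe",
        "Description": "Run Once Wrapper",
        "CommandLine": "svc.exe /AlternateShellStartup",
    },
    {   # 3: unrelated binary with a '/r' switch -> selection_img fails, no hit
        "Image": r"C:\Windows\System32\cmd.exe",
        "Description": "Windows Command Processor",
        "CommandLine": "cmd.exe /r",
    },
]


def matching_indices(events: list[dict]) -> list[int]:
    """Return the indices of the events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    print(matching_indices(SAMPLE_EVENTS))  # -> [1, 2]
```

Event 0 shows why the rule is tagged low level and lists "Unknown" false positives: a bare runonce.exe launch is normal Windows behaviour and does not fire; only the /r and /AlternateShellStartup switches, paired with either the image name or its PE description, produce an alert.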
Related rules
- Activate Suppression of Windows Security Center Notifications
- Add DisallowRun Execution to Registry
- Allow RDP Remote Assistance Feature
- Blackbyte Ransomware Registry
- CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry