Run Once Task Configuration in Registry

calendar Oct 23, 2025 · attack.persistence attack.defense-evasion attack.t1112  ·
Share on: linkedin copy

Rule to detect the configuration of Run Once registry key. Configured payload can be run by runonce.exe /AlternateShellStartup

Sigma rule (View on GitHub)

 1title: Run Once Task Configuration in Registry
 2id: c74d7efc-8826-45d9-b8bb-f04fac9e4eff
 3status: test
 4description: Rule to detect the configuration of Run Once registry key. Configured payload can be run by runonce.exe /AlternateShellStartup
 5references:
 6    - https://twitter.com/pabraeken/status/990717080805789697
 7    - https://lolbas-project.github.io/lolbas/Binaries/Runonce/
 8author: 'Avneet Singh @v3t0_, oscd.community'
 9date: 2020-11-15
10modified: 2024-03-25
11tags:
12    - attack.persistence
13    - attack.defense-evasion
14    - attack.t1112
15logsource:
16    product: windows
17    category: registry_event
18detection:
19    selection:
20        TargetObject|contains: '\Microsoft\Active Setup\Installed Components'
21        TargetObject|endswith: '\StubPath'
22    filter_optional_chrome:
23        Details|contains|all:
24            - 'C:\Program Files\Google\Chrome\Application\'
25            - '\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level' # In some cases the Details will contain an additional flag called "--channel=stable" at the end
26    filter_optional_edge:
27        Details|contains:
28            - 'C:\Program Files (x86)\Microsoft\Edge\Application\'
29            - 'C:\Program Files\Microsoft\Edge\Application\'
30        Details|endswith: '\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable'
31    condition: selection and not 1 of filter_optional_*
32falsepositives:
33    - Legitimate modification of the registry key by legitimate program
34level: medium

References

  • Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.


    Read More

  • Runonce on LOLBAS

    Runonce.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.


    Read More

Related rules

to-top