Run Once Task Configuration in Registry

calendar Aug 12, 2024 · attack.defense-evasion attack.t1112  ·
Share on: linkedin copy

Rule to detect the configuration of Run Once registry key. Configured payload can be run by runonce.exe /AlternateShellStartup

Sigma rule (View on GitHub)

 1title: Run Once Task Configuration in Registry
 2id: c74d7efc-8826-45d9-b8bb-f04fac9e4eff
 3status: test
 4description: Rule to detect the configuration of Run Once registry key. Configured payload can be run by runonce.exe /AlternateShellStartup
 5references:
 6    - https://twitter.com/pabraeken/status/990717080805789697
 7    - https://lolbas-project.github.io/lolbas/Binaries/Runonce/
 8author: 'Avneet Singh @v3t0_, oscd.community'
 9date: 2020-11-15
10modified: 2024-03-25
11tags:
12    - attack.defense-evasion
13    - attack.t1112
14logsource:
15    product: windows
16    category: registry_event
17detection:
18    selection:
19        TargetObject|contains: '\Microsoft\Active Setup\Installed Components'
20        TargetObject|endswith: '\StubPath'
21    filter_optional_chrome:
22        Details|contains|all:
23            - 'C:\Program Files\Google\Chrome\Application\'
24            - '\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level' # In some cases the Details will contain an additional flag called "--channel=stable" at the end
25    filter_optional_edge:
26        Details|contains:
27            - 'C:\Program Files (x86)\Microsoft\Edge\Application\'
28            - 'C:\Program Files\Microsoft\Edge\Application\'
29        Details|endswith: '\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable'
30    condition: selection and not 1 of filter_optional_*
31falsepositives:
32    - Legitimate modification of the registry key by legitimate program
33level: medium

References

Related rules

to-top