Classes Autorun Keys Modification

calendar Apr 27, 2026 · attack.privilege-escalation attack.persistence attack.t1547.001  ·
Share on: linkedin copy

Detects modification of Windows Registry Classes keys used for persistence. Adversaries modify these autostart extensibility points (ASEP) to execute malicious code when file types are opened or actions are performed. Various legitimate software also uses these keys. Currently, this rule only filters out known legitimate software paths, thus it is recommended to review and tune filters for your environment to reduce false positives before deploying to production.

Sigma rule (View on GitHub)

 1title: Classes Autorun Keys Modification
 2id: 9df5f547-c86a-433e-b533-f2794357e242
 3related:
 4    - id: 17f878b8-9968-4578-b814-c4217fc5768c
 5      type: obsolete
 6status: test
 7description: |
 8    Detects modification of Windows Registry Classes keys used for persistence.
 9    Adversaries modify these autostart extensibility points (ASEP) to execute malicious code when file types are opened or actions are performed.
10    Various legitimate software also uses these keys. Currently, this rule only filters out known legitimate software paths,
11    thus it is recommended to review and tune filters for your environment to reduce false positives before deploying to production.    
12references:
13    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
14    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
15    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
16author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
17date: 2019-10-25
18modified: 2025-10-22
19tags:
20    - attack.privilege-escalation
21    - attack.persistence
22    - attack.t1547.001
23logsource:
24    category: registry_set
25    product: windows
26detection:
27    selection_classes_base:
28        TargetObject|contains: '\Software\Classes'
29    selection_classes_target:
30        TargetObject|contains:
31            - '\Folder\ShellEx\ExtShellFolderViews'
32            - '\Folder\ShellEx\DragDropHandlers'
33            - '\Folder\Shellex\ColumnHandlers'
34            - '\Filter'
35            - '\Exefile\Shell\Open\Command\(Default)'
36            - '\Directory\Shellex\DragDropHandlers'
37            - '\Directory\Shellex\CopyHookHandlers'
38            - '\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance'
39            - '\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance'
40            - '\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance'
41            - '\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance'
42            - '\Classes\AllFileSystemObjects\ShellEx\DragDropHandlers'
43            - '\.exe'
44            - '\.cmd'
45            - '\ShellEx\PropertySheetHandlers'
46            - '\ShellEx\ContextMenuHandlers'
47    filter_main_drivers:
48        Image: 'C:\Windows\System32\drvinst.exe'
49    filter_main_empty:
50        Details: '(Empty)'
51    filter_main_null:
52        Details: null
53    filter_main_svchost:
54        Image: 'C:\Windows\System32\svchost.exe'
55        # If more targets are found from "svchost". Please exclude the whole image
56        TargetObject|contains: '\lnkfile\shellex\ContextMenuHandlers\'
57    filter_optional_msoffice:
58        Details: '{807583E5-5146-11D5-A672-00B0D022E945}'
59    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
60falsepositives:
61    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
62    - Legitimate administrator sets up autorun keys for legitimate reason
63level: medium

References

Related rules

to-top