CurrentVersion NT Autorun Keys Modification

calendar Oct 23, 2025 · attack.privilege-escalation attack.persistence attack.t1547.001  ·
Share on: linkedin copy

Detects modification of autostart extensibility point (ASEP) in registry.

Sigma rule (View on GitHub)

  1title: CurrentVersion NT Autorun Keys Modification
  2id: cbf93e5d-ca6c-4722-8bea-e9119007c248
  3related:
  4    - id: 17f878b8-9968-4578-b814-c4217fc5768c
  5      type: obsolete
  6status: test
  7description: Detects modification of autostart extensibility point (ASEP) in registry.
  8references:
  9    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
 10    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
 11    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 12author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 13date: 2019-10-25
 14modified: 2025-10-17
 15tags:
 16    - attack.privilege-escalation
 17    - attack.persistence
 18    - attack.t1547.001
 19logsource:
 20    category: registry_set
 21    product: windows
 22detection:
 23    selection_nt_current_version_base:
 24        TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
 25    selection_nt_current_version:
 26        TargetObject|contains:
 27            - '\Winlogon\VmApplet'
 28            - '\Winlogon\Userinit'
 29            - '\Winlogon\Taskman'
 30            - '\Winlogon\Shell'
 31            - '\Winlogon\GpExtensions'
 32            - '\Winlogon\AppSetup'
 33            - '\Winlogon\AlternateShells\AvailableShells'
 34            - '\Windows\IconServiceLib'
 35            - '\Windows\Appinit_Dlls'
 36            - '\Image File Execution Options' # Covered in better details in 36803969-5421-41ec-b92f-8500f79c23b0
 37            - '\Font Drivers'
 38            - '\Drivers32'
 39            - '\Windows\Run'
 40            - '\Windows\Load'
 41    filter_main_empty:
 42        Details: '(Empty)'
 43    filter_main_legitimate_subkey:  # Legitimately used subkeys of \Image File Execution Options, which are not used for persistence (see https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/)
 44        TargetObject|contains: '\Image File Execution Options\'
 45        TargetObject|endswith:
 46            - '\DisableExceptionChainValidation'
 47            - '\MitigationOptions'
 48    filter_main_security_extension_dc:
 49        Image: 'C:\Windows\system32\svchost.exe'
 50        TargetObject|contains:
 51            - '\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\PreviousPolicyAreas'
 52            - '\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\MaxNoGPOListChangesInterval'
 53        Details:
 54            - 'DWORD (0x00000001)'
 55            - 'DWORD (0x00000009)'
 56            - 'DWORD (0x000003c0)'
 57    filter_main_runtimebroker:
 58        Image: 'C:\Windows\System32\RuntimeBroker.exe'
 59        TargetObject|contains: '\runtimebroker.exe\Microsoft.Windows.ShellExperienceHost'
 60    filter_optional_avguard:
 61        Image|startswith:
 62            - 'C:\Program Files (x86)\Avira\Antivirus\avguard.exe'
 63            - 'C:\Program Files\Avira\Antivirus\avguard.exe'
 64        TargetObject|contains: 'SOFTWARE\WOW6432Node\Avira\Antivirus\Overwrite_Keys\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\'
 65        TargetObject|endswith:
 66            - '\userinit\UseAsDefault'
 67            - '\shell\UseAsDefault'
 68        Details:
 69            - 'explorer.exe'
 70            - 'C:\Windows\system32\userinit.exe,'
 71    filter_optional_edge:
 72        Image|startswith: 'C:\Program Files (x86)\Microsoft\Temp\'
 73        Image|endswith: '\MicrosoftEdgeUpdate.exe'
 74    filter_optional_msoffice:
 75        - TargetObject|contains:
 76              - '\ClickToRunStore\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\'
 77              - '\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\'
 78        - Image:
 79              - 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
 80              - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
 81    filter_optional_officeclicktorun:
 82        Image|startswith:
 83            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
 84            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
 85        Image|endswith: '\OfficeClickToRun.exe'
 86    filter_optional_ngen:
 87        Image|startswith: 'C:\Windows\Microsoft.NET\Framework'
 88        Image|endswith: '\ngen.exe'
 89    filter_optional_onedrive:
 90        Image|endswith: '\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe'
 91        TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary'
 92        Details|startswith: 'C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\'
 93        Details|endswith: '\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe"'
 94    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
 95fields:
 96    - SecurityID
 97    - ObjectName
 98    - OldValueType
 99    - NewValueType
100falsepositives:
101    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
102    - Legitimate administrator sets up autorun keys for legitimate reason
103level: medium

References

Related rules

to-top