CurrentVersion NT Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

Sigma rule (View on GitHub)

  1title: CurrentVersion NT Autorun Keys Modification
  2id: cbf93e5d-ca6c-4722-8bea-e9119007c248
  3related:
  4    - id: 17f878b8-9968-4578-b814-c4217fc5768c
  5      type: obsolete
  6status: test
  7description: Detects modification of autostart extensibility point (ASEP) in registry.
  8references:
  9    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
 10    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
 11    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 12author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 13date: 2019-10-25
 14modified: 2025-10-07
 15tags:
 16    - attack.persistence
 17    - attack.t1547.001
 18logsource:
 19    category: registry_set
 20    product: windows
 21detection:
 22    selection_nt_current_version_base:
 23        TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
 24    selection_nt_current_version:
 25        TargetObject|contains:
 26            - '\Winlogon\VmApplet'
 27            - '\Winlogon\Userinit'
 28            - '\Winlogon\Taskman'
 29            - '\Winlogon\Shell'
 30            - '\Winlogon\GpExtensions'
 31            - '\Winlogon\AppSetup'
 32            - '\Winlogon\AlternateShells\AvailableShells'
 33            - '\Windows\IconServiceLib'
 34            - '\Windows\Appinit_Dlls'
 35            - '\Image File Execution Options' # Covered in better details in 36803969-5421-41ec-b92f-8500f79c23b0
 36            - '\Font Drivers'
 37            - '\Drivers32'
 38            - '\Windows\Run'
 39            - '\Windows\Load'
 40    filter_main_empty:
 41        Details: '(Empty)'
 42    filter_main_legitimate_subkey:  # Legitimately used subkeys of \Image File Execution Options, which are not used for persistence (see https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/)
 43        TargetObject|contains: '\Image File Execution Options\'
 44        TargetObject|endswith:
 45            - '\DisableExceptionChainValidation'
 46            - '\MitigationOptions'
 47    filter_main_security_extension_dc:
 48        Image: 'C:\Windows\system32\svchost.exe'
 49        TargetObject|contains:
 50            - '\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\PreviousPolicyAreas'
 51            - '\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\MaxNoGPOListChangesInterval'
 52        Details:
 53            - 'DWORD (0x00000009)'
 54            - 'DWORD (0x000003c0)'
 55    filter_main_runtimebroker:
 56        Image: 'C:\Windows\System32\RuntimeBroker.exe'
 57        TargetObject|contains: '\runtimebroker.exe\Microsoft.Windows.ShellExperienceHost'
 58    filter_optional_avguard:
 59        Image|startswith:
 60            - 'C:\Program Files (x86)\Avira\Antivirus\avguard.exe'
 61            - 'C:\Program Files\Avira\Antivirus\avguard.exe'
 62        TargetObject|contains: 'SOFTWARE\WOW6432Node\Avira\Antivirus\Overwrite_Keys\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\'
 63        TargetObject|endswith:
 64            - '\userinit\UseAsDefault'
 65            - '\shell\UseAsDefault'
 66        Details:
 67            - 'explorer.exe'
 68            - 'C:\Windows\system32\userinit.exe,'
 69    filter_optional_edge:
 70        Image|startswith: 'C:\Program Files (x86)\Microsoft\Temp\'
 71        Image|endswith: '\MicrosoftEdgeUpdate.exe'
 72    filter_optional_msoffice:
 73        - TargetObject|contains:
 74              - '\ClickToRunStore\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\'
 75              - '\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\'
 76        - Image:
 77              - 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
 78              - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
 79    filter_optional_officeclicktorun:
 80        Image|startswith:
 81            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
 82            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
 83        Image|endswith: '\OfficeClickToRun.exe'
 84    filter_optional_ngen:
 85        Image|startswith: 'C:\Windows\Microsoft.NET\Framework'
 86        Image|endswith: '\ngen.exe'
 87    filter_optional_onedrive:
 88        Image|endswith: '\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe'
 89        TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary'
 90        Details|startswith: 'C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\'
 91        Details|endswith: '\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe"'
 92    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
 93fields:
 94    - SecurityID
 95    - ObjectName
 96    - OldValueType
 97    - NewValueType
 98falsepositives:
 99    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
100    - Legitimate administrator sets up autorun keys for legitimate reason
101level: medium

References

Related rules

to-top