CurrentVersion NT Autorun Keys Modification

calendar Jul 8, 2025 · attack.persistence attack.t1547.001  ·
Share on: linkedin copy

Detects modification of autostart extensibility point (ASEP) in registry.

Sigma rule (View on GitHub)

 1title: CurrentVersion NT Autorun Keys Modification
 2id: cbf93e5d-ca6c-4722-8bea-e9119007c248
 3related:
 4    - id: 17f878b8-9968-4578-b814-c4217fc5768c
 5      type: obsolete
 6status: test
 7description: Detects modification of autostart extensibility point (ASEP) in registry.
 8references:
 9    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
10    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
11    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
12author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
13date: 2019-10-25
14modified: 2025-07-04
15tags:
16    - attack.persistence
17    - attack.t1547.001
18logsource:
19    category: registry_set
20    product: windows
21detection:
22    selection_nt_current_version_base:
23        TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
24    selection_nt_current_version:
25        TargetObject|contains:
26            - '\Winlogon\VmApplet'
27            - '\Winlogon\Userinit'
28            - '\Winlogon\Taskman'
29            - '\Winlogon\Shell'
30            - '\Winlogon\GpExtensions'
31            - '\Winlogon\AppSetup'
32            - '\Winlogon\AlternateShells\AvailableShells'
33            - '\Windows\IconServiceLib'
34            - '\Windows\Appinit_Dlls'
35            - '\Image File Execution Options' # Covered in better details in 36803969-5421-41ec-b92f-8500f79c23b0
36            - '\Font Drivers'
37            - '\Drivers32'
38            - '\Windows\Run'
39            - '\Windows\Load'
40    filter_main_empty:
41        Details: '(Empty)'
42    filter_main_legitimate_subkey:  # Legitimately used subkeys of \Image File Execution Options, which are not used for persistence (see https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/)
43        TargetObject|contains: '\Image File Execution Options\'
44        TargetObject|endswith:
45            - '\DisableExceptionChainValidation'
46            - '\MitigationOptions'
47    filter_main_security_extension_dc:
48        Image: 'C:\Windows\system32\svchost.exe'
49        TargetObject|contains:
50            - '\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\PreviousPolicyAreas'
51            - '\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\MaxNoGPOListChangesInterval'
52        Details:
53            - 'DWORD (0x00000009)'
54            - 'DWORD (0x000003c0)'
55    filter_main_runtimebroker:
56        Image: 'C:\Windows\System32\RuntimeBroker.exe'
57        TargetObject|contains: '\runtimebroker.exe\Microsoft.Windows.ShellExperienceHost'
58    filter_optional_edge:
59        Image|startswith: 'C:\Program Files (x86)\Microsoft\Temp\'
60        Image|endswith: '\MicrosoftEdgeUpdate.exe'
61    filter_optional_msoffice:
62        - TargetObject|contains:
63              - '\ClickToRunStore\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\'
64              - '\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\'
65        - Image:
66              - 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
67              - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
68    filter_optional_officeclicktorun:
69        Image|startswith:
70            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
71            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
72        Image|endswith: '\OfficeClickToRun.exe'
73    filter_optional_ngen:
74        Image|startswith: 'C:\Windows\Microsoft.NET\Framework'
75        Image|endswith: '\ngen.exe'
76    filter_optional_onedrive:
77        Image|endswith: '\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe'
78        TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary'
79        Details|startswith: 'C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\'
80        Details|endswith: '\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe"'
81    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
82fields:
83    - SecurityID
84    - ObjectName
85    - OldValueType
86    - NewValueType
87falsepositives:
88    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
89    - Legitimate administrator sets up autorun keys for legitimate reason
90level: medium

References

Related rules

to-top