CurrentVersion NT Autorun Keys Modification

calendar Aug 12, 2024 · attack.persistence attack.t1547.001  ·
Share on: linkedin copy

Detects modification of autostart extensibility point (ASEP) in registry.

Sigma rule (View on GitHub)

 1title: CurrentVersion NT Autorun Keys Modification
 2id: cbf93e5d-ca6c-4722-8bea-e9119007c248
 3related:
 4    - id: 17f878b8-9968-4578-b814-c4217fc5768c
 5      type: obsolete
 6status: test
 7description: Detects modification of autostart extensibility point (ASEP) in registry.
 8references:
 9    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
10    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
11    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
12author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
13date: 2019-10-25
14modified: 2023-08-17
15tags:
16    - attack.persistence
17    - attack.t1547.001
18logsource:
19    category: registry_set
20    product: windows
21detection:
22    nt_current_version_base:
23        TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
24    nt_current_version:
25        TargetObject|contains:
26            - '\Winlogon\VmApplet'
27            - '\Winlogon\Userinit'
28            - '\Winlogon\Taskman'
29            - '\Winlogon\Shell'
30            - '\Winlogon\GpExtensions'
31            - '\Winlogon\AppSetup'
32            - '\Winlogon\AlternateShells\AvailableShells'
33            - '\Windows\IconServiceLib'
34            - '\Windows\Appinit_Dlls'
35            - '\Image File Execution Options' # Covered in better details in 36803969-5421-41ec-b92f-8500f79c23b0
36            - '\Font Drivers'
37            - '\Drivers32'
38            - '\Windows\Run'
39            - '\Windows\Load'
40    filter_empty:
41        Details: '(Empty)'
42    filter_legitimate_subkey:  # Legitimately used subkeys of \Image File Execution Options, which are not used for persistence (see https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/)
43        TargetObject|contains: '\Image File Execution Options\'
44        TargetObject|endswith:
45            - '\DisableExceptionChainValidation'
46            - '\MitigationOptions'
47    filter_edge:
48        Image|startswith: 'C:\Program Files (x86)\Microsoft\Temp\'
49        Image|endswith: '\MicrosoftEdgeUpdate.exe'
50    filter_msoffice:
51        - TargetObject|contains:
52              - '\ClickToRunStore\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\'
53              - '\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\'
54        - Image:
55              - 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
56              - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
57    filter_officeclicktorun:
58        Image|startswith:
59            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
60            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
61        Image|endswith: '\OfficeClickToRun.exe'
62    filter_security_extension_dc:
63        Image: 'C:\Windows\system32\svchost.exe'
64        TargetObject|contains:
65            - '\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\PreviousPolicyAreas'
66            - '\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\MaxNoGPOListChangesInterval'
67        Details:
68            - 'DWORD (0x00000009)'
69            - 'DWORD (0x000003c0)'
70    filter_ngen:
71        Image|startswith: 'C:\Windows\Microsoft.NET\Framework'
72        Image|endswith: '\ngen.exe'
73    filter_onedrive:
74        Image|endswith: '\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe'
75        TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary'
76        Details|startswith: 'C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\'
77        Details|endswith: '\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe"'
78    condition: nt_current_version_base and nt_current_version and not 1 of filter_*
79fields:
80    - SecurityID
81    - ObjectName
82    - OldValueType
83    - NewValueType
84falsepositives:
85    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
86    - Legitimate administrator sets up autorun keys for legitimate reason
87level: medium

References

Related rules

to-top