CurrentVersion NT Autorun Keys Modification

calendar Nov 13, 2025 · attack.privilege-escalation attack.persistence attack.t1547.001  ·
Share on: linkedin copy

Detects modification of autostart extensibility point (ASEP) in registry.

Sigma rule (View on GitHub)

  1title: CurrentVersion NT Autorun Keys Modification
  2id: cbf93e5d-ca6c-4722-8bea-e9119007c248
  3related:
  4    - id: 17f878b8-9968-4578-b814-c4217fc5768c
  5      type: obsolete
  6status: test
  7description: Detects modification of autostart extensibility point (ASEP) in registry.
  8references:
  9    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
 10    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
 11    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 12author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 13date: 2019-10-25
 14modified: 2025-10-22
 15tags:
 16    - attack.privilege-escalation
 17    - attack.persistence
 18    - attack.t1547.001
 19logsource:
 20    category: registry_set
 21    product: windows
 22detection:
 23    selection_nt_current_version_base:
 24        TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
 25    selection_nt_current_version:
 26        TargetObject|contains:
 27            - '\Winlogon\VmApplet'
 28            - '\Winlogon\Userinit'
 29            - '\Winlogon\Taskman'
 30            - '\Winlogon\Shell'
 31            - '\Winlogon\GpExtensions'
 32            - '\Winlogon\AppSetup'
 33            - '\Winlogon\AlternateShells\AvailableShells'
 34            - '\Windows\IconServiceLib'
 35            - '\Windows\Appinit_Dlls'
 36            - '\Image File Execution Options' # Covered in better details in 36803969-5421-41ec-b92f-8500f79c23b0
 37            - '\Font Drivers'
 38            - '\Drivers32'
 39            - '\Windows\Run'
 40            - '\Windows\Load'
 41    filter_main_empty:
 42        Details: '(Empty)'
 43    filter_main_null:
 44        Details: null
 45    filter_main_poqexec:
 46        Image: 'C:\Windows\System32\poqexec.exe'
 47    filter_main_legitimate_subkey:  # Legitimately used subkeys of \Image File Execution Options, which are not used for persistence (see https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/)
 48        TargetObject|contains: '\Image File Execution Options\'
 49        TargetObject|endswith:
 50            - '\DisableExceptionChainValidation'
 51            - '\MitigationOptions'
 52    filter_main_security_extension_dc:
 53        Image: 'C:\Windows\system32\svchost.exe'
 54        TargetObject|contains:
 55            - '\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\PreviousPolicyAreas'
 56            - '\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\MaxNoGPOListChangesInterval'
 57        Details:
 58            - 'DWORD (0x00000001)'
 59            - 'DWORD (0x00000009)'
 60            - 'DWORD (0x000003c0)'
 61    filter_main_runtimebroker:
 62        Image: 'C:\Windows\System32\RuntimeBroker.exe'
 63        TargetObject|contains: '\runtimebroker.exe\Microsoft.Windows.ShellExperienceHost'
 64    filter_optional_edge:
 65        Image|startswith: 'C:\Program Files (x86)\Microsoft\Temp\'
 66        Image|endswith: '\MicrosoftEdgeUpdate.exe'
 67    filter_optional_avguard:
 68        Image|startswith:
 69            - 'C:\Program Files (x86)\Avira\Antivirus\avguard.exe'
 70            - 'C:\Program Files\Avira\Antivirus\avguard.exe'
 71        TargetObject|contains: 'SOFTWARE\WOW6432Node\Avira\Antivirus\Overwrite_Keys\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\'
 72        TargetObject|endswith:
 73            - '\userinit\UseAsDefault'
 74            - '\shell\UseAsDefault'
 75        Details:
 76            - 'explorer.exe'
 77            - 'C:\Windows\system32\userinit.exe,'
 78    filter_optional_msoffice:
 79        - TargetObject|contains:
 80              - '\ClickToRunStore\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\'
 81              - '\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\'
 82        - Image:
 83              - 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
 84              - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
 85    filter_optional_officeclicktorun:
 86        Image|startswith:
 87            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
 88            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
 89        Image|endswith: '\OfficeClickToRun.exe'
 90    filter_optional_ngen:
 91        Image|startswith: 'C:\Windows\Microsoft.NET\Framework'
 92        Image|endswith: '\ngen.exe'
 93    filter_optional_onedrive:
 94        Image|endswith: '\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe'
 95        TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary'
 96        Details|startswith: 'C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\'
 97        Details|endswith: '\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe"'
 98    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
 99falsepositives:
100    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
101    - Legitimate administrator sets up autorun keys for legitimate reason
102level: medium

References

Related rules

to-top