Session Manager Autorun Keys Modification

 1title: Session Manager Autorun Keys Modification
 2id: 046218bd-e0d8-4113-a3c3-895a12b2b298
 3related:
 4    - id: 17f878b8-9968-4578-b814-c4217fc5768c
 5      type: obsolete
 6status: test
 7description: Detects modification of autostart extensibility point (ASEP) in registry.
 8references:
 9    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
10    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
11    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
12author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
13date: 2019-10-25
14modified: 2023-08-17
15tags:
16    - attack.privilege-escalation
17    - attack.persistence
18    - attack.t1547.001
19    - attack.t1546.009
20logsource:
21    category: registry_set
22    product: windows
23detection:
24    session_manager_base:
25        TargetObject|contains: '\System\CurrentControlSet\Control\Session Manager'
26    session_manager:
27        TargetObject|contains:
28            - '\SetupExecute'
29            - '\S0InitialCommand'
30            - '\KnownDlls'
31            - '\Execute'
32            - '\BootExecute'
33            - '\AppCertDlls'
34    filter:
35        Details: '(Empty)'
36    condition: session_manager_base and session_manager and not filter
37falsepositives:
38    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
39    - Legitimate administrator sets up autorun keys for legitimate reason
40level: medium

References

• atomic-red-team/atomics/T1547.001/T1547.001.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

  

  Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

  
  Read More

• Autoruns - Sysinternals

  

  See what programs are configured to startup automatically when your system boots and you login.

  
  Read More

• Autorun Registry Keys

  

  Autorun Registry Keys. GitHub Gist: instantly share code, notes, and snippets.

  
  Read More

Related rules

• CurrentControlSet Autorun Keys Modification
• Direct Autorun Keys Modification
• Internet Explorer Autorun Keys Modification
• New DLL Added to AppCertDlls Registry Key
• Office Autorun Keys Modification