Session Manager Autorun Keys Modification

 1title: Session Manager Autorun Keys Modification
 2id: 046218bd-e0d8-4113-a3c3-895a12b2b298
 3related:
 4    - id: 17f878b8-9968-4578-b814-c4217fc5768c
 5      type: obsolete
 6status: test
 7description: Detects modification of autostart extensibility point (ASEP) in registry.
 8references:
 9    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
10    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
11    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
12author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
13date: 2019-10-25
14modified: 2023-08-17
15tags:
16    - attack.persistence
17    - attack.t1547.001
18    - attack.t1546.009
19logsource:
20    category: registry_set
21    product: windows
22detection:
23    session_manager_base:
24        TargetObject|contains: '\System\CurrentControlSet\Control\Session Manager'
25    session_manager:
26        TargetObject|contains:
27            - '\SetupExecute'
28            - '\S0InitialCommand'
29            - '\KnownDlls'
30            - '\Execute'
31            - '\BootExecute'
32            - '\AppCertDlls'
33    filter:
34        Details: '(Empty)'
35    condition: session_manager_base and session_manager and not filter
36fields:
37    - SecurityID
38    - ObjectName
39    - OldValueType
40    - NewValueType
41falsepositives:
42    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
43    - Legitimate administrator sets up autorun keys for legitimate reason
44level: medium

References

• atomic-red-team/atomics/T1547.001/T1547.001.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

  

  Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

  
  Read More

• Autoruns - Sysinternals

  

  See what programs are configured to startup automatically when your system boots and you login.

  
  Read More

• Autorun Registry Keys

  

  Autorun Registry Keys. GitHub Gist: instantly share code, notes, and snippets.

  
  Read More

Related rules

• Classes Autorun Keys Modification
• Common Autorun Keys Modification
• CurrentControlSet Autorun Keys Modification
• CurrentVersion Autorun Keys Modification
• CurrentVersion NT Autorun Keys Modification