Registry Persistence via Explorer Run Key

Aug 12, 2024 · attack.persistence attack.t1547.001 ·

Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder

Sigma rule (View on GitHub)

 1title: Registry Persistence via Explorer Run Key
 2id: b7916c2a-fa2f-4795-9477-32b731f70f11
 3status: test
 4description: Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder
 5references:
 6    - https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/
 7author: Florian Roth (Nextron Systems), oscd.community
 8date: 2018-07-18
 9modified: 2023-12-11
10tags:
11    - attack.persistence
12    - attack.t1547.001
13logsource:
14    category: registry_set
15    product: windows
16detection:
17    selection:
18        TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
19        Details|contains:
20            - ':\$Recycle.bin\'
21            - ':\ProgramData\'
22            - ':\Temp\'
23            - ':\Users\Default\'
24            - ':\Users\Public\'
25            - ':\Windows\Temp\'
26            - '\AppData\Local\Temp\'
27    condition: selection
28falsepositives:
29    - Unknown
30level: high

References

Upatre Continued to Evolve with new Anti-Analysis Techniques

Unit 42 monitors the continued evolution Upatre and its anti-analysis Techniques.

Read More

Registry Persistence via Explorer Run Key

Sigma rule (View on GitHub)

References

Upatre Continued to Evolve with new Anti-Analysis Techniques

Related rules