Registry Persistence via Explorer Run Key

Oct 23, 2025 · attack.privilege-escalation attack.persistence attack.t1547.001 ·

Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder

Sigma rule (View on GitHub)

 1title: Registry Persistence via Explorer Run Key
 2id: b7916c2a-fa2f-4795-9477-32b731f70f11
 3status: test
 4description: Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder
 5references:
 6    - https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/
 7author: Florian Roth (Nextron Systems), oscd.community
 8date: 2018-07-18
 9modified: 2023-12-11
10tags:
11    - attack.privilege-escalation
12    - attack.persistence
13    - attack.t1547.001
14logsource:
15    category: registry_set
16    product: windows
17detection:
18    selection:
19        TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
20        Details|contains:
21            - ':\$Recycle.bin\'
22            - ':\ProgramData\'
23            - ':\Temp\'
24            - ':\Users\Default\'
25            - ':\Users\Public\'
26            - ':\Windows\Temp\'
27            - '\AppData\Local\Temp\'
28    condition: selection
29falsepositives:
30    - Unknown
31level: high

References

Upatre Continued to Evolve with new Anti-Analysis Techniques

Unit 42 monitors the continued evolution Upatre and its anti-analysis Techniques.

Read More

Registry Persistence via Explorer Run Key

Sigma rule (View on GitHub)

References

Upatre Continued to Evolve with new Anti-Analysis Techniques

Related rules