detection.wiki

Detection rules › Sigma

Common Autorun Keys Modification

Severity
medium
Author
Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name)
Source
upstream

Detects modification of autostart extensibility point (ASEP) in registry.

MITRE ATT&CK coverage

TacticTechniques
PersistenceT1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Privilege EscalationT1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Event coverage

ProviderEvent IDTitle
Sysmon13RegistryEvent (Value Set)

Stages and Predicates

Stage 1: selection

or:
TargetObject|contains: '\Control Panel\Desktop\Scrnsave.exe'
TargetObject|contains: '\Environment\UserInitMprLogonScript'
TargetObject|contains: '\SOFTWARE\Classes\Htmlfile\Shell\Open\Command\(Default)'
TargetObject|contains: '\SOFTWARE\Classes\Protocols\Filter'
TargetObject|contains: '\SOFTWARE\Classes\Protocols\Handler'
TargetObject|contains: '\SOFTWARE\Microsoft\Active Setup\Installed Components'
TargetObject|contains: '\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components'
TargetObject|contains: '\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnConnect'
TargetObject|contains: '\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnDisconnect'
TargetObject|contains: '\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop\Scrnsave.exe'
TargetObject|contains: '\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components'
TargetObject|contains: '\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStart'
TargetObject|contains: '\SYSTEM\Setup\CmdLine'
TargetObject|contains: '\Software\Classes\Clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\Inprocserver32'
TargetObject|contains: '\Software\Microsoft\Command Processor\Autorun'
TargetObject|contains: '\Software\Microsoft\Ctf\LangBarAddin'
TargetObject|contains: '\Software\Microsoft\Internet Explorer\UrlSearchHooks'
TargetObject|contains: '\Software\Wow6432Node\Microsoft\Command Processor\Autorun'

Stage 2: not 1 of filter_main_*

or:
Details: '(Empty)'
Details: null
Image: 'C:\Windows\System32\poqexec.exe'

Stage 3: not 1 of filter_optional_*

or:
or:
Image|startswith: 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
Image|startswith: 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
Image|endswith: '\OfficeClickToRun.exe'
Details: '{314111c7-a502-11d2-bbca-00c04f8ec294}'
Details: '{3459B272-CC19-4448-86C9-DDC3B4B2FAD3}'
Details: '{42089D2D-912D-4018-9087-2B87803E93FB}'
Details: '{5504BE45-A83B-4808-900A-3A5C36E7F77A}'
Details: '{807583E5-5146-11D5-A672-00B0D022E945}'
Image: 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
Image: 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
TargetObject|contains: '\ClickToRunStore\HKMU\SOFTWARE\Classes\PROTOCOLS\Handler\'
TargetObject|contains: '\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\PROTOCOLS\Handler\'
TargetObject|contains: '\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}'
TargetObject|contains: '\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}'
TargetObject|contains: '\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Detailseq
  • (Empty) corpus 24 (sigma 24)
  • {314111c7-a502-11d2-bbca-00c04f8ec294}
  • {3459B272-CC19-4448-86C9-DDC3B4B2FAD3}
  • {42089D2D-912D-4018-9087-2B87803E93FB}
  • {5504BE45-A83B-4808-900A-3A5C36E7F77A}
  • {807583E5-5146-11D5-A672-00B0D022E945} corpus 2 (sigma 2)
Imageends_with
  • \OfficeClickToRun.exe corpus 10 (sigma 10)
Imageeq
  • C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe corpus 6 (sigma 6)
  • C:\Program Files\Microsoft Office\root\integration\integrator.exe corpus 6 (sigma 6)
  • C:\Windows\System32\poqexec.exe corpus 7 (sigma 7)
Imagestarts_with
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\ corpus 8 (sigma 8)
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\ corpus 5 (sigma 5)
TargetObjectmatch
  • \ClickToRunStore\HKMU\SOFTWARE\Classes\PROTOCOLS\Handler\
  • \Control Panel\Desktop\Scrnsave.exe
  • \Environment\UserInitMprLogonScript
  • \Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\PROTOCOLS\Handler\
  • \SOFTWARE\Classes\Htmlfile\Shell\Open\Command\(Default)
  • \SOFTWARE\Classes\Protocols\Filter
  • \SOFTWARE\Classes\Protocols\Handler
  • \SOFTWARE\Microsoft\Active Setup\Installed Components
  • \SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}
  • \SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}
  • \SOFTWARE\Microsoft\Internet Explorer\Desktop\Components
  • \SOFTWARE\Microsoft\Windows CE Services\AutoStartOnConnect
  • \SOFTWARE\Microsoft\Windows CE Services\AutoStartOnDisconnect
  • \SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop\Scrnsave.exe
  • \SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components
  • \SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStart
  • \SYSTEM\Setup\CmdLine
  • \Software\Classes\Clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\Inprocserver32
  • \Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}
  • \Software\Microsoft\Command Processor\Autorun
  • \Software\Microsoft\Ctf\LangBarAddin
  • \Software\Microsoft\Internet Explorer\UrlSearchHooks
  • \Software\Wow6432Node\Microsoft\Command Processor\Autorun