CurrentVersion Autorun Keys Modification

Severity: medium
Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
Source: upstream

Detects modification of autostart extensibility point (ASEP) in registry.

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1547.001` Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Privilege Escalation	`T1547.001` Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Event coverage

Provider	Event ID	Title
Sysmon	13	RegistryEvent (Value Set)

Stages and Predicates

Stage 1: `all of selection_current_version_base`

TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion'

Stage 2: `all of selection_current_version_keys`

or:
TargetObject|contains: '\Authentication\Credential Provider Filters'
TargetObject|contains: '\Authentication\Credential Providers'
TargetObject|contains: '\Authentication\PLAP Providers'
TargetObject|contains: '\Explorer\Browser Helper Objects'
TargetObject|contains: '\Explorer\SharedTaskScheduler'
TargetObject|contains: '\Explorer\ShellExecuteHooks'
TargetObject|contains: '\Explorer\ShellIconOverlayIdentifiers'
TargetObject|contains: '\Explorer\ShellServiceObjects'
TargetObject|contains: '\Group Policy\Scripts\Logoff'
TargetObject|contains: '\Group Policy\Scripts\Logon'
TargetObject|contains: '\Group Policy\Scripts\Shutdown'
TargetObject|contains: '\Group Policy\Scripts\Startup'
TargetObject|contains: '\Policies\Explorer\Run'
TargetObject|contains: '\Policies\System\Shell'
TargetObject|contains: '\RunOnceEx\'
TargetObject|contains: '\RunOnce\'
TargetObject|contains: '\RunServicesOnce\'
TargetObject|contains: '\RunServices\'
TargetObject|contains: '\Run\'
TargetObject|contains: '\ShellServiceObjectDelayLoad'

Stage 3: `not 1 of filter_main_*`

or:
or:
TargetObject|contains: '\Authentication\Credential Providers\{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}\'
TargetObject|contains: '\Authentication\Credential Providers\{8AF662BF-65A0-4D0A-A540-A338A999D36F}\'
TargetObject|contains: '\Authentication\Credential Providers\{BEC09223-B018-416D-A0AC-523971B639F5}\'
TargetObject|contains: '\Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}\'
Image: 'C:\Windows\system32\LogonUI.exe'
Details: 'ctfmon.exe /n'
Image: 'C:\Windows\system32\userinit.exe'
Details|contains: '\Microsoft\Teams\Update.exe --processStart '
Image|endswith: '\Microsoft\Teams\current\Teams.exe'
Details: '(Empty)'
Details: null
Image|endswith: '\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe'
Image|endswith: '\AppData\Local\WebEx\WebexHost.exe'
Image|endswith: '\AppData\Roaming\Spotify\Spotify.exe'
Image: 'C:\Program Files (x86)\Microsoft Office\root\integration\Addons\OneDriveSetup.exe'
Image: 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
Image: 'C:\Program Files (x86)\Microsoft OneDrive\StandaloneUpdater\OneDriveSetup.exe'
Image: 'C:\Program Files (x86)\Microsoft OneDrive\Update\OneDriveSetup.exe'
Image: 'C:\Program Files\Everything\Everything.exe'
Image: 'C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe'
Image: 'C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe'
Image: 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
Image: 'C:\Program Files\Microsoft OneDrive\StandaloneUpdater\OneDriveSetup.exe'
Image: 'C:\Program Files\Microsoft OneDrive\Update\OneDriveSetup.exe'
Image: 'C:\Program Files\Windows Defender\MsMpEng.exe'
Image: 'C:\WINDOWS\system32\devicecensus.exe'
Image: 'C:\Windows\system32\winsat.exe'
Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\'
Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\'
Image|startswith: 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
TargetObject|endswith: '\NgcFirst\ConsecutiveSwitchCount'

Stage 4: `not 1 of filter_optional_*`

or:
Details: ['C:\Program Files (x86)\Opera\launcher.exe', 'C:\Program Files\Opera\launcher.exe']
TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Run\Opera Stable'
Details: ['"C:\Program Files (x86)\AVG\Antivirus\AvLaunch.exe" /gui', '"C:\Program Files\AVG\Antivirus\AvLaunch.exe" /gui', '{472083B0-C522-11CF-8763-00608CC02F24}', '{472083B1-C522-11CF-8763-00608CC02F24}']
or:
Image|contains: 'C:\Program Files (x86)\AVG\Antivirus\Setup\'
Image|contains: 'C:\Program Files\AVG\Antivirus\Setup\'
Image|contains: '\instup.exe'
Details: ['"C:\Program Files (x86)\Avast Software\Avast\AvLaunch.exe" /gui', '"C:\Program Files\Avast Software\Avast\AvLaunch.exe" /gui']
or:
Image|contains: 'C:\Program Files (x86)\Avast Software\Avast\Setup\'
Image|contains: 'C:\Program Files\Avast Software\Avast\Setup\'
Image|contains: '\instup.exe'
Details: ['{51EF1569-67EE-4AD6-9646-E726C3FFC8A2}', '{A8E52322-8734-481D-A7E2-27B309EF8D56}', '{C973DA94-CBDF-4E77-81D1-E5B794FBD146}', '{CFE8B367-77A7-41D7-9C90-75D16D7DC6B6}']
TargetObject|contains: GoogleDrive
or:
Details|startswith: 'C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\'
Details|startswith: 'C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\'
Details|contains: '\AppData\Local\Microsoft\OneDrive\'
or:
Image|endswith: '\aurora-agent-64.exe'
Image|endswith: '\aurora-agent.exe'
Details: 'C:\Program Files\Aurora-Agent\tools\aurora-dashboard.exe'
TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Run\aurora-dashboard'
Image: ['C:\Program Files (x86)\AVG\Antivirus\avgToolsSvc.exe', 'C:\Program Files\AVG\Antivirus\avgToolsSvc.exe']
Details: 'Binary Data'
TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\'
or:
Image|startswith: 'C:\Program Files (x86)\Common Files\Microsoft Shared\ClickToRun\'
Image|startswith: 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
Image|endswith: '\OfficeClickToRun.exe'
Details|endswith: '.exe" /burn.runonce'
Details|contains: '\AppData\Local\Package Cache\{'
Details|contains: '}\python-'
TargetObject|contains: '\Microsoft\Windows\CurrentVersion\RunOnce\{'
Details|endswith: 'A251-47B7-93E1-CDD82E34AF8B}'
Image: 'C:\Windows\system32\regsvr32.exe'
TargetObject|contains: DropboxExt
Details|endswith: '\Discord\Update.exe --processStart Discord.exe'
TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Run\Discord'
Details|endswith: '\Everything\Everything.exe" -startup'
TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Run\Everything'
Details: 'C:\Program Files\Greenshot\Greenshot.exe'
TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Greenshot'
Details: 'C:\Program Files\Opera\assistant\browser_assistant.exe'
TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Opera Browser Assistant'
Details: '"C:\Program Files\Zoom\bin\installer.exe" /repair'
TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zoommsirepair'
Details: "C:\Program Files\iTunes\iTunesHelper.exe"
TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iTunesHelper'
Details|contains: '\GoogleDriveFS.exe'
Details|startswith: 'C:\Program Files\Google\Drive File Stream\'
TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Run\GoogleDriveFS'
Details|contains: '\Microsoft\Teams\Update.exe --processStart'
Image|endswith: '\Microsoft\Teams\current\Teams.exe'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Details`	ends_with	`.exe" /burn.runonce` corpus 2 (sigma 2) `A251-47B7-93E1-CDD82E34AF8B}` `\Discord\Update.exe --processStart Discord.exe` `\Everything\Everything.exe" -startup`
`Details`	eq	`"C:\Program Files (x86)\AVG\Antivirus\AvLaunch.exe" /gui` `"C:\Program Files (x86)\Avast Software\Avast\AvLaunch.exe" /gui` `"C:\Program Files\AVG\Antivirus\AvLaunch.exe" /gui` `"C:\Program Files\Avast Software\Avast\AvLaunch.exe" /gui` `"C:\Program Files\Zoom\bin\installer.exe" /repair` `"C:\Program Files\iTunes\iTunesHelper.exe"` `(Empty)` corpus 24 (sigma 24) `Binary Data` corpus 4 (sigma 4) `C:\Program Files (x86)\Opera\launcher.exe` `C:\Program Files\Aurora-Agent\tools\aurora-dashboard.exe` `C:\Program Files\Greenshot\Greenshot.exe` `C:\Program Files\Opera\assistant\browser_assistant.exe` `C:\Program Files\Opera\launcher.exe` `ctfmon.exe /n` `{472083B0-C522-11CF-8763-00608CC02F24}` corpus 2 (sigma 2) `{472083B1-C522-11CF-8763-00608CC02F24}` corpus 2 (sigma 2) `{51EF1569-67EE-4AD6-9646-E726C3FFC8A2}` `{A8E52322-8734-481D-A7E2-27B309EF8D56}` `{C973DA94-CBDF-4E77-81D1-E5B794FBD146}` `{CFE8B367-77A7-41D7-9C90-75D16D7DC6B6}`
`Details`	match	`\AppData\Local\Microsoft\OneDrive\` `\AppData\Local\Package Cache\{` `\GoogleDriveFS.exe` `\Microsoft\Teams\Update.exe --processStart` `\Microsoft\Teams\Update.exe --processStart` `}\python-`
`Details`	starts_with	`C:\Program Files\Google\Drive File Stream\` `C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\` corpus 2 (sigma 2) `C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\`
`Image`	ends_with	`\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe` `\AppData\Local\WebEx\WebexHost.exe` corpus 2 (sigma 2) `\AppData\Roaming\Spotify\Spotify.exe` corpus 2 (sigma 2) `\Microsoft\Teams\current\Teams.exe` corpus 2 (sigma 2) `\OfficeClickToRun.exe` corpus 10 (sigma 10) `\aurora-agent-64.exe` corpus 2 (sigma 2) `\aurora-agent.exe` corpus 2 (sigma 2)
`Image`	eq	`C:\Program Files (x86)\AVG\Antivirus\avgToolsSvc.exe` `C:\Program Files (x86)\Microsoft Office\root\integration\Addons\OneDriveSetup.exe` `C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe` corpus 6 (sigma 6) `C:\Program Files (x86)\Microsoft OneDrive\StandaloneUpdater\OneDriveSetup.exe` `C:\Program Files (x86)\Microsoft OneDrive\Update\OneDriveSetup.exe` `C:\Program Files\AVG\Antivirus\avgToolsSvc.exe` `C:\Program Files\Everything\Everything.exe` `C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe` `C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe` `C:\Program Files\Microsoft Office\root\integration\integrator.exe` corpus 6 (sigma 6) `C:\Program Files\Microsoft OneDrive\StandaloneUpdater\OneDriveSetup.exe` `C:\Program Files\Microsoft OneDrive\Update\OneDriveSetup.exe` `C:\Program Files\Windows Defender\MsMpEng.exe` corpus 2 (sigma 2) `C:\WINDOWS\system32\devicecensus.exe` `C:\Windows\system32\LogonUI.exe` `C:\Windows\system32\regsvr32.exe` `C:\Windows\system32\userinit.exe` `C:\Windows\system32\winsat.exe`
`Image`	match	`C:\Program Files (x86)\AVG\Antivirus\Setup\` `C:\Program Files (x86)\Avast Software\Avast\Setup\` `C:\Program Files\AVG\Antivirus\Setup\` `C:\Program Files\Avast Software\Avast\Setup\` `\instup.exe`
`Image`	starts_with	`C:\Program Files (x86)\Common Files\Microsoft Shared\ClickToRun\` `C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\` `C:\Program Files (x86)\Microsoft\EdgeWebView\` corpus 2 (sigma 2) `C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe` `C:\Program Files\Common Files\Microsoft Shared\ClickToRun\` corpus 8 (sigma 8)
`TargetObject`	ends_with	`\Microsoft\Windows\CurrentVersion\Run\Everything` `\Microsoft\Windows\CurrentVersion\Run\aurora-dashboard` `\NgcFirst\ConsecutiveSwitchCount` `\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zoommsirepair` `\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Greenshot` `\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Opera Browser Assistant` `\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iTunesHelper` `\Software\Microsoft\Windows\CurrentVersion\Run\Discord` `\Software\Microsoft\Windows\CurrentVersion\Run\GoogleDriveFS` `\Software\Microsoft\Windows\CurrentVersion\Run\Opera Stable`
`TargetObject`	match	`DropboxExt` `GoogleDrive` `\Authentication\Credential Provider Filters` `\Authentication\Credential Providers` `\Authentication\Credential Providers\{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}\` `\Authentication\Credential Providers\{8AF662BF-65A0-4D0A-A540-A338A999D36F}\` `\Authentication\Credential Providers\{BEC09223-B018-416D-A0AC-523971B639F5}\` `\Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}\` `\Authentication\PLAP Providers` `\Explorer\Browser Helper Objects` corpus 2 (sigma 2) `\Explorer\SharedTaskScheduler` corpus 2 (sigma 2) `\Explorer\ShellExecuteHooks` corpus 2 (sigma 2) `\Explorer\ShellIconOverlayIdentifiers` corpus 2 (sigma 2) `\Explorer\ShellServiceObjects` corpus 2 (sigma 2) `\Group Policy\Scripts\Logoff` `\Group Policy\Scripts\Logon` `\Group Policy\Scripts\Shutdown` `\Group Policy\Scripts\Startup` `\Microsoft\Windows\CurrentVersion\RunOnce\{` `\Policies\Explorer\Run` `\Policies\System\Shell` `\RunOnceEx\` corpus 2 (sigma 2) `\RunOnce\` corpus 2 (sigma 2) `\RunServicesOnce\` corpus 2 (sigma 2) `\RunServices\` corpus 2 (sigma 2) `\Run\` corpus 2 (sigma 2) `\SOFTWARE\Microsoft\Windows\CurrentVersion` `\ShellServiceObjectDelayLoad` corpus 2 (sigma 2) `\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\`

CurrentVersion Autorun Keys Modification

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: all of selection_current_version_base

Stage 2: all of selection_current_version_keys

Stage 3: not 1 of filter_main_*

Stage 4: not 1 of filter_optional_*

Indicators

Stage 1: `all of selection_current_version_base`

Stage 2: `all of selection_current_version_keys`

Stage 3: `not 1 of filter_main_*`

Stage 4: `not 1 of filter_optional_*`