CurrentVersion NT Autorun Keys Modification

Severity: medium
Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
Source: upstream

Detects modification of autostart extensibility point (ASEP) in registry.

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1547.001` Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Privilege Escalation	`T1547.001` Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Event coverage

Provider	Event ID	Title
Sysmon	13	RegistryEvent (Value Set)

Stages and Predicates

Stage 1: `all of selection_nt_current_version_base`

TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

Stage 2: `all of selection_nt_current_version`

or:
TargetObject|contains: '\Drivers32'
TargetObject|contains: '\Font Drivers'
TargetObject|contains: '\Image File Execution Options'
TargetObject|contains: '\Windows\Appinit_Dlls'
TargetObject|contains: '\Windows\IconServiceLib'
TargetObject|contains: '\Windows\Load'
TargetObject|contains: '\Windows\Run'
TargetObject|contains: '\Winlogon\AlternateShells\AvailableShells'
TargetObject|contains: '\Winlogon\AppSetup'
TargetObject|contains: '\Winlogon\GpExtensions'
TargetObject|contains: '\Winlogon\Shell'
TargetObject|contains: '\Winlogon\Taskman'
TargetObject|contains: '\Winlogon\Userinit'
TargetObject|contains: '\Winlogon\VmApplet'

Stage 3: `not 1 of filter_main_*`

or:
Details: ['DWORD (0x00000001)', 'DWORD (0x00000009)', 'DWORD (0x000003c0)']
or:
TargetObject|contains: '\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\MaxNoGPOListChangesInterval'
TargetObject|contains: '\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\PreviousPolicyAreas'
Image: 'C:\Windows\system32\svchost.exe'
or:
TargetObject|endswith: '\DisableExceptionChainValidation'
TargetObject|endswith: '\MitigationOptions'
TargetObject|contains: '\Image File Execution Options\'
Image: 'C:\Windows\System32\RuntimeBroker.exe'
TargetObject|contains: '\runtimebroker.exe\Microsoft.Windows.ShellExperienceHost'
Details: '(Empty)'
Details: null
Image: 'C:\Windows\System32\poqexec.exe'

Stage 4: `not 1 of filter_optional_*`

or:
Details: ['C:\Windows\system32\userinit.exe,', explorer.exe]
or:
Image|startswith: 'C:\Program Files (x86)\Avira\Antivirus\avguard.exe'
Image|startswith: 'C:\Program Files\Avira\Antivirus\avguard.exe'
or:
TargetObject|endswith: '\shell\UseAsDefault'
TargetObject|endswith: '\userinit\UseAsDefault'
TargetObject|contains: 'SOFTWARE\WOW6432Node\Avira\Antivirus\Overwrite_Keys\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\'
or:
Image|startswith: 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
Image|startswith: 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
Image|endswith: '\OfficeClickToRun.exe'
Details|endswith: '\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe"'
Details|startswith: 'C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\'
Image|endswith: '\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe'
TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary'
Image|endswith: '\MicrosoftEdgeUpdate.exe'
Image|startswith: 'C:\Program Files (x86)\Microsoft\Temp\'
Image|endswith: '\ngen.exe'
Image|startswith: 'C:\Windows\Microsoft.NET\Framework'
Image: 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
Image: 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
TargetObject|contains: '\ClickToRunStore\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\'
TargetObject|contains: '\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Details`	ends_with	`\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe"`
`Details`	eq	`(Empty)` corpus 24 (sigma 24) `C:\Windows\system32\userinit.exe,` `DWORD (0x00000001)` corpus 37 (sigma 37) `DWORD (0x00000009)` corpus 2 (sigma 2) `DWORD (0x000003c0)` `explorer.exe`
`Details`	starts_with	`C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\` corpus 2 (sigma 2)
`Image`	ends_with	`\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe` `\MicrosoftEdgeUpdate.exe` `\OfficeClickToRun.exe` corpus 10 (sigma 10) `\ngen.exe` corpus 3 (sigma 3)
`Image`	eq	`C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe` corpus 6 (sigma 6) `C:\Program Files\Microsoft Office\root\integration\integrator.exe` corpus 6 (sigma 6) `C:\Windows\System32\RuntimeBroker.exe` corpus 2 (sigma 2) `C:\Windows\System32\poqexec.exe` corpus 7 (sigma 7) `C:\Windows\system32\svchost.exe` corpus 5 (sigma 5)
`Image`	starts_with	`C:\Program Files (x86)\Avira\Antivirus\avguard.exe` `C:\Program Files (x86)\Microsoft\Temp\` `C:\Program Files\Avira\Antivirus\avguard.exe` `C:\Program Files\Common Files\Microsoft Shared\ClickToRun\` corpus 8 (sigma 8) `C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\` corpus 5 (sigma 5) `C:\Windows\Microsoft.NET\Framework` corpus 2 (sigma 2)
`TargetObject`	ends_with	`\DisableExceptionChainValidation` `\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary` `\MitigationOptions` `\shell\UseAsDefault` `\userinit\UseAsDefault`
`TargetObject`	match	`SOFTWARE\WOW6432Node\Avira\Antivirus\Overwrite_Keys\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\` `\ClickToRunStore\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\` `\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\` `\Drivers32` corpus 2 (sigma 2) `\Font Drivers` `\Image File Execution Options` corpus 2 (sigma 2) `\Image File Execution Options\` corpus 2 (sigma 2) `\SOFTWARE\Microsoft\Windows NT\CurrentVersion` `\Windows\Appinit_Dlls` corpus 2 (sigma 2) `\Windows\IconServiceLib` `\Windows\Load` `\Windows\Run` `\Winlogon\AlternateShells\AvailableShells` `\Winlogon\AppSetup` `\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\MaxNoGPOListChangesInterval` `\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\PreviousPolicyAreas` `\Winlogon\GpExtensions` `\Winlogon\Shell` `\Winlogon\Taskman` `\Winlogon\Userinit` `\Winlogon\VmApplet` `\runtimebroker.exe\Microsoft.Windows.ShellExperienceHost`

CurrentVersion NT Autorun Keys Modification

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: all of selection_nt_current_version_base

Stage 2: all of selection_nt_current_version

Stage 3: not 1 of filter_main_*

Stage 4: not 1 of filter_optional_*

Indicators

Stage 1: `all of selection_nt_current_version_base`

Stage 2: `all of selection_nt_current_version`

Stage 3: `not 1 of filter_main_*`

Stage 4: `not 1 of filter_optional_*`