detection.wiki

Detection rules › Sigma

Internet Explorer Autorun Keys Modification

Severity
medium
Author
Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
Source
upstream

Detects modification of autostart extensibility point (ASEP) in registry.

MITRE ATT&CK coverage

TacticTechniques
PersistenceT1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Privilege EscalationT1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Event coverage

ProviderEvent IDTitle
Sysmon13RegistryEvent (Value Set)

Stages and Predicates

Stage 1: ie

or:
TargetObject|contains: '\Software\Microsoft\Internet Explorer'
TargetObject|contains: '\Software\Wow6432Node\Microsoft\Internet Explorer'

Stage 2: ie_details

or:
TargetObject|contains: '\Explorer Bars'
TargetObject|contains: '\Extensions'
TargetObject|contains: '\Toolbar'

Stage 3: not 1 of filter_*

or:
Details: '(Empty)'
TargetObject|endswith: '\Toolbar\Locked'
TargetObject|endswith: '\Toolbar\ShellBrowser\ITBar7Layout'
TargetObject|endswith: '\Toolbar\ShowDiscussionButton'
TargetObject|contains: '\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}'
TargetObject|contains: '\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}'
TargetObject|contains: '\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}'
TargetObject|contains: '\Extensions\{A95fe080-8f5d-11d2-a20b-00aa003c157a}'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Detailseq
  • (Empty) corpus 24 (sigma 24)
TargetObjectends_with
  • \Toolbar\Locked
  • \Toolbar\ShellBrowser\ITBar7Layout
  • \Toolbar\ShowDiscussionButton
TargetObjectmatch
  • \Explorer Bars
  • \Extensions
  • \Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}
  • \Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}
  • \Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}
  • \Extensions\{A95fe080-8f5d-11d2-a20b-00aa003c157a}
  • \Software\Microsoft\Internet Explorer
  • \Software\Wow6432Node\Microsoft\Internet Explorer
  • \Toolbar