Session Manager Autorun Keys Modification

Severity: medium
Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
Source: upstream

Detects modification of autostart extensibility point (ASEP) in registry.

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1546.009` Event Triggered Execution: AppCert DLLs, `T1547.001` Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Privilege Escalation	`T1546.009` Event Triggered Execution: AppCert DLLs, `T1547.001` Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Event coverage

Provider	Event ID	Title
Sysmon	13	RegistryEvent (Value Set)

Stages and Predicates

Stage 1: `session_manager_base`

TargetObject|contains: '\System\CurrentControlSet\Control\Session Manager'

Stage 2: `session_manager`

or:
TargetObject|contains: '\AppCertDlls'
TargetObject|contains: '\BootExecute'
TargetObject|contains: '\Execute'
TargetObject|contains: '\KnownDlls'
TargetObject|contains: '\S0InitialCommand'
TargetObject|contains: '\SetupExecute'

Stage 3: `not filter`

Details: '(Empty)'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Details`	eq	`(Empty)` corpus 24 (sigma 24)
`TargetObject`	match	`\AppCertDlls` `\BootExecute` `\Execute` `\KnownDlls` `\S0InitialCommand` `\SetupExecute` `\System\CurrentControlSet\Control\Session Manager`