
Wow6432Node CurrentVersion Autorun Keys Modification

Severity: medium
Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
Source: upstream

Detects modification of an autostart extensibility point (ASEP) under the Wow6432Node CurrentVersion registry path.

MITRE ATT&CK coverage

Tactic               | Technique
Persistence          | T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Privilege Escalation | T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Event coverage

Provider | Event ID | Title
Sysmon   | 13       | RegistryEvent (Value Set)

Stages and Predicates

Stage 1: all of selection_wow_current_version_base

TargetObject|contains: '\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion'

Stage 2: all of selection_wow_current_version_keys

or:
TargetObject|contains: '\Explorer\Browser Helper Objects'
TargetObject|contains: '\Explorer\SharedTaskScheduler'
TargetObject|contains: '\Explorer\ShellExecuteHooks'
TargetObject|contains: '\Explorer\ShellIconOverlayIdentifiers'
TargetObject|contains: '\Explorer\ShellServiceObjects'
TargetObject|contains: '\RunOnceEx\'
TargetObject|contains: '\RunOnce\'
TargetObject|contains: '\RunServicesOnce\'
TargetObject|contains: '\RunServices\'
TargetObject|contains: '\Run\'
TargetObject|contains: '\ShellServiceObjectDelayLoad'

Stage 3: not 1 of filter_main_*

or:
or:
Image|contains: '\AspNetCoreSharedFrameworkBundle-'
Image|contains: '\windowsdesktop-runtime-'
Image|contains: '\winsdksetup.exe'
or:
Image|startswith: 'C:\ProgramData\Package Cache'
Image|startswith: 'C:\Windows\Temp\'
Details|endswith: ' /burn.runonce'
Details|endswith: '}\VC_redist.x64.exe" /burn.runonce'
Image|endswith: '\VC_redist.x64.exe'
Image: 'C:\WINDOWS\system32\msiexec.exe'
TargetObject|contains: '\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\'
Image|contains: 'C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{'
Image|contains: '\setup.exe'
Image|startswith: 'C:\Windows\Installer\MSI'
TargetObject|contains: '\Explorer\Browser Helper Objects'
Details: '(Empty)'
Details: null
Details|startswith: '"C:\ProgramData\Package Cache\{d21a4f20-968a-4b0c-bf04-a38da5f06e41}\windowsdesktop-runtime-'

Stage 4: not 1 of filter_optional_*

or:
Details: ['{472083B0-C522-11CF-8763-00608CC02F24}', '{472083B1-C522-11CF-8763-00608CC02F24}']
or:
TargetObject|endswith: '\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00asw\(Default)'
TargetObject|endswith: '\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avg\(Default)'
Image|endswith: '\instup.exe'
Image: ['C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe', 'C:\Program Files\Microsoft Office\root\integration\integrator.exe']
TargetObject|contains: '\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\'
or:
Image|startswith: 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
Image|startswith: 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
Image|endswith: '\OfficeClickToRun.exe'
or:
TargetObject|endswith: '\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{7037b699-7382-448c-89a7-4765961d2537}'
TargetObject|endswith: '\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{e2d1ae32-dd1d-4ad7-a298-10e42e7840fc}'
Details|endswith: '.exe" /burn.runonce'
Details|startswith: '"C:\ProgramData\Package Cache\'
Image|contains: '\windowsdesktop-runtime-'
Details|endswith: 'Discord.exe --checkInstall'
TargetObject|endswith: '\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Discord'
Details|endswith: '\Avira.OE.Setup.Bundle.exe" /burn.runonce'
Image|endswith: '\Avira.OE.Setup.Bundle.exe'
Details|endswith: 'instup.exe" /instop:repair /wait'
Image|endswith: '\instup.exe'
TargetObject|endswith: '\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\AvRepair'
Details|contains: ' /systemstartup'
Details|contains: 'C:\Program Files'
Details|contains: '\Dropbox\Client\Dropbox.exe'
Image: 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe'
TargetObject|contains: '\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\'
Details|endswith: '-A251-47B7-93E1-CDD82E34AF8B}'
Details: 'grpconv -o'
TargetObject|endswith: '\Explorer\Browser Helper Objects\{92EF2EAD-A7CE-4424-B0DB-499CF856608E}\NoExplorer'
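The four stages above, carried out in code as an added example (this is not the rule's own code nor the catalog's): a small matcher that applies the base-path check, the ASEP sub-key check and a few of the benign-activity filters to constructed Sysmon Event ID 13 records. Sigma's contains/startswith/endswith modifiers compare case-insensitively, so every value is lowercased before comparison. Only a handful of the filter_main_*/filter_optional_* groups are modelled, and the AND-grouping inside each modelled group is my reading of the flattened listing, so treat those groupings as assumptions.

```python
from typing import Any, Optional

# Stage 1: the Wow6432Node CurrentVersion path (lowercased; Sigma string matching is case-insensitive).
BASE_PATH = "\\software\\wow6432node\\microsoft\\windows\\currentversion"

# Stage 2: the ASEP sub-keys from selection_wow_current_version_keys.
ASEP_KEYS = (
    "\\explorer\\browser helper objects",
    "\\explorer\\sharedtaskscheduler",
    "\\explorer\\shellexecutehooks",
    "\\explorer\\shelliconoverlayidentifiers",
    "\\explorer\\shellserviceobjects",
    "\\runonceex\\",
    "\\runonce\\",
    "\\runservicesonce\\",
    "\\runservices\\",
    "\\run\\",
    "\\shellserviceobjectdelayload",
)


def _lc(value: Optional[str]) -> str:
    """Lowercase a possibly missing field so comparisons behave like Sigma modifiers."""
    return (value or "").lower()


def stage1_base(target_object: str) -> bool:
    """TargetObject|contains the Wow6432Node CurrentVersion path."""
    return BASE_PATH in _lc(target_object)


def stage2_asep_key(target_object: str) -> bool:
    """TargetObject|contains any of the ASEP sub-keys."""
    target = _lc(target_object)
    return any(key in target for key in ASEP_KEYS)


def benign_filter(image: Optional[str], details: Optional[str], target_object: str) -> bool:
    """Stages 3 and 4 (subset): True when a modelled filter group matches, i.e. the event is suppressed.

    Only a few groups are modelled; the AND-grouping within each one is an assumption
    made for this example, since the catalog listing flattens the rule's structure.
    """
    img, det, tgt = _lc(image), _lc(details), _lc(target_object)
    # Value written as empty, or no Details field at all (Sigma 'Details: null').
    if details is None or details == "(Empty)":
        return True
    # Office Click-to-Run updater maintaining its own keys.
    if img.endswith("\\officeclicktorun.exe"):
        return True
    # msiexec populating a Run value (assumed to be one AND-group).
    if img == "c:\\windows\\system32\\msiexec.exe" and BASE_PATH + "\\run\\" in tgt:
        return True
    # Discord's post-install self check (assumed to be one AND-group).
    if tgt.endswith(BASE_PATH + "\\run\\discord") and det.endswith("discord.exe --checkinstall"):
        return True
    return False


def evaluate(event: dict[str, Any]) -> bool:
    """Full rule: Sysmon EID 13 AND stage 1 AND stage 2 AND NOT any filter."""
    if event.get("EventID") != 13:
        return False
    target = event.get("TargetObject", "")
    if not stage1_base(target) or not stage2_asep_key(target):
        return False
    return not benign_filter(event.get("Image"), event.get("Details"), target)


# Constructed sample events for this example (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe"},
    {"EventID": 13, "Image": "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeClickToRun.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\OfficeC2R",
     "Details": "\"C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeClickToRun.exe\""},
    {"EventID": 13, "Image": "C:\\Users\\alice\\tool.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Tool",   # not Wow6432Node
     "Details": "C:\\Users\\alice\\tool.exe"},
    {"EventID": 13, "Image": "C:\\Users\\alice\\setup.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\App",  # not an ASEP key
     "Details": "App 1.0"},
    {"EventID": 12, "Image": "C:\\Users\\alice\\updater.exe",   # key create, not value set
     "TargetObject": "HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run"},
]


def triage(events: list[dict[str, Any]]) -> list[bool]:
    """Apply the rule to each event; True means the rule would fire."""
    return [evaluate(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print("ALERT " if hit else "ignore", event["TargetObject"])
```

Only the first sample fires: an unsigned-looking executable in a user temp directory writing its own path into a Wow6432Node Run value. The Office Click-to-Run write is suppressed by a filter, and the remaining three fail stage 1, stage 2, or the event-type check before any filter is consulted, which is the order in which the four stages are evaluated.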

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field | Kind | Values
Details | ends_with
  • /burn.runonce
  • -A251-47B7-93E1-CDD82E34AF8B}
  • .exe" /burn.runonce corpus 2 (sigma 2)
  • Discord.exe --checkInstall
  • \Avira.OE.Setup.Bundle.exe" /burn.runonce
  • instup.exe" /instop:repair /wait
  • }\VC_redist.x64.exe" /burn.runonce
Details | eq
  • (Empty) corpus 24 (sigma 24)
  • grpconv -o
  • {472083B0-C522-11CF-8763-00608CC02F24} corpus 2 (sigma 2)
  • {472083B1-C522-11CF-8763-00608CC02F24} corpus 2 (sigma 2)
Details | match
  • /systemstartup
  • C:\Program Files
  • \Dropbox\Client\Dropbox.exe
Details | starts_with
  • "C:\ProgramData\Package Cache\
  • "C:\ProgramData\Package Cache\{d21a4f20-968a-4b0c-bf04-a38da5f06e41}\windowsdesktop-runtime-
Image | ends_with
  • \Avira.OE.Setup.Bundle.exe
  • \OfficeClickToRun.exe corpus 10 (sigma 10)
  • \VC_redist.x64.exe
  • \instup.exe
Image | eq
  • C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe corpus 6 (sigma 6)
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
  • C:\Program Files\Microsoft Office\root\integration\integrator.exe corpus 6 (sigma 6)
  • C:\WINDOWS\system32\msiexec.exe corpus 2 (sigma 2)
Image | match
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{
  • \AspNetCoreSharedFrameworkBundle-
  • \setup.exe corpus 2 (sigma 2)
  • \windowsdesktop-runtime-
  • \winsdksetup.exe
Image | starts_with
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\ corpus 8 (sigma 8)
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\ corpus 5 (sigma 5)
  • C:\ProgramData\Package Cache
  • C:\Windows\Installer\MSI corpus 3 (sigma 3)
  • C:\Windows\Temp\ corpus 2 (sigma 2)
TargetObject | ends_with
  • \Explorer\Browser Helper Objects\{92EF2EAD-A7CE-4424-B0DB-499CF856608E}\NoExplorer
  • \SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00asw\(Default)
  • \SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avg\(Default)
  • \SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\AvRepair
  • \SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Discord
  • \WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{7037b699-7382-448c-89a7-4765961d2537}
  • \WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{e2d1ae32-dd1d-4ad7-a298-10e42e7840fc}
TargetObject | match
  • \Explorer\Browser Helper Objects corpus 2 (sigma 2)
  • \Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\
  • \Explorer\SharedTaskScheduler corpus 2 (sigma 2)
  • \Explorer\ShellExecuteHooks corpus 2 (sigma 2)
  • \Explorer\ShellIconOverlayIdentifiers corpus 2 (sigma 2)
  • \Explorer\ShellServiceObjects corpus 2 (sigma 2)
  • \Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\
  • \RunOnceEx\ corpus 2 (sigma 2)
  • \RunOnce\ corpus 2 (sigma 2)
  • \RunServicesOnce\ corpus 2 (sigma 2)
  • \RunServices\ corpus 2 (sigma 2)
  • \Run\ corpus 2 (sigma 2)
  • \SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion
  • \SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\
  • \ShellServiceObjectDelayLoad corpus 2 (sigma 2)