title: Bypass UAC Using Event Viewer
id: 674202d0-b22a-4af4-ae5f-2eda1f3da1af
status: test
description: Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification
references:
    - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-1---bypass-uac-using-event-viewer-cmd
author: frack113
date: 2022-01-05
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.010
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '_Classes\mscfile\shell\open\command\(Default)'
    filter:
        Details|startswith: '%SystemRoot%\system32\mmc.exe "%1" %'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer/info.yml
simulation:
    - type: atomic-red-team
      name: Bypass UAC using Event Viewer (cmd)
      technique: T1548.002
      atomic_guid: 5073adf8-9a50-4bd9-b298-a9bd2ead8af9

title: Creation Exe for Service with Unquoted Path
id: 8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9
status: test
description: |
    Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.
    Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.009/T1574.009.md
author: frack113
date: 2021-12-30
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.009
logsource:
    product: windows
    category: file_event
detection:
    selection:
        # Feel free to add more
        TargetFilename: 'C:\program.exe'
    condition: selection
falsepositives:
    - Unknown
level: high

title: DLL Load via LSASS
id: b3503044-60ce-4bf4-bbcb-e3db98788823
status: test
description: Detects a method to load DLL via LSASS process using an undocumented Registry key
references:
    - https://blog.xpnsec.com/exploring-mimikatz-part-1/
    - https://twitter.com/SBousseaden/status/1183745981189427200
author: Florian Roth (Nextron Systems)
date: 2019-10-16
modified: 2022-04-21
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1547.008
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt'
            - '\CurrentControlSet\Services\NTDS\LsaDbExtPt'
    filter_domain_controller:
        Image: 'C:\Windows\system32\lsass.exe'
        Details:
            - '%%systemroot%%\system32\ntdsa.dll'
            - '%%systemroot%%\system32\lsadb.dll'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: high

title: Default RDP Port Changed to Non Standard Port
id: 509e84b9-a71a-40e0-834f-05470369bd1e
status: test
description: |
    Detects changes to the default RDP port.
    Remote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface.
    Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md
author: frack113
date: 2022-01-01
modified: 2024-03-25
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.010
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber'
    filter_main_port:
        Details: DWORD (0x00000d3d) # 3389
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_change_rdp_port/info.yml
simulation:
    - type: atomic-red-team
      name: Changing RDP Port to Non Standard Port via Powershell
      technique: T1021.001
      atomic_guid: 2f840dd4-8a2e-4f44-beb3-6b2399ea3771
    - type: atomic-red-team
      name: Changing RDP Port to Non Standard Port via Command_Prompt
      technique: T1021.001
      atomic_guid: 74ace21e-a31c-4f7d-b540-53e4eb6d1f73

title: File Creation In Suspicious Directory By Msdt.EXE
id: 318557a5-150c-4c8d-b70e-a9910e199857
status: test
description: Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities
references:
    - https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd
    - https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
author: Vadim Varganov, Florian Roth (Nextron Systems)
date: 2022-08-24
modified: 2023-02-23
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
    - cve.2022-30190
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith: '\msdt.exe'
        TargetFilename|contains:
            - '\Desktop\'
            - '\Start Menu\Programs\Startup\'
            - 'C:\PerfLogs\'
            - 'C:\ProgramData\'
            - 'C:\Users\Public\'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Loading of Kernel Module via Insmod
id: 106d7cbd-80ff-4985-b682-a7043e5acb72
status: test
description: |
    Detects loading of kernel modules with insmod command.
    Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand.
    Adversaries may use LKMs to obtain persistence within the system or elevate the privileges.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md
    - https://linux.die.net/man/8/insmod
    - https://man7.org/linux/man-pages/man8/kmod.8.html
author: 'Pawel Mazur'
date: 2021-11-02
modified: 2022-12-25
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1547.006
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'SYSCALL'
        comm: insmod
        exe: /usr/bin/kmod
    condition: selection
falsepositives:
    - Unknown
level: high

title: Modify User Shell Folders Startup Value
id: 9c226817-8dc9-46c2-a58d-66655aafd7dc
related:
    - id: 8f3ab69a-aa22-4943-aa58-e0a52fdf6818
      type: similar
status: test
description: |
    Detect modification of the User Shell Folders registry values for Startup or Common Startup which could indicate persistence attempts.
    Attackers may modify User Shell Folders registry keys to point to malicious executables or scripts that will be executed during startup.
    This technique is often used to maintain persistence on a compromised system by ensuring that the malicious payload is executed automatically.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1547.001/T1547.001.md
    - https://www.welivesecurity.com/en/eset-research/muddywater-snakes-riverbank/
author: frack113, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2022-10-01
modified: 2026-01-05
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1547.001
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains:
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
        TargetObject|endswith:
            - '\Common Startup'
            - '\Startup'
    filter_main_details_null:
        Details: null
    filter_main_programdata_startup:
        Details|contains:
            - 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup'
            - '%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup'
    filter_main_userprofile_startup_1:
        Details|contains:
            - '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
            - '%%USERPROFILE%%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    filter_main_userprofile_startup_2:
        Details|contains|all:
            - 'C:\Users\'
            - '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    # Apply more filters if new legitimate paths are identified
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_susp_user_shell_folders/info.yml
simulation:
    - type: atomic-red-team
      name: Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value
      technique: T1547.001
      atomic_guid: acfef903-7662-447e-a391-9c91c2f00f7b

title: Narrator's Feedback-Hub Persistence
id: f663a6d9-9d1b-49b8-b2b1-0637914d199a
status: test
description: Detects abusing Windows 10 Narrator's Feedback-Hub
references:
    - https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html
author: Dmitriy Lifanov, oscd.community
date: 2019-10-25
modified: 2022-03-26
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_event
    product: windows
detection:
    selection1:
        EventType: DeleteValue
        TargetObject|endswith: '\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\DelegateExecute'
    selection2:
        TargetObject|endswith: '\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\(Default)'
    # Add the payload in the (Default)
    condition: 1 of selection*
falsepositives:
    - Unknown
level: high

title: New RUN Key Pointing to Suspicious Folder
id: 02ee49e2-e294-4d0f-9278-f5b3212fc588
status: experimental
description: Detects suspicious new RUN key element pointing to an executable in a suspicious folder
references:
    - https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html
    - https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2018-08-25
modified: 2025-10-06
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    selection_target:
        TargetObject|contains:
            - '\Software\Microsoft\Windows\CurrentVersion\Run'
            - '\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
            - '\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    selection_suspicious_paths_1:
        Details|contains:
            - ':\Perflogs'
            - :\ProgramData'
            - ':\Windows\Temp'
            - ':\Temp'
            - '\AppData\Local\Temp'
            - '\AppData\Roaming'
            - ':\$Recycle.bin'
            - ':\Users\Default'
            - ':\Users\public'
            - '%temp%'
            - '%tmp%'
            - '%Public%'
            - '%AppData%'
    selection_suspicious_paths_user_1:
        Details|contains: ':\Users\'
    selection_suspicious_paths_user_2:
        Details|contains:
            - '\Favorites'
            - '\Favourites'
            - '\Contacts'
            - '\Music'
            - '\Pictures'
            - '\Documents'
            - '\Photos'
    filter_main_windows_update:
        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\RunOnce\'
        Image|startswith: 'C:\Windows\SoftwareDistribution\Download\'
        Details|contains|all:
            - 'rundll32.exe '
            - 'C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32'
        Details|contains:
            - '\AppData\Local\Temp\'
            - 'C:\Windows\Temp\'
    filter_optional_spotify:
        Image|endswith:
            - 'C:\Program Files\Spotify\Spotify.exe'
            - 'C:\Program Files (x86)\Spotify\Spotify.exe'
            - '\AppData\Roaming\Spotify\Spotify.exe'
        TargetObject|endswith: 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Spotify'
        Details|endswith: 'Spotify.exe --autostart --minimized'
    condition: selection_target and (selection_suspicious_paths_1 or (all of selection_suspicious_paths_user_* )) and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Software using weird folders for updates
level: high

title: New TimeProviders Registered With Uncommon DLL Name
id: e88a6ddc-74f7-463b-9b26-f69fc0d2ce85
status: test
description: |
    Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider.
    Adversaries may abuse time providers to execute DLLs when the system boots.
    The Windows Time service (W32Time) enables time synchronization across and within domains.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.003/T1547.003.md
author: frack113
date: 2022-06-19
modified: 2024-03-26
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1547.003
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Services\W32Time\TimeProviders'
        TargetObject|endswith: '\DllName'
    filter_main_w32time:
        Details:
            - '%SystemRoot%\System32\vmictimeprovider.dll'
            - '%systemroot%\system32\w32time.dll'
            - 'C:\Windows\SYSTEM32\w32time.DLL'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

title: Potential RipZip Attack on Startup Folder
id: a6976974-ea6f-4e97-818e-ea08625c52cb
status: test
description: |
    Detects a phishing attack which expands a ZIP file containing a malicious shortcut.
    If the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder.
    Additionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.
references:
    - https://twitter.com/jonasLyk/status/1549338335243534336?t=CrmPocBGLbDyE4p6zTX1cg&s=19
author: Greg (rule)
date: 2022-07-21
modified: 2023-01-05
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547
logsource:
    category: file_event
    product: windows
detection:
    selection: # %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\target.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}\target.lnk
        TargetFilename|contains|all:
            - '\Microsoft\Windows\Start Menu\Programs\Startup'
            - '.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}'
        Image|endswith: '\explorer.exe'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Potential Startup Shortcut Persistence Via PowerShell.EXE
id: 92fa78e7-4d39-45f1-91a3-8b23f3f1088d
status: test
description: |
    Detects PowerShell writing startup shortcuts.
    This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.
    Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.
    In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL"
references:
    - https://redcanary.com/blog/intelligence-insights-october-2021/
    - https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder
author: Christopher Peacock '@securepeacock', SCYTHE
date: 2021-10-24
modified: 2023-02-23
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        TargetFilename|contains: '\start menu\programs\startup\'
        TargetFilename|endswith: '.lnk'
    condition: selection
falsepositives:
    - Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies inidicative of malware.
level: high

title: Registry Persistence Mechanisms in Recycle Bin
id: 277efb8f-60be-4f10-b4d3-037802f37167
status: test
description: Detects persistence registry keys for Recycle Bin
references:
    - https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf
    - https://persistence-info.github.io/Data/recyclebin.html
    - https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/
author: frack113
date: 2021-11-18
modified: 2022-12-06
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547
logsource:
    category: registry_event
    product: windows
detection:
    selection_create:
        EventType: RenameKey
        NewName|contains: '\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open'
    selection_set:
        EventType: SetValue
        TargetObject|contains: '\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command\(Default)'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high

title: Registry Persistence via Explorer Run Key
id: b7916c2a-fa2f-4795-9477-32b731f70f11
status: test
description: Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder
references:
    - https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/
author: Florian Roth (Nextron Systems), oscd.community
date: 2018-07-18
modified: 2023-12-11
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
        Details|contains:
            - ':\$Recycle.bin\'
            - ':\ProgramData\'
            - ':\Temp\'
            - ':\Users\Default\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp\'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Security Support Provider (SSP) Added to LSA Configuration
id: eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc
status: test
description: |
    Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.
references:
    - https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/
    - https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Install-SSP.ps1#L157
author: iwillkeepwatch
date: 2019-01-18
modified: 2026-03-30
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.005
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|endswith:
            - '\Control\Lsa\Security Packages'
            - '\Control\Lsa\OSConfig\Security Packages'
    filter_main_msiexec:
        Image:
            - 'C:\Windows\system32\msiexec.exe'
            - 'C:\Windows\syswow64\MsiExec.exe'
    filter_main_image_null:
        Image: null
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

title: Suspicious Autorun Registry Modified via WMI
id: c80e66d8-1780-48a9-b412-46663fd21ac0
status: experimental
description: |
    Detects suspicious activity where the WMIC process is used to create an autorun registry entry via reg.exe, which is often indicative of persistence mechanisms employed by malware.
references:
    - Internal Research
    - https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-17
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1547.001
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection_execution_img:
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe' # wmic process call create 'reg.exe add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Desktops /t REG_SZ /d "\"C:\Users\user\AppData\Roaming\Microsoft\tre\Desktops.exe\" random" /f'
        - ParentImage|endswith: '\wmiprvse.exe'
    selection_execution_cmd:
        CommandLine|contains|all:
            - 'reg'
            - ' add '
        CommandLine|contains:
            - '\Software\Microsoft\Windows\CurrentVersion\Run'
            - '\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
            - '\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    selection_suspicious_paths_1:
        CommandLine|contains:
            - ':\Perflogs'
            - :\ProgramData'
            - ':\Windows\Temp'
            - ':\Temp'
            - '\AppData\Local\Temp'
            - '\AppData\Roaming'
            - ':\$Recycle.bin'
            - ':\Users\Default'
            - ':\Users\public'
            - '%temp%'
            - '%tmp%'
            - '%Public%'
            - '%AppData%'
    selection_suspicious_paths_user_1:
        CommandLine|contains: ':\Users\'
    selection_suspicious_paths_user_2:
        CommandLine|contains:
            - '\Favorites'
            - '\Favourites'
            - '\Contacts'
            - '\Music'
            - '\Pictures'
            - '\Documents'
            - '\Photos'
    condition: all of selection_execution_* and (selection_suspicious_paths_1 or (all of selection_suspicious_paths_user_*))
falsepositives:
    - Legitimate administrative activity or software installations
level: high

title: Suspicious GrpConv Execution
id: f14e169e-9978-4c69-acb3-1cff8200bc36
status: test
description: Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors
references:
    - https://twitter.com/0gtweet/status/1526833181831200770
author: Florian Roth (Nextron Systems)
date: 2022-05-19
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'grpconv.exe -o'
            - 'grpconv -o'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Suspicious Run Key from Download
id: 9c5037d1-c568-49b3-88c7-9846a5bdc2be
status: test
description: Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories
references:
    - https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/
    - https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poude (Nextron Systems)
date: 2019-10-01
modified: 2025-02-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        Image|contains:
            - '\AppData\Local\Packages\Microsoft.Outlook_'
            - '\AppData\Local\Microsoft\Olk\Attachments\'
            - '\Downloads\'
            - '\Temporary Internet Files\Content.Outlook\'
            - '\Local Settings\Temporary Internet Files\'
        TargetObject|contains:
            - '\Software\Microsoft\Windows\CurrentVersion\Run'
            - '\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
            - '\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    condition: selection
falsepositives:
    - Software installers downloaded and used by users
level: high

title: Suspicious Startup Folder Persistence
id: 28208707-fe31-437f-9a7f-4b1108b94d2e
related:
    - id: 2aa0a6b4-a865-495b-ab51-c28249537b75
      type: similar
status: test
description: |
    Detects the creation of potentially malicious script and executable files in Windows startup folders, which is a common persistence technique used by threat actors.
    These files (.ps1, .vbs, .js, .bat, etc.) are automatically executed when a user logs in, making the Startup folder an attractive target for attackers.
    This technique is frequently observed in malvertising campaigns and malware distribution where attackers attempt to maintain long-term access to compromised systems.
references:
    - https://github.com/last-byte/PersistenceSniper
    - https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/
    - https://github.com/redcanaryco/atomic-red-team/blob/5ede8f21e42ebe37e0a6eff757dba60bcfa85859/atomics/T1547.001/T1547.001.md
author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2022-08-10
modified: 2025-10-12
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.t1204.002
    - attack.persistence
    - attack.t1547.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains: '\Windows\Start Menu\Programs\Startup\'
        TargetFilename|endswith:
            # Add or remove suspicious extensions according to your env needs
            - '.bat'
            - '.cmd'
            - '.dll'
            - '.hta'
            - '.jar'
            - '.js'
            - '.jse'
            - '.msi'
            - '.ps1'
            - '.psd1'
            - '.psm1'
            - '.scr'
            - '.url'
            - '.vba'
            - '.vbe'
            - '.vbs'
            - '.wsf'
    condition: selection
falsepositives:
    - Rare legitimate usage of some of the extensions mentioned in the rule
level: high

title: User Shell Folders Registry Modification via CommandLine
id: 8f3ab69a-aa22-4943-aa58-e0a52fdf6818
related:
    - id: 9c226817-8dc9-46c2-a58d-66655aafd7dc
      type: similar
status: experimental
description: |
    Detects modifications to User Shell Folders registry values via reg.exe or PowerShell, which could indicate persistence attempts.
    Attackers may modify User Shell Folders registry values to point to malicious executables or scripts that will be executed during startup.
    This technique is often used to maintain persistence on a compromised system by ensuring that malicious payloads are executed automatically.
references:
    - https://www.welivesecurity.com/en/eset-research/muddywater-snakes-riverbank/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-05
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.defense-impairment
    - attack.t1547.001
    - attack.t1112
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\reg.exe'
        - OriginalFileName:
              - 'powershell.exe'
              - 'pwsh.dll'
              - 'reg.exe'
    selection_cli_action:
        CommandLine|contains:
            - ' add ' # reg.exe modification
            - 'New-ItemProperty'
            - 'Set-ItemProperty'
            - 'si ' # short for Set-ItemProperty
    selection_cli_paths_root:
        CommandLine|contains:
            - '\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
            - '\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    selection_cli_paths_suffix:
        CommandLine|contains: 'Startup' # covers both 'Startup' and 'Common Startup'
    condition: all of selection_*
falsepositives:
    - Usage of reg.exe or PowerShell to modify User Shell Folders for legitimate purposes; but rare.
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_user_shell_folders_registry_modification/info.yml
simulation:
    - type: atomic-red-team
      name: Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value
      technique: T1547.001
      atomic_guid: acfef903-7662-447e-a391-9c91c2f00f7b

title: VBScript Payload Stored in Registry
id: 46490193-1b22-4c29-bdd6-5bf63907216f
status: test
description: Detects VBScript content stored into registry keys as seen being used by UNC2452 group
references:
    - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
author: Florian Roth (Nextron Systems)
date: 2021-03-05
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: 'Software\Microsoft\Windows\CurrentVersion'
        Details|contains:
            - 'vbscript:'
            - 'jscript:'
            - 'mshtml,'
            - 'RunHTMLApplication'
            - 'Execute('
            - 'CreateObject'
            - 'window.close'
    filter:
        TargetObject|contains: 'Software\Microsoft\Windows\CurrentVersion\Run'
    filter_dotnet:
        Image|endswith: '\msiexec.exe'
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\'
        Details|contains:
            - '\Microsoft.NET\Primary Interop Assemblies\Microsoft.mshtml.dll'
            - '<\Microsoft.mshtml,fileVersion='
            - '_mshtml_dll_'
            - '<\Microsoft.mshtml,culture='
    condition: selection and not 1 of filter*
falsepositives:
    - Unknown
level: high

title: WINEKEY Registry Modification
id: b98968aa-dbc0-4a9c-ac35-108363cbf8d5
status: test
description: Detects potential malicious modification of run keys by winekey or team9 backdoor
references:
    - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
author: omkar72
date: 2020-10-30
modified: 2021-11-27
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|endswith: 'Software\Microsoft\Windows\CurrentVersion\Run\Backup Mgr'
    condition: selection
falsepositives:
    - Unknown
level: high

title: WinRAR Creating Files in Startup Locations
id: 74a2b37d-fea4-41e0-9ac7-c9fbcf1f60cc
status: experimental
description: |
    Detects WinRAR creating files in Windows startup locations, which may indicate an attempt to establish persistence by adding malicious files to the Startup folder.
    This kind of behaviour has been associated with exploitation of WinRAR path traversal vulnerability CVE-2025-6218 or CVE-2025-8088.
references:
    - https://github.com/mulwareX/CVE-2025-6218-POC
    - https://x.com/0x534c/status/1944694507787710685
    - https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-16
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith:
            - '\WinRAR.exe'
            - '\Rar.exe'
        TargetFilename|contains: '\Start Menu\Programs\Startup\'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Windows Event Log Access Tampering Via Registry
id: ba226dcf-d390-4642-b9af-b534872f1156
status: experimental
description: |
    Detects changes to the Windows EventLog channel permission values. It focuses on changes to the Security Descriptor Definition Language (SDDL) string, as modifications to these values can restrict access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel. Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil".
references:
    - https://www.atomicredteam.io/atomic-red-team/atomics/T1562.002#atomic-test-8---modify-event-log-channel-access-permissions-via-registry---powershell
    - https://www.youtube.com/watch?v=uSYvHUVU8xY
    - https://learn.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-definition-language
author: X__Junior
date: 2025-01-16
modified: 2025-08-16
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.defense-impairment
    - attack.t1547.001
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    # O:SYG:SYD:(D;;0x1;;;WD)
    # O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(D;;0x1;;;WD)
    selection_key_1:
        TargetObject|contains: '\SYSTEM\CurrentControlSet\Services\EventLog\'
        TargetObject|endswith: '\CustomSD'
    selection_key_2:
        TargetObject|contains:
            - '\Policies\Microsoft\Windows\EventLog\'
            - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels'
        TargetObject|endswith: '\ChannelAccess'
    selection_details:
        - Details|contains: 'D:(D;'
        - Details|contains|all:
              - 'D:('
              - ')(D;'
    filter_main_trustedinstaller:
        Image: 'C:\Windows\servicing\TrustedInstaller.exe'
    filter_main_tiworker:
        Image|startswith: 'C:\Windows\WinSxS\'
        Image|endswith: '\TiWorker.exe'
    filter_optional_empty:
        Image: ''
    filter_optional_null:
        Image: null
    condition: 1 of selection_key_* and selection_details and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Administrative activity, still unlikely
level: high

title: Winlogon Notify Key Logon Persistence
id: bbf59793-6efb-4fa1-95ca-a7d288e52c88
status: test
description: |
    Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.
    Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md#atomic-test-3---winlogon-notify-key-logon-persistence---powershell
author: frack113
date: 2021-12-30
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.004
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logon'
        Details|endswith: '.dll'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Add Port Monitor Persistence in Registry
id: 944e8941-f6f6-4ee8-ac05-1c224e923c0e
status: test
description: |
    Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.
    A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.010/T1547.010.md
author: frack113
date: 2021-12-30
modified: 2024-03-25
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.010
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Control\Print\Monitors\'
        Details|endswith: '.dll'
    filter_optional_cutepdf:
        Image: 'C:\Windows\System32\spoolsv.exe'
        TargetObject|contains: '\Control\Print\Monitors\CutePDF Writer Monitor v4.0\Driver'
        Details: 'cpwmon64_v40.dll'
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    filter_optional_monvnc:
        TargetObject|contains: '\Control\Print\Monitors\MONVNC\Driver'
    filter_optional_vnc:
        TargetObject|contains|all:
            - 'Control\Print\Environments\'
            - '\Drivers\'
            - '\VNC Printer'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_add_port_monitor/info.yml
simulation:
    - type: atomic-red-team
      name: Add Port Monitor persistence in Registry
      technique: T1547.010
      atomic_guid: d34ef297-f178-4462-871e-9ce618d44e50

title: Atbroker Registry Change
id: 9577edbb-851f-4243-8c91-1d5b50c1a39b
status: test
description: Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'
references:
    - http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
    - https://lolbas-project.github.io/lolbas/Binaries/Atbroker/
author: Mateusz Wydra, oscd.community
date: 2020-10-13
modified: 2023-01-19
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1218
    - attack.persistence
    - attack.t1547
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|contains:
            - 'Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs'
            - 'Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration'
    filter_atbroker:
        Image: 'C:\Windows\system32\atbroker.exe'
        TargetObject|contains: '\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration'
        Details: '(Empty)'
    filter_uninstallers:
        Image|startswith: 'C:\Windows\Installer\MSI'
        TargetObject|contains: 'Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs'
    condition: selection and not 1 of filter_*
falsepositives:
    - Creation of non-default, legitimate at usage
level: medium

title: Classes Autorun Keys Modification
id: 9df5f547-c86a-433e-b533-f2794357e242
related:
    - id: 17f878b8-9968-4578-b814-c4217fc5768c
      type: obsolete
status: test
description: |
    Detects modification of Windows Registry Classes keys used for persistence.
    Adversaries modify these autostart extensibility points (ASEP) to execute malicious code when file types are opened or actions are performed.
    Various legitimate software also uses these keys. Currently, this rule only filters out known legitimate software paths,
    thus it is recommended to review and tune filters for your environment to reduce false positives before deploying to production.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2025-10-22
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    selection_classes_base:
        TargetObject|contains: '\Software\Classes'
    selection_classes_target:
        TargetObject|contains:
            - '\Folder\ShellEx\ExtShellFolderViews'
            - '\Folder\ShellEx\DragDropHandlers'
            - '\Folder\Shellex\ColumnHandlers'
            - '\Filter'
            - '\Exefile\Shell\Open\Command\(Default)'
            - '\Directory\Shellex\DragDropHandlers'
            - '\Directory\Shellex\CopyHookHandlers'
            - '\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance'
            - '\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance'
            - '\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance'
            - '\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance'
            - '\Classes\AllFileSystemObjects\ShellEx\DragDropHandlers'
            - '\.exe'
            - '\.cmd'
            - '\ShellEx\PropertySheetHandlers'
            - '\ShellEx\ContextMenuHandlers'
    filter_main_drivers:
        Image: 'C:\Windows\System32\drvinst.exe'
    filter_main_empty:
        Details: '(Empty)'
    filter_main_null:
        Details: null
    filter_main_svchost:
        Image: 'C:\Windows\System32\svchost.exe'
        # If more targets are found from "svchost". Please exclude the whole image
        TargetObject|contains: '\lnkfile\shellex\ContextMenuHandlers\'
    filter_optional_msoffice:
        Details: '{807583E5-5146-11D5-A672-00B0D022E945}'
    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
    - Legitimate administrator sets up autorun keys for legitimate reason
level: medium

title: Common Autorun Keys Modification
id: f59c3faf-50f3-464b-9f4c-1b67ab512d99
related:
    - id: 17f878b8-9968-4578-b814-c4217fc5768c
      type: obsolete
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
    - https://persistence-info.github.io/Data/userinitmprlogonscript.html # UserInitMprLogonScript
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name)
date: 2019-10-25
modified: 2025-10-22
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStart'
            - '\Software\Wow6432Node\Microsoft\Command Processor\Autorun'
            - '\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components'
            - '\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnDisconnect'
            - '\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnConnect'
            - '\SYSTEM\Setup\CmdLine'
            - '\Software\Microsoft\Ctf\LangBarAddin'
            - '\Software\Microsoft\Command Processor\Autorun'
            - '\SOFTWARE\Microsoft\Active Setup\Installed Components'
            - '\SOFTWARE\Classes\Protocols\Handler'
            - '\SOFTWARE\Classes\Protocols\Filter'
            - '\SOFTWARE\Classes\Htmlfile\Shell\Open\Command\(Default)'
            - '\Environment\UserInitMprLogonScript'
            - '\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop\Scrnsave.exe'
            - '\Software\Microsoft\Internet Explorer\UrlSearchHooks'
            - '\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components'
            - '\Software\Classes\Clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\Inprocserver32'
            - '\Control Panel\Desktop\Scrnsave.exe'
    filter_main_empty:
        Details: '(Empty)'
    filter_main_null:
        Details: null
    filter_main_poqexec:
        Image: 'C:\Windows\System32\poqexec.exe'
    filter_optional_msoffice:
        - TargetObject|contains:
              - '\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\PROTOCOLS\Handler\'
              - '\ClickToRunStore\HKMU\SOFTWARE\Classes\PROTOCOLS\Handler\'
        - Details:
              - '{314111c7-a502-11d2-bbca-00c04f8ec294}'
              - '{3459B272-CC19-4448-86C9-DDC3B4B2FAD3}'
              - '{42089D2D-912D-4018-9087-2B87803E93FB}'
              - '{5504BE45-A83B-4808-900A-3A5C36E7F77A}'
              - '{807583E5-5146-11D5-A672-00B0D022E945}'
    filter_optional_chrome:
        TargetObject|contains: '\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}'
    filter_optional_edge:
        TargetObject|contains: '\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}'
    filter_optional_IE:
        TargetObject|contains: '\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}'
    filter_optional_integrator:
        Image:
            - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
            - 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
    filter_optional_office:
        Image|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
        Image|endswith: '\OfficeClickToRun.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
    - Legitimate administrator sets up autorun keys for legitimate reason
level: medium

title: CurrentControlSet Autorun Keys Modification
id: f674e36a-4b91-431e-8aef-f8a96c2aca35
related:
    - id: 17f878b8-9968-4578-b814-c4217fc5768c
      type: obsolete
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    system_control_base:
        TargetObject|contains: '\SYSTEM\CurrentControlSet\Control'
    system_control_keys:
        TargetObject|contains:
            - '\Terminal Server\WinStations\RDP-Tcp\InitialProgram'
            - '\Terminal Server\Wds\rdpwd\StartupPrograms'
            - '\SecurityProviders\SecurityProviders'
            - '\SafeBoot\AlternateShell'
            - '\Print\Providers'
            - '\Print\Monitors'
            - '\NetworkProvider\Order'
            - '\Lsa\Notification Packages'
            - '\Lsa\Authentication Packages'
            - '\BootVerificationProgram\ImagePath'
    filter_empty:
        Details: '(Empty)'
    filter_cutepdf:
        Image: 'C:\Windows\System32\spoolsv.exe'
        TargetObject|contains: '\Print\Monitors\CutePDF Writer Monitor'
        Details:
            - 'cpwmon64_v40.dll'
            - 'CutePDF Writer'
    filter_onenote:
        Image: C:\Windows\System32\spoolsv.exe
        TargetObject|contains: 'Print\Monitors\Appmon\Ports\Microsoft.Office.OneNote_'
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    filter_poqexec:
        Image: 'C:\Windows\System32\poqexec.exe'
        TargetObject|endswith: '\NetworkProvider\Order\ProviderOrder'
    filter_realvnc:
        Image: 'C:\Windows\System32\spoolsv.exe'
        TargetObject|endswith: '\Print\Monitors\MONVNC\Driver'
        Details: 'VNCpm.dll'
    condition: all of system_control_* and not 1 of filter_*
falsepositives:
    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
    - Legitimate administrator sets up autorun keys for legitimate reason
level: medium

title: CurrentVersion Autorun Keys Modification
id: 20f0ee37-5942-4e45-b7d5-c5b5db9df5cd
related:
    - id: 17f878b8-9968-4578-b814-c4217fc5768c
      type: obsolete
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
    - https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2025-10-22
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    selection_current_version_base:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion'
    selection_current_version_keys:
        TargetObject|contains:
            - '\ShellServiceObjectDelayLoad'
            - '\Run\'
            - '\RunOnce\'
            - '\RunOnceEx\'
            - '\RunServices\'
            - '\RunServicesOnce\'
            - '\Policies\System\Shell'
            - '\Policies\Explorer\Run'
            - '\Group Policy\Scripts\Startup'
            - '\Group Policy\Scripts\Shutdown'
            - '\Group Policy\Scripts\Logon'
            - '\Group Policy\Scripts\Logoff'
            - '\Explorer\ShellServiceObjects'
            - '\Explorer\ShellIconOverlayIdentifiers'
            - '\Explorer\ShellExecuteHooks'
            - '\Explorer\SharedTaskScheduler'
            - '\Explorer\Browser Helper Objects'
            - '\Authentication\PLAP Providers'
            - '\Authentication\Credential Providers'
            - '\Authentication\Credential Provider Filters'
    filter_main_generic_all:
        - Details: '(Empty)'
        - TargetObject|endswith: '\NgcFirst\ConsecutiveSwitchCount'
        - Image|endswith:
              - '\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe' # C:\Users\*\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
              - '\AppData\Roaming\Spotify\Spotify.exe'
              - '\AppData\Local\WebEx\WebexHost.exe'
        - Image:
              - 'C:\WINDOWS\system32\devicecensus.exe'
              - 'C:\Windows\system32\winsat.exe'
              - 'C:\Program Files\Microsoft OneDrive\StandaloneUpdater\OneDriveSetup.exe'
              - 'C:\Program Files (x86)\Microsoft OneDrive\StandaloneUpdater\OneDriveSetup.exe'
              - 'C:\Program Files\Microsoft OneDrive\Update\OneDriveSetup.exe'
              - 'C:\Program Files (x86)\Microsoft OneDrive\Update\OneDriveSetup.exe'
              - 'C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe'
              - 'C:\Program Files (x86)\Microsoft Office\root\integration\Addons\OneDriveSetup.exe'
              - 'C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe'
              - 'C:\Program Files\Everything\Everything.exe'
              - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
              - 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
    filter_main_null:
        Details: null
    filter_main_logonui:
        Image: 'C:\Windows\system32\LogonUI.exe'
        TargetObject|contains:
            - '\Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}\'  # PIN
            - '\Authentication\Credential Providers\{BEC09223-B018-416D-A0AC-523971B639F5}\'  # fingerprint
            - '\Authentication\Credential Providers\{8AF662BF-65A0-4D0A-A540-A338A999D36F}\'  # facial recognizion
            - '\Authentication\Credential Providers\{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}\'  # Trusted Signal (Phone proximity, Network location)
    filter_main_edge:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\'
            - 'C:\Program Files (x86)\Microsoft\EdgeWebView\'
            - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
    filter_main_defender:
        Image: 'C:\Program Files\Windows Defender\MsMpEng.exe'
    filter_main_teams:
        Image|endswith: '\Microsoft\Teams\current\Teams.exe'
        Details|contains: '\Microsoft\Teams\Update.exe --processStart '
    filter_main_ctfmon:
        Image: 'C:\Windows\system32\userinit.exe'
        Details: 'ctfmon.exe /n'
    filter_optional_dropbox:
        Image: 'C:\Windows\system32\regsvr32.exe'
        TargetObject|contains: 'DropboxExt'
        Details|endswith: 'A251-47B7-93E1-CDD82E34AF8B}'
    filter_optional_opera_1:
        TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Opera Browser Assistant'
        Details: 'C:\Program Files\Opera\assistant\browser_assistant.exe'
    filter_optional_opera_2:
        TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Run\Opera Stable'
        Details:
            - 'C:\Program Files\Opera\launcher.exe'
            - 'C:\Program Files (x86)\Opera\launcher.exe'
    filter_optional_itunes:
        TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iTunesHelper'
        Details: '"C:\Program Files\iTunes\iTunesHelper.exe"'
    filter_optional_zoom:
        TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zoommsirepair'
        Details: '"C:\Program Files\Zoom\bin\installer.exe" /repair'
    filter_optional_greenshot:
        TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Greenshot'
        Details: 'C:\Program Files\Greenshot\Greenshot.exe'
    filter_optional_googledrive1:
        TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Run\GoogleDriveFS'
        Details|startswith: 'C:\Program Files\Google\Drive File Stream\'
        Details|contains: '\GoogleDriveFS.exe'
    filter_optional_googledrive2:
        TargetObject|contains: 'GoogleDrive'
        Details:
            - '{CFE8B367-77A7-41D7-9C90-75D16D7DC6B6}'
            - '{A8E52322-8734-481D-A7E2-27B309EF8D56}'
            - '{C973DA94-CBDF-4E77-81D1-E5B794FBD146}'
            - '{51EF1569-67EE-4AD6-9646-E726C3FFC8A2}'
    filter_optional_onedrive:
        Details|startswith:
            - 'C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\'
            - 'C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\'
        Details|contains: '\AppData\Local\Microsoft\OneDrive\'
    filter_optional_python:
        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\RunOnce\{'
        Details|contains|all:
            - '\AppData\Local\Package Cache\{'
            - '}\python-'
        Details|endswith: '.exe" /burn.runonce'
    filter_optional_officeclicktorun:
        Image|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
            - 'C:\Program Files (x86)\Common Files\Microsoft Shared\ClickToRun\'
        Image|endswith: '\OfficeClickToRun.exe'
    filter_optional_teams:
        Image|endswith: '\Microsoft\Teams\current\Teams.exe'
        Details|contains: '\Microsoft\Teams\Update.exe --processStart'
    filter_optional_AVG_setup:
        Image|contains:
            - 'C:\Program Files\AVG\Antivirus\Setup\'
            - 'C:\Program Files (x86)\AVG\Antivirus\Setup\'
            - '\instup.exe'
        Details:
            - '"C:\Program Files\AVG\Antivirus\AvLaunch.exe" /gui'
            - '"C:\Program Files (x86)\AVG\Antivirus\AvLaunch.exe" /gui'
            - '{472083B0-C522-11CF-8763-00608CC02F24}'
            - '{472083B1-C522-11CF-8763-00608CC02F24}'
    filter_optional_Avast:
        Image|contains:
            - 'C:\Program Files\Avast Software\Avast\Setup\'
            - 'C:\Program Files (x86)\Avast Software\Avast\Setup\'
            - '\instup.exe'
        Details:
            - '"C:\Program Files\Avast Software\Avast\AvLaunch.exe" /gui'
            - '"C:\Program Files (x86)\Avast Software\Avast\AvLaunch.exe" /gui'
    filter_optional_AVG_avgtoolsvc:
        Image:
            - 'C:\Program Files\AVG\Antivirus\avgToolsSvc.exe'
            - 'C:\Program Files (x86)\AVG\Antivirus\avgToolsSvc.exe'
        TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\'
        Details: 'Binary Data'
    filter_optional_aurora_dashboard:
        Image|endswith:
            - '\aurora-agent-64.exe'
            - '\aurora-agent.exe'
        TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Run\aurora-dashboard'
        Details: 'C:\Program Files\Aurora-Agent\tools\aurora-dashboard.exe'
    filter_optional_everything:
        TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Run\Everything'
        Details|endswith: '\Everything\Everything.exe" -startup' # We remove the starting part as it could be installed in different locations
    filter_optional_discord:
        TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Run\Discord'
        Details|endswith: '\Discord\Update.exe --processStart Discord.exe'
    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
    - Legitimate administrator sets up autorun keys for legitimate reason
level: medium

title: CurrentVersion NT Autorun Keys Modification
id: cbf93e5d-ca6c-4722-8bea-e9119007c248
related:
    - id: 17f878b8-9968-4578-b814-c4217fc5768c
      type: obsolete
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2025-10-22
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    selection_nt_current_version_base:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    selection_nt_current_version:
        TargetObject|contains:
            - '\Winlogon\VmApplet'
            - '\Winlogon\Userinit'
            - '\Winlogon\Taskman'
            - '\Winlogon\Shell'
            - '\Winlogon\GpExtensions'
            - '\Winlogon\AppSetup'
            - '\Winlogon\AlternateShells\AvailableShells'
            - '\Windows\IconServiceLib'
            - '\Windows\Appinit_Dlls'
            - '\Image File Execution Options' # Covered in better details in 36803969-5421-41ec-b92f-8500f79c23b0
            - '\Font Drivers'
            - '\Drivers32'
            - '\Windows\Run'
            - '\Windows\Load'
    filter_main_empty:
        Details: '(Empty)'
    filter_main_null:
        Details: null
    filter_main_poqexec:
        Image: 'C:\Windows\System32\poqexec.exe'
    filter_main_legitimate_subkey:  # Legitimately used subkeys of \Image File Execution Options, which are not used for persistence (see https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/)
        TargetObject|contains: '\Image File Execution Options\'
        TargetObject|endswith:
            - '\DisableExceptionChainValidation'
            - '\MitigationOptions'
    filter_main_security_extension_dc:
        Image: 'C:\Windows\system32\svchost.exe'
        TargetObject|contains:
            - '\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\PreviousPolicyAreas'
            - '\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\MaxNoGPOListChangesInterval'
        Details:
            - 'DWORD (0x00000001)'
            - 'DWORD (0x00000009)'
            - 'DWORD (0x000003c0)'
    filter_main_runtimebroker:
        Image: 'C:\Windows\System32\RuntimeBroker.exe'
        TargetObject|contains: '\runtimebroker.exe\Microsoft.Windows.ShellExperienceHost'
    filter_optional_edge:
        Image|startswith: 'C:\Program Files (x86)\Microsoft\Temp\'
        Image|endswith: '\MicrosoftEdgeUpdate.exe'
    filter_optional_avguard:
        Image|startswith:
            - 'C:\Program Files (x86)\Avira\Antivirus\avguard.exe'
            - 'C:\Program Files\Avira\Antivirus\avguard.exe'
        TargetObject|contains: 'SOFTWARE\WOW6432Node\Avira\Antivirus\Overwrite_Keys\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\'
        TargetObject|endswith:
            - '\userinit\UseAsDefault'
            - '\shell\UseAsDefault'
        Details:
            - 'explorer.exe'
            - 'C:\Windows\system32\userinit.exe,'
    filter_optional_msoffice:
        - TargetObject|contains:
              - '\ClickToRunStore\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\'
              - '\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\'
        - Image:
              - 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
              - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
    filter_optional_officeclicktorun:
        Image|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
        Image|endswith: '\OfficeClickToRun.exe'
    filter_optional_ngen:
        Image|startswith: 'C:\Windows\Microsoft.NET\Framework'
        Image|endswith: '\ngen.exe'
    filter_optional_onedrive:
        Image|endswith: '\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe'
        TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary'
        Details|startswith: 'C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\'
        Details|endswith: '\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe"'
    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
    - Legitimate administrator sets up autorun keys for legitimate reason
level: medium

title: Desktop.INI Created by Uncommon Process
id: 81315b50-6b60-4d8f-9928-3466e1022515
status: test
description: Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
references:
    - https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)
date: 2020-03-19
modified: 2025-12-09
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.009
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith: '\desktop.ini'
    filter_main_generic:
        Image|startswith:
            - 'C:\Windows\'
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    filter_main_upgrade:
        TargetFilename|startswith: 'C:\$WINDOWS.~BT\NewOS\'
    filter_optional_jetbrains:
        Image|startswith: 'C:\Users\'
        Image|endswith: '\AppData\Local\JetBrains\Toolbox\bin\7z.exe'
        TargetFilename|contains: '\JetBrains\apps\'
    filter_optional_onedrive:
        Image|startswith: 'C:\Users\'
        Image|contains: '\AppData\Local\Microsoft\OneDrive\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Operations performed through Windows SCCM or equivalent
    - Read only access list authority
level: medium

title: Direct Autorun Keys Modification
id: 24357373-078f-44ed-9ac4-6d334a668a11
status: test
description: Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2019-10-25
modified: 2026-01-05
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_cli_add:
        CommandLine|contains: 'add'     # to avoid intersection with discovery tactic rules
    selection_cli_keys:
        CommandLine|contains:           # need to improve this list, there are plenty of ASEP reg keys
            - '\software\Microsoft\Windows\CurrentVersion\Run' # Also covers the strings "RunOnce", "RunOnceEx", "RunServices", "RunServicesOnce"
            - '\software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
            - '\software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
            - '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit'
            - '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell'
            - '\software\Microsoft\Windows NT\CurrentVersion\Windows'
            - '\system\CurrentControlSet\Control\SafeBoot\AlternateShell'
    condition: all of selection_*
falsepositives:
    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.
    - Legitimate administrator sets up autorun keys for legitimate reasons.
    - Discord
level: medium

title: Internet Explorer Autorun Keys Modification
id: a80f662f-022f-4429-9b8c-b1a41aaa6688
related:
    - id: 17f878b8-9968-4578-b814-c4217fc5768c
      type: obsolete
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    ie:
        TargetObject|contains:
            - '\Software\Wow6432Node\Microsoft\Internet Explorer'
            - '\Software\Microsoft\Internet Explorer'
    ie_details:
        TargetObject|contains:
            - '\Toolbar'
            - '\Extensions'
            - '\Explorer Bars'
    filter_empty:
        Details: '(Empty)'
    filter_extensions:
        TargetObject|contains:
            - '\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}'
            - '\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}'
            - '\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}'
            - '\Extensions\{A95fe080-8f5d-11d2-a20b-00aa003c157a}'
    filter_toolbar:
        TargetObject|endswith:
            - '\Toolbar\ShellBrowser\ITBar7Layout'
            - '\Toolbar\ShowDiscussionButton'
            - '\Toolbar\Locked'
    condition: ie and ie_details and not 1 of filter_*
falsepositives:
    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
    - Legitimate administrator sets up autorun keys for legitimate reason
level: medium

title: MITRE BZAR Indicators for Persistence
id: 53389db6-ba46-48e3-a94c-e0f2cefe1583
status: test
description: 'Windows DCE-RPC functions which indicate a persistence techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.'
references:
    - https://github.com/mitre-attack/bzar#indicators-for-attck-persistence
author: '@neu5ron, SOC Prime'
date: 2020-03-19
modified: 2021-11-27
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.004
logsource:
    product: zeek
    service: dce_rpc
detection:
    op1:
        endpoint: 'spoolss'
        operation: 'RpcAddMonitor'
    op2:
        endpoint: 'spoolss'
        operation: 'RpcAddPrintProcessor'
    op3:
        endpoint: 'IRemoteWinspool'
        operation: 'RpcAsyncAddMonitor'
    op4:
        endpoint: 'IRemoteWinspool'
        operation: 'RpcAsyncAddPrintProcessor'
    op5:
        endpoint: 'ISecLogon'
        operation: 'SeclCreateProcessWithLogonW'
    op6:
        endpoint: 'ISecLogon'
        operation: 'SeclCreateProcessWithLogonExW'
    condition: 1 of op*
falsepositives:
    - Windows administrator tasks or troubleshooting
    - Windows management scripts or software
level: medium

title: New Custom Shim Database Created
id: ee63c85c-6d51-4d12-ad09-04e25877a947
status: test
description: |
    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.
    The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory
    - https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence
    - https://liberty-shell.com/sec/2020/02/25/shim-persistence/
    - https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-29
modified: 2023-12-06
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.009
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains:
            - ':\Windows\apppatch\Custom\'
            - ':\Windows\apppatch\CustomSDB\'
    condition: selection
falsepositives:
    - Legitimate custom SHIM installations will also trigger this rule
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_creation_new_shim_database/info.yml

title: Office Autorun Keys Modification
id: baecf8fb-edbf-429f-9ade-31fc3f22b970
related:
    - id: 17f878b8-9968-4578-b814-c4217fc5768c
      type: obsolete
status: test
description: |
    Detects modification of autostart extensibility point (ASEP) in registry. Adversaries may modify these keys to execute malicious code when Office files are opened.
    There are various legitimate add-ins that also use these keys and this filter list might not be exhaustive.
    Thus, it is recommended to review and tune filters for your environment to reduce false positives before deploying to production.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2026-01-09
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    selection_office_root:
        TargetObject|contains:
            - '\Software\Wow6432Node\Microsoft\Office'
            - '\Software\Microsoft\Office'
    selection_office_details:
        TargetObject|contains:
            - '\Word\Addins'
            - '\PowerPoint\Addins'
            - '\Outlook\Addins'
            - '\Onenote\Addins'
            - '\Excel\Addins'
            - '\Access\Addins'
            - 'test\Special\Perf'
    filter_main_empty:
        Details: '(Empty)'
    filter_main_null:
        Details: null
    filter_main_known_addins:
        Image|startswith:
            - 'C:\Program Files\Microsoft Office\'
            - 'C:\Program Files (x86)\Microsoft Office\'
            - 'C:\PROGRA~2\MICROS~2\Office'
            - 'C:\Windows\System32\msiexec.exe'
            - 'C:\Windows\SysWOW64\msiexec.exe'
            - 'C:\Windows\System32\regsvr32.exe'
            - 'C:\Windows\SysWOW64\regsvr32.exe '
        TargetObject|contains:
            # Remove any unused addins in your environment from the filter
            # Known addins for excel
            - '\Excel\Addins\AdHocReportingExcelClientLib.AdHocReportingExcelClientAddIn.1\'
            - '\Excel\Addins\ExcelPlugInShell.PowerMapConnect\'
            - '\Excel\Addins\NativeShim\'
            - '\Excel\Addins\NativeShim.InquireConnector.1\'
            - '\Excel\Addins\PowerPivotExcelClientAddIn.NativeEntry.1\'
            # Known addins for outlook
            - '\Outlook\AddIns\AccessAddin.DC\'
            - '\Outlook\AddIns\ColleagueImport.ColleagueImportAddin\'
            - '\Outlook\AddIns\EvernoteCC.EvernoteContactConnector\'
            - '\Outlook\AddIns\EvernoteOLRD.Connect\'
            # - '\Outlook\Addins\GrammarlyAddIn.Connect' # Uncomment if you use Grammarly
            - '\Outlook\Addins\\OneNote.OutlookAddin'
            - '\Outlook\Addins\DriveFSExtensionLib.Connect\' # An Outlook Add-in to talk with Google Drive
            - '\Outlook\Addins\GoogleAppsSync.Connect\' # Google Apps Sync for Microsoft Outlook
            - '\Outlook\Addins\Microsoft.VbaAddinForOutlook.1\'
            - '\Outlook\Addins\OcOffice.OcForms\'
            - '\Outlook\Addins\OscAddin.Connect\'
            - '\Outlook\Addins\OutlookChangeNotifier.Connect\'
            - '\Outlook\Addins\UCAddin.LyncAddin.1'
            - '\Outlook\Addins\UCAddin.UCAddin.1'
            - '\Outlook\Addins\UmOutlookAddin.FormRegionAddin\'
            - 'AddinTakeNotesService\FriendlyName'
    filter_main_officeclicktorun:
        Image|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
        Image|endswith: '\OfficeClickToRun.exe'
    filter_main_vsto:
        Image|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\VSTO\'
            - 'C:\Program Files (x86)\Microsoft Shared\VSTO\'
        Image|endswith: '\VSTOInstaller.exe'
    filter_optional_avg:
        Image:
            - 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
            - 'C:\Program Files\AVG\Antivirus\x86\RegSvr.exe'
        TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\'
    filter_optional_avast:
        Image:
            - 'C:\Program Files\Avast Software\Avast\RegSvr.exe'
            - 'C:\Program Files\Avast Software\Avast\x86\RegSvr.exe'
        TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Avast.AsOutExt\'
    # These filters are not exhaustive, filter can be expanded based on environment
    condition: all of selection_office_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate software or add-in installations and administrative configurations
    - Automatic registry modifications during legitimate software installations
level: medium

title: Potential Persistence Attempt Via Run Keys Using Reg.EXE
id: de587dce-915e-4218-aac4-835ca6af6f70
status: test
description: Detects suspicious command line reg.exe tool adding key to RUN key in Registry
references:
    - https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/
    - https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
    - https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2021-06-28
modified: 2025-02-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\reg.exe'
        CommandLine|contains|all:
            - 'reg'
            - ' add '
        CommandLine|contains:
            - 'Software\Microsoft\Windows\CurrentVersion\Run'
            - '\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
            - '\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    condition: selection
falsepositives:
    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.
    - Legitimate administrator sets up autorun keys for legitimate reasons.
    - Discord
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_reg_add_run_key/info.yml

title: Potential Suspicious Activity Using SeCEdit
id: c2c76b77-32be-4d1f-82c9-7e544bdfe0eb
status: test
description: Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy
references:
    - https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit
author: Janantha Marasinghe
date: 2022-11-18
modified: 2022-12-30
tags:
    - attack.collection
    - attack.discovery
    - attack.persistence
    - attack.credential-access
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.defense-impairment
    - attack.t1685.001
    - attack.t1547.001
    - attack.t1505.005
    - attack.t1556.002
    - attack.t1685
    - attack.t1574.007
    - attack.t1564.002
    - attack.t1546.008
    - attack.t1546.007
    - attack.t1547.014
    - attack.t1547.010
    - attack.t1547.002
    - attack.t1557
    - attack.t1082
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\secedit.exe'
        - OriginalFileName: 'SeCEdit'
    selection_flags_discovery:
        CommandLine|contains|all:
            - '/export'
            - '/cfg'
    selection_flags_configure:
        CommandLine|contains|all:
            - '/configure'
            - '/db'
    # filter:
    #     SubjectUserName|endswith: '$'  SubjectUserName is from event ID 4719 in the Windows Security log
    condition: selection_img and (1 of selection_flags_*)
falsepositives:
    - Legitimate administrative use
level: medium

title: Session Manager Autorun Keys Modification
id: 046218bd-e0d8-4113-a3c3-895a12b2b298
related:
    - id: 17f878b8-9968-4578-b814-c4217fc5768c
      type: obsolete
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
    - attack.t1546.009
logsource:
    category: registry_set
    product: windows
detection:
    session_manager_base:
        TargetObject|contains: '\System\CurrentControlSet\Control\Session Manager'
    session_manager:
        TargetObject|contains:
            - '\SetupExecute'
            - '\S0InitialCommand'
            - '\KnownDlls'
            - '\Execute'
            - '\BootExecute'
            - '\AppCertDlls'
    filter:
        Details: '(Empty)'
    condition: session_manager_base and session_manager and not filter
falsepositives:
    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
    - Legitimate administrator sets up autorun keys for legitimate reason
level: medium

title: Startup Folder File Write
id: 2aa0a6b4-a865-495b-ab51-c28249537b75
related:
    - id: 28208707-fe31-437f-9a7f-4b1108b94d2e
      type: similar
status: test
description: A General detection for files being created in the Windows startup directory. This could be an indicator of persistence.
references:
    - https://github.com/OTRF/detection-hackathon-apt29/issues/12
    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.md
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2025-12-03
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains: '\Microsoft\Windows\Start Menu\Programs\StartUp'
    filter_main_update:
        - Image:
              - 'C:\Windows\System32\wuauclt.exe'
              - 'C:\Windows\uus\ARM64\wuaucltcore.exe'
        - TargetFilename|startswith:
              - 'C:\$WINDOWS.~BT\NewOS\'
              - 'C:\$WinREAgent\Scratch\Mount\'
    filter_optional_onenote:
        Image|endswith: '\ONENOTE.EXE'
        TargetFilename|endswith: '\Send to OneNote.lnk'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - FP could be caused by legitimate application writing shortcuts for example. This folder should always be inspected to make sure that all the files in there are legitimate
level: medium

title: Startup/Logon Script Added to Group Policy Object
id: 123e4e6d-b123-48f8-b261-7214938acaf0
status: test
description: |
    Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.
references:
    - https://www.elastic.co/guide/en/security/current/startup-logon-script-added-to-group-policy-object.html
author: Elastic, Josh Nickels, Marius Rothenbücher
date: 2024-09-06
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.defense-impairment
    - attack.t1484.001
    - attack.t1547
logsource:
    product: windows
    service: security
    definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
    selection_eventid:
        EventID:
            - 5136
            - 5145
    selection_attributes_main:
        AttributeLDAPDisplayName:
            - 'gPCMachineExtensionNames'
            - 'gPCUserExtensionNames'
        AttributeValue|contains: '42B5FAAE-6536-11D2-AE5A-0000F87571E3'
    selection_attributes_optional:
        AttributeValue|contains:
            - '40B6664F-4972-11D1-A7CA-0000F87571E3'
            - '40B66650-4972-11D1-A7CA-0000F87571E3'
    selection_share:
        ShareName|endswith: '\SYSVOL'
        RelativeTargetName|endswith:
            - '\scripts.ini'
            - '\psscripts.ini'
        AccessList|contains: '%%4417'
    condition: selection_eventid and (all of selection_attributes_* or selection_share)
falsepositives:
    - Legitimate execution by system administrators.
level: medium

title: Suspicious Driver Install by pnputil.exe
id: a2ea3ae7-d3d0-40a0-a55c-25a45c87cac1
status: test
description: Detects when a possible suspicious driver is being installed via pnputil.exe lolbin
references:
    - https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax
    - https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html
author: Hai Vaknin @LuxNoBulIshit, Avihay eldad  @aloneliassaf, Austin Songer @austinsonger
date: 2021-09-30
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - '-i'
            - '/install'
            - '-a'
            - '/add-driver'
            - '.inf'
        Image|endswith: '\pnputil.exe'
    condition: selection
falsepositives:
    - Pnputil.exe being used may be performed by a system administrator.
    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Pnputil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium

title: Suspicious PowerShell In Registry Run Keys
id: 8d85cf08-bf97-4260-ba49-986a2a65129c
status: test
description: Detects potential PowerShell commands or code within registry run keys
references:
    - https://github.com/frack113/atomic-red-team/blob/a9051c38de8a5320b31c7039efcbd3b56cf2d65a/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry
    - https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html
    - https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
author: frack113, Florian Roth (Nextron Systems)
date: 2022-03-17
modified: 2025-07-18
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\Software\Microsoft\Windows\CurrentVersion\Run' # Also covers "RunOnce" and "RunOnceEx"
            - '\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
            - '\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
        Details|contains:
            - 'powershell'
            - 'pwsh '
            - 'FromBase64String'
            - '.DownloadFile('
            - '.DownloadString('
            - ' -w hidden '
            - ' -w 1 '
            - '-windowstyle hidden'
            - '-window hidden'
            - ' -nop '
            - ' -encodedcommand '
            - '-ExecutionPolicy Bypass'
            - 'Invoke-Expression'
            - 'IEX ('
            - 'Invoke-Command'
            - 'ICM -'
            - 'Invoke-WebRequest'
            - 'IWR '
            - 'Invoke-RestMethod'
            - 'IRM '
            - ' -noni '
            - ' -noninteractive '
    condition: selection
falsepositives:
    - Legitimate admin or third party scripts. Baseline according to your environment
level: medium

title: System Scripts Autorun Keys Modification
id: e7a2fd40-3ae1-4a85-bf80-15cf624fb1b1
related:
    - id: 17f878b8-9968-4578-b814-c4217fc5768c
      type: obsolete
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    scripts_base:
        TargetObject|contains: '\Software\Policies\Microsoft\Windows\System\Scripts'
    scripts:
        TargetObject|contains:
            - '\Startup'
            - '\Shutdown'
            - '\Logon'
            - '\Logoff'
    filter:
        Details: '(Empty)'
    condition: scripts_base and scripts and not filter
falsepositives:
    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
    - Legitimate administrator sets up autorun keys for legitimate reason
level: medium

title: WinSock2 Autorun Keys Modification
id: d6c2ce7e-afb5-4337-9ca4-4b5254ed0565
related:
    - id: 17f878b8-9968-4578-b814-c4217fc5768c
      type: derived
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    winsock_parameters_base:
        TargetObject|contains: '\System\CurrentControlSet\Services\WinSock2\Parameters'
    winsock_parameters:
        TargetObject|contains:
            - '\Protocol_Catalog9\Catalog_Entries'
            - '\NameSpace_Catalog5\Catalog_Entries'
    filter:
        - Details: '(Empty)'
        - Image: 'C:\Windows\System32\MsiExec.exe'
        - Image: 'C:\Windows\syswow64\MsiExec.exe'
    condition: winsock_parameters_base and winsock_parameters and not filter
falsepositives:
    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
    - Legitimate administrator sets up autorun keys for legitimate reason
level: medium

title: Windows Network Access Suspicious desktop.ini Action
id: 35bc7e28-ee6b-492f-ab04-da58fcf6402e
status: test
description: Detects unusual processes accessing desktop.ini remotely over network share, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
references:
    - https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
author: Tim Shelton (HAWK.IO)
date: 2021-12-06
modified: 2022-01-16
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.009
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5145
        ObjectType: File
        RelativeTargetName|endswith: '\desktop.ini'
        AccessList|contains:
            - 'WriteData'
            - 'DELETE'
            - 'WriteDAC'
            - 'AppendData'
            - 'AddSubdirectory'
    condition: selection
falsepositives:
    - Read only access list authority
level: medium

title: Windows Terminal Profile Settings Modification By Uncommon Process
id: 9b64de98-9db3-4033-bd7a-f51430105f00
status: test
description: Detects the creation or modification of the Windows Terminal Profile settings file "settings.json" by an uncommon process.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1547.015/T1547.015.md#atomic-test-1---persistence-by-modifying-windows-terminal-profile
    - https://twitter.com/nas_bench/status/1550836225652686848
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-22
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.015
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            # Note: Add other potential common applications
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
        TargetFilename|endswith: '\AppData\Local\Packages\Microsoft.WindowsTerminal_8wekyb3d8bbwe\LocalState\settings.json'
    condition: selection
falsepositives:
    - Some false positives may occur with admin scripts that set WT settings.
level: medium

title: Winlogon Helper DLL
id: 851c506b-6b7c-4ce2-8802-c703009d03c0
status: test
description: |
    Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.
    Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are
    used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to
    load and execute malicious DLLs and/or executables.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md
author: Timur Zinniatullin, oscd.community
date: 2019-10-21
modified: 2022-07-07
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.004
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains: 'CurrentVersion\Winlogon'
    selection2:
        ScriptBlockText|contains:
            - 'Set-ItemProperty'
            - 'New-Item'
    condition: all of selection*
falsepositives:
    - Unknown
level: medium