title: File Creation In Suspicious Directory By Msdt.EXE
id: 318557a5-150c-4c8d-b70e-a9910e199857
status: test
description: Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities
references:
    - https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd
    - https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
author: Vadim Varganov, Florian Roth (Nextron Systems)
date: 2022-08-24
modified: 2023-02-23
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
    - cve.2022-30190
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith: '\msdt.exe'
        TargetFilename|contains:
            - '\Desktop\'
            - '\Start Menu\Programs\Startup\'
            - 'C:\PerfLogs\'
            - 'C:\ProgramData\'
            - 'C:\Users\Public\'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Modify User Shell Folders Startup Value
id: 9c226817-8dc9-46c2-a58d-66655aafd7dc
related:
    - id: 8f3ab69a-aa22-4943-aa58-e0a52fdf6818
      type: similar
status: test
description: |
    Detect modification of the User Shell Folders registry values for Startup or Common Startup which could indicate persistence attempts.
    Attackers may modify User Shell Folders registry keys to point to malicious executables or scripts that will be executed during startup.
    This technique is often used to maintain persistence on a compromised system by ensuring that the malicious payload is executed automatically.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1547.001/T1547.001.md
    - https://www.welivesecurity.com/en/eset-research/muddywater-snakes-riverbank/
author: frack113, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2022-10-01
modified: 2026-01-05
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1547.001
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains:
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
        TargetObject|endswith:
            - '\Common Startup'
            - '\Startup'
    filter_main_details_null:
        Details: null
    filter_main_programdata_startup:
        Details|contains:
            - 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup'
            - '%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup'
    filter_main_userprofile_startup_1:
        Details|contains:
            - '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
            - '%%USERPROFILE%%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    filter_main_userprofile_startup_2:
        Details|contains|all:
            - 'C:\Users\'
            - '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    # Apply more filters if new legitimate paths are identified
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_susp_user_shell_folders/info.yml
simulation:
    - type: atomic-red-team
      name: Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value
      technique: T1547.001
      atomic_guid: acfef903-7662-447e-a391-9c91c2f00f7b

title: Narrator's Feedback-Hub Persistence
id: f663a6d9-9d1b-49b8-b2b1-0637914d199a
status: test
description: Detects abusing Windows 10 Narrator's Feedback-Hub
references:
    - https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html
author: Dmitriy Lifanov, oscd.community
date: 2019-10-25
modified: 2022-03-26
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_event
    product: windows
detection:
    selection1:
        EventType: DeleteValue
        TargetObject|endswith: '\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\DelegateExecute'
    selection2:
        TargetObject|endswith: '\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\(Default)'
    # Add the payload in the (Default)
    condition: 1 of selection*
falsepositives:
    - Unknown
level: high

title: New RUN Key Pointing to Suspicious Folder
id: 02ee49e2-e294-4d0f-9278-f5b3212fc588
status: experimental
description: Detects suspicious new RUN key element pointing to an executable in a suspicious folder
references:
    - https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html
    - https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2018-08-25
modified: 2025-10-06
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    selection_target:
        TargetObject|contains:
            - '\Software\Microsoft\Windows\CurrentVersion\Run'
            - '\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
            - '\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    selection_suspicious_paths_1:
        Details|contains:
            - ':\Perflogs'
            - :\ProgramData'
            - ':\Windows\Temp'
            - ':\Temp'
            - '\AppData\Local\Temp'
            - '\AppData\Roaming'
            - ':\$Recycle.bin'
            - ':\Users\Default'
            - ':\Users\public'
            - '%temp%'
            - '%tmp%'
            - '%Public%'
            - '%AppData%'
    selection_suspicious_paths_user_1:
        Details|contains: ':\Users\'
    selection_suspicious_paths_user_2:
        Details|contains:
            - '\Favorites'
            - '\Favourites'
            - '\Contacts'
            - '\Music'
            - '\Pictures'
            - '\Documents'
            - '\Photos'
    filter_main_windows_update:
        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\RunOnce\'
        Image|startswith: 'C:\Windows\SoftwareDistribution\Download\'
        Details|contains|all:
            - 'rundll32.exe '
            - 'C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32'
        Details|contains:
            - '\AppData\Local\Temp\'
            - 'C:\Windows\Temp\'
    filter_optional_spotify:
        Image|endswith:
            - 'C:\Program Files\Spotify\Spotify.exe'
            - 'C:\Program Files (x86)\Spotify\Spotify.exe'
            - '\AppData\Roaming\Spotify\Spotify.exe'
        TargetObject|endswith: 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Spotify'
        Details|endswith: 'Spotify.exe --autostart --minimized'
    condition: selection_target and (selection_suspicious_paths_1 or (all of selection_suspicious_paths_user_* )) and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Software using weird folders for updates
level: high

title: Potential Startup Shortcut Persistence Via PowerShell.EXE
id: 92fa78e7-4d39-45f1-91a3-8b23f3f1088d
status: test
description: |
    Detects PowerShell writing startup shortcuts.
    This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.
    Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.
    In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL"
references:
    - https://redcanary.com/blog/intelligence-insights-october-2021/
    - https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder
author: Christopher Peacock '@securepeacock', SCYTHE
date: 2021-10-24
modified: 2023-02-23
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        TargetFilename|contains: '\start menu\programs\startup\'
        TargetFilename|endswith: '.lnk'
    condition: selection
falsepositives:
    - Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies inidicative of malware.
level: high

title: Registry Persistence via Explorer Run Key
id: b7916c2a-fa2f-4795-9477-32b731f70f11
status: test
description: Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder
references:
    - https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/
author: Florian Roth (Nextron Systems), oscd.community
date: 2018-07-18
modified: 2023-12-11
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
        Details|contains:
            - ':\$Recycle.bin\'
            - ':\ProgramData\'
            - ':\Temp\'
            - ':\Users\Default\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp\'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Suspicious Autorun Registry Modified via WMI
id: c80e66d8-1780-48a9-b412-46663fd21ac0
status: experimental
description: |
    Detects suspicious activity where the WMIC process is used to create an autorun registry entry via reg.exe, which is often indicative of persistence mechanisms employed by malware.
references:
    - Internal Research
    - https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-17
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1547.001
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection_execution_img:
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe' # wmic process call create 'reg.exe add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Desktops /t REG_SZ /d "\"C:\Users\user\AppData\Roaming\Microsoft\tre\Desktops.exe\" random" /f'
        - ParentImage|endswith: '\wmiprvse.exe'
    selection_execution_cmd:
        CommandLine|contains|all:
            - 'reg'
            - ' add '
        CommandLine|contains:
            - '\Software\Microsoft\Windows\CurrentVersion\Run'
            - '\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
            - '\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    selection_suspicious_paths_1:
        CommandLine|contains:
            - ':\Perflogs'
            - :\ProgramData'
            - ':\Windows\Temp'
            - ':\Temp'
            - '\AppData\Local\Temp'
            - '\AppData\Roaming'
            - ':\$Recycle.bin'
            - ':\Users\Default'
            - ':\Users\public'
            - '%temp%'
            - '%tmp%'
            - '%Public%'
            - '%AppData%'
    selection_suspicious_paths_user_1:
        CommandLine|contains: ':\Users\'
    selection_suspicious_paths_user_2:
        CommandLine|contains:
            - '\Favorites'
            - '\Favourites'
            - '\Contacts'
            - '\Music'
            - '\Pictures'
            - '\Documents'
            - '\Photos'
    condition: all of selection_execution_* and (selection_suspicious_paths_1 or (all of selection_suspicious_paths_user_*))
falsepositives:
    - Legitimate administrative activity or software installations
level: high

title: Suspicious Run Key from Download
id: 9c5037d1-c568-49b3-88c7-9846a5bdc2be
status: test
description: Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories
references:
    - https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/
    - https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poude (Nextron Systems)
date: 2019-10-01
modified: 2025-02-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        Image|contains:
            - '\AppData\Local\Packages\Microsoft.Outlook_'
            - '\AppData\Local\Microsoft\Olk\Attachments\'
            - '\Downloads\'
            - '\Temporary Internet Files\Content.Outlook\'
            - '\Local Settings\Temporary Internet Files\'
        TargetObject|contains:
            - '\Software\Microsoft\Windows\CurrentVersion\Run'
            - '\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
            - '\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    condition: selection
falsepositives:
    - Software installers downloaded and used by users
level: high

title: Suspicious Startup Folder Persistence
id: 28208707-fe31-437f-9a7f-4b1108b94d2e
related:
    - id: 2aa0a6b4-a865-495b-ab51-c28249537b75
      type: similar
status: test
description: |
    Detects the creation of potentially malicious script and executable files in Windows startup folders, which is a common persistence technique used by threat actors.
    These files (.ps1, .vbs, .js, .bat, etc.) are automatically executed when a user logs in, making the Startup folder an attractive target for attackers.
    This technique is frequently observed in malvertising campaigns and malware distribution where attackers attempt to maintain long-term access to compromised systems.
references:
    - https://github.com/last-byte/PersistenceSniper
    - https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/
    - https://github.com/redcanaryco/atomic-red-team/blob/5ede8f21e42ebe37e0a6eff757dba60bcfa85859/atomics/T1547.001/T1547.001.md
author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2022-08-10
modified: 2025-10-12
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.t1204.002
    - attack.persistence
    - attack.t1547.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains: '\Windows\Start Menu\Programs\Startup\'
        TargetFilename|endswith:
            # Add or remove suspicious extensions according to your env needs
            - '.bat'
            - '.cmd'
            - '.dll'
            - '.hta'
            - '.jar'
            - '.js'
            - '.jse'
            - '.msi'
            - '.ps1'
            - '.psd1'
            - '.psm1'
            - '.scr'
            - '.url'
            - '.vba'
            - '.vbe'
            - '.vbs'
            - '.wsf'
    condition: selection
falsepositives:
    - Rare legitimate usage of some of the extensions mentioned in the rule
level: high

title: User Shell Folders Registry Modification via CommandLine
id: 8f3ab69a-aa22-4943-aa58-e0a52fdf6818
related:
    - id: 9c226817-8dc9-46c2-a58d-66655aafd7dc
      type: similar
status: experimental
description: |
    Detects modifications to User Shell Folders registry values via reg.exe or PowerShell, which could indicate persistence attempts.
    Attackers may modify User Shell Folders registry values to point to malicious executables or scripts that will be executed during startup.
    This technique is often used to maintain persistence on a compromised system by ensuring that malicious payloads are executed automatically.
references:
    - https://www.welivesecurity.com/en/eset-research/muddywater-snakes-riverbank/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-05
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.defense-impairment
    - attack.t1547.001
    - attack.t1112
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\reg.exe'
        - OriginalFileName:
              - 'powershell.exe'
              - 'pwsh.dll'
              - 'reg.exe'
    selection_cli_action:
        CommandLine|contains:
            - ' add ' # reg.exe modification
            - 'New-ItemProperty'
            - 'Set-ItemProperty'
            - 'si ' # short for Set-ItemProperty
    selection_cli_paths_root:
        CommandLine|contains:
            - '\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
            - '\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    selection_cli_paths_suffix:
        CommandLine|contains: 'Startup' # covers both 'Startup' and 'Common Startup'
    condition: all of selection_*
falsepositives:
    - Usage of reg.exe or PowerShell to modify User Shell Folders for legitimate purposes; but rare.
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_user_shell_folders_registry_modification/info.yml
simulation:
    - type: atomic-red-team
      name: Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value
      technique: T1547.001
      atomic_guid: acfef903-7662-447e-a391-9c91c2f00f7b

title: VBScript Payload Stored in Registry
id: 46490193-1b22-4c29-bdd6-5bf63907216f
status: test
description: Detects VBScript content stored into registry keys as seen being used by UNC2452 group
references:
    - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
author: Florian Roth (Nextron Systems)
date: 2021-03-05
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: 'Software\Microsoft\Windows\CurrentVersion'
        Details|contains:
            - 'vbscript:'
            - 'jscript:'
            - 'mshtml,'
            - 'RunHTMLApplication'
            - 'Execute('
            - 'CreateObject'
            - 'window.close'
    filter:
        TargetObject|contains: 'Software\Microsoft\Windows\CurrentVersion\Run'
    filter_dotnet:
        Image|endswith: '\msiexec.exe'
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\'
        Details|contains:
            - '\Microsoft.NET\Primary Interop Assemblies\Microsoft.mshtml.dll'
            - '<\Microsoft.mshtml,fileVersion='
            - '_mshtml_dll_'
            - '<\Microsoft.mshtml,culture='
    condition: selection and not 1 of filter*
falsepositives:
    - Unknown
level: high

title: WinRAR Creating Files in Startup Locations
id: 74a2b37d-fea4-41e0-9ac7-c9fbcf1f60cc
status: experimental
description: |
    Detects WinRAR creating files in Windows startup locations, which may indicate an attempt to establish persistence by adding malicious files to the Startup folder.
    This kind of behaviour has been associated with exploitation of WinRAR path traversal vulnerability CVE-2025-6218 or CVE-2025-8088.
references:
    - https://github.com/mulwareX/CVE-2025-6218-POC
    - https://x.com/0x534c/status/1944694507787710685
    - https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-16
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith:
            - '\WinRAR.exe'
            - '\Rar.exe'
        TargetFilename|contains: '\Start Menu\Programs\Startup\'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Windows Event Log Access Tampering Via Registry
id: ba226dcf-d390-4642-b9af-b534872f1156
status: experimental
description: |
    Detects changes to the Windows EventLog channel permission values. It focuses on changes to the Security Descriptor Definition Language (SDDL) string, as modifications to these values can restrict access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel. Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil".
references:
    - https://www.atomicredteam.io/atomic-red-team/atomics/T1562.002#atomic-test-8---modify-event-log-channel-access-permissions-via-registry---powershell
    - https://www.youtube.com/watch?v=uSYvHUVU8xY
    - https://learn.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-definition-language
author: X__Junior
date: 2025-01-16
modified: 2025-08-16
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.defense-impairment
    - attack.t1547.001
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    # O:SYG:SYD:(D;;0x1;;;WD)
    # O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(D;;0x1;;;WD)
    selection_key_1:
        TargetObject|contains: '\SYSTEM\CurrentControlSet\Services\EventLog\'
        TargetObject|endswith: '\CustomSD'
    selection_key_2:
        TargetObject|contains:
            - '\Policies\Microsoft\Windows\EventLog\'
            - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels'
        TargetObject|endswith: '\ChannelAccess'
    selection_details:
        - Details|contains: 'D:(D;'
        - Details|contains|all:
              - 'D:('
              - ')(D;'
    filter_main_trustedinstaller:
        Image: 'C:\Windows\servicing\TrustedInstaller.exe'
    filter_main_tiworker:
        Image|startswith: 'C:\Windows\WinSxS\'
        Image|endswith: '\TiWorker.exe'
    filter_optional_empty:
        Image: ''
    filter_optional_null:
        Image: null
    condition: 1 of selection_key_* and selection_details and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Administrative activity, still unlikely
level: high

title: Classes Autorun Keys Modification
id: 9df5f547-c86a-433e-b533-f2794357e242
related:
    - id: 17f878b8-9968-4578-b814-c4217fc5768c
      type: obsolete
status: test
description: |
    Detects modification of Windows Registry Classes keys used for persistence.
    Adversaries modify these autostart extensibility points (ASEP) to execute malicious code when file types are opened or actions are performed.
    Various legitimate software also uses these keys. Currently, this rule only filters out known legitimate software paths,
    thus it is recommended to review and tune filters for your environment to reduce false positives before deploying to production.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2025-10-22
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    selection_classes_base:
        TargetObject|contains: '\Software\Classes'
    selection_classes_target:
        TargetObject|contains:
            - '\Folder\ShellEx\ExtShellFolderViews'
            - '\Folder\ShellEx\DragDropHandlers'
            - '\Folder\Shellex\ColumnHandlers'
            - '\Filter'
            - '\Exefile\Shell\Open\Command\(Default)'
            - '\Directory\Shellex\DragDropHandlers'
            - '\Directory\Shellex\CopyHookHandlers'
            - '\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance'
            - '\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance'
            - '\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance'
            - '\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance'
            - '\Classes\AllFileSystemObjects\ShellEx\DragDropHandlers'
            - '\.exe'
            - '\.cmd'
            - '\ShellEx\PropertySheetHandlers'
            - '\ShellEx\ContextMenuHandlers'
    filter_main_drivers:
        Image: 'C:\Windows\System32\drvinst.exe'
    filter_main_empty:
        Details: '(Empty)'
    filter_main_null:
        Details: null
    filter_main_svchost:
        Image: 'C:\Windows\System32\svchost.exe'
        # If more targets are found from "svchost". Please exclude the whole image
        TargetObject|contains: '\lnkfile\shellex\ContextMenuHandlers\'
    filter_optional_msoffice:
        Details: '{807583E5-5146-11D5-A672-00B0D022E945}'
    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
    - Legitimate administrator sets up autorun keys for legitimate reason
level: medium

title: Common Autorun Keys Modification
id: f59c3faf-50f3-464b-9f4c-1b67ab512d99
related:
    - id: 17f878b8-9968-4578-b814-c4217fc5768c
      type: obsolete
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
    - https://persistence-info.github.io/Data/userinitmprlogonscript.html # UserInitMprLogonScript
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name)
date: 2019-10-25
modified: 2025-10-22
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStart'
            - '\Software\Wow6432Node\Microsoft\Command Processor\Autorun'
            - '\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components'
            - '\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnDisconnect'
            - '\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnConnect'
            - '\SYSTEM\Setup\CmdLine'
            - '\Software\Microsoft\Ctf\LangBarAddin'
            - '\Software\Microsoft\Command Processor\Autorun'
            - '\SOFTWARE\Microsoft\Active Setup\Installed Components'
            - '\SOFTWARE\Classes\Protocols\Handler'
            - '\SOFTWARE\Classes\Protocols\Filter'
            - '\SOFTWARE\Classes\Htmlfile\Shell\Open\Command\(Default)'
            - '\Environment\UserInitMprLogonScript'
            - '\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop\Scrnsave.exe'
            - '\Software\Microsoft\Internet Explorer\UrlSearchHooks'
            - '\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components'
            - '\Software\Classes\Clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\Inprocserver32'
            - '\Control Panel\Desktop\Scrnsave.exe'
    filter_main_empty:
        Details: '(Empty)'
    filter_main_null:
        Details: null
    filter_main_poqexec:
        Image: 'C:\Windows\System32\poqexec.exe'
    filter_optional_msoffice:
        - TargetObject|contains:
              - '\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\PROTOCOLS\Handler\'
              - '\ClickToRunStore\HKMU\SOFTWARE\Classes\PROTOCOLS\Handler\'
        - Details:
              - '{314111c7-a502-11d2-bbca-00c04f8ec294}'
              - '{3459B272-CC19-4448-86C9-DDC3B4B2FAD3}'
              - '{42089D2D-912D-4018-9087-2B87803E93FB}'
              - '{5504BE45-A83B-4808-900A-3A5C36E7F77A}'
              - '{807583E5-5146-11D5-A672-00B0D022E945}'
    filter_optional_chrome:
        TargetObject|contains: '\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}'
    filter_optional_edge:
        TargetObject|contains: '\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}'
    filter_optional_IE:
        TargetObject|contains: '\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}'
    filter_optional_integrator:
        Image:
            - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
            - 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
    filter_optional_office:
        Image|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
        Image|endswith: '\OfficeClickToRun.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
    - Legitimate administrator sets up autorun keys for legitimate reason
level: medium

title: CurrentControlSet Autorun Keys Modification
id: f674e36a-4b91-431e-8aef-f8a96c2aca35
related:
    - id: 17f878b8-9968-4578-b814-c4217fc5768c
      type: obsolete
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    system_control_base:
        TargetObject|contains: '\SYSTEM\CurrentControlSet\Control'
    system_control_keys:
        TargetObject|contains:
            - '\Terminal Server\WinStations\RDP-Tcp\InitialProgram'
            - '\Terminal Server\Wds\rdpwd\StartupPrograms'
            - '\SecurityProviders\SecurityProviders'
            - '\SafeBoot\AlternateShell'
            - '\Print\Providers'
            - '\Print\Monitors'
            - '\NetworkProvider\Order'
            - '\Lsa\Notification Packages'
            - '\Lsa\Authentication Packages'
            - '\BootVerificationProgram\ImagePath'
    filter_empty:
        Details: '(Empty)'
    filter_cutepdf:
        Image: 'C:\Windows\System32\spoolsv.exe'
        TargetObject|contains: '\Print\Monitors\CutePDF Writer Monitor'
        Details:
            - 'cpwmon64_v40.dll'
            - 'CutePDF Writer'
    filter_onenote:
        Image: C:\Windows\System32\spoolsv.exe
        TargetObject|contains: 'Print\Monitors\Appmon\Ports\Microsoft.Office.OneNote_'
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    filter_poqexec:
        Image: 'C:\Windows\System32\poqexec.exe'
        TargetObject|endswith: '\NetworkProvider\Order\ProviderOrder'
    filter_realvnc:
        Image: 'C:\Windows\System32\spoolsv.exe'
        TargetObject|endswith: '\Print\Monitors\MONVNC\Driver'
        Details: 'VNCpm.dll'
    condition: all of system_control_* and not 1 of filter_*
falsepositives:
    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
    - Legitimate administrator sets up autorun keys for legitimate reason
level: medium

title: CurrentVersion Autorun Keys Modification
id: 20f0ee37-5942-4e45-b7d5-c5b5db9df5cd
related:
    - id: 17f878b8-9968-4578-b814-c4217fc5768c
      type: obsolete
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
    - https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2025-10-22
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    selection_current_version_base:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion'
    selection_current_version_keys:
        TargetObject|contains:
            - '\ShellServiceObjectDelayLoad'
            - '\Run\'
            - '\RunOnce\'
            - '\RunOnceEx\'
            - '\RunServices\'
            - '\RunServicesOnce\'
            - '\Policies\System\Shell'
            - '\Policies\Explorer\Run'
            - '\Group Policy\Scripts\Startup'
            - '\Group Policy\Scripts\Shutdown'
            - '\Group Policy\Scripts\Logon'
            - '\Group Policy\Scripts\Logoff'
            - '\Explorer\ShellServiceObjects'
            - '\Explorer\ShellIconOverlayIdentifiers'
            - '\Explorer\ShellExecuteHooks'
            - '\Explorer\SharedTaskScheduler'
            - '\Explorer\Browser Helper Objects'
            - '\Authentication\PLAP Providers'
            - '\Authentication\Credential Providers'
            - '\Authentication\Credential Provider Filters'
    filter_main_generic_all:
        - Details: '(Empty)'
        - TargetObject|endswith: '\NgcFirst\ConsecutiveSwitchCount'
        - Image|endswith:
              - '\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe' # C:\Users\*\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
              - '\AppData\Roaming\Spotify\Spotify.exe'
              - '\AppData\Local\WebEx\WebexHost.exe'
        - Image:
              - 'C:\WINDOWS\system32\devicecensus.exe'
              - 'C:\Windows\system32\winsat.exe'
              - 'C:\Program Files\Microsoft OneDrive\StandaloneUpdater\OneDriveSetup.exe'
              - 'C:\Program Files (x86)\Microsoft OneDrive\StandaloneUpdater\OneDriveSetup.exe'
              - 'C:\Program Files\Microsoft OneDrive\Update\OneDriveSetup.exe'
              - 'C:\Program Files (x86)\Microsoft OneDrive\Update\OneDriveSetup.exe'
              - 'C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe'
              - 'C:\Program Files (x86)\Microsoft Office\root\integration\Addons\OneDriveSetup.exe'
              - 'C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe'
              - 'C:\Program Files\Everything\Everything.exe'
              - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
              - 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
    filter_main_null:
        Details: null
    filter_main_logonui:
        Image: 'C:\Windows\system32\LogonUI.exe'
        TargetObject|contains:
            - '\Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}\'  # PIN
            - '\Authentication\Credential Providers\{BEC09223-B018-416D-A0AC-523971B639F5}\'  # fingerprint
            - '\Authentication\Credential Providers\{8AF662BF-65A0-4D0A-A540-A338A999D36F}\'  # facial recognizion
            - '\Authentication\Credential Providers\{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}\'  # Trusted Signal (Phone proximity, Network location)
    filter_main_edge:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\'
            - 'C:\Program Files (x86)\Microsoft\EdgeWebView\'
            - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
    filter_main_defender:
        Image: 'C:\Program Files\Windows Defender\MsMpEng.exe'
    filter_main_teams:
        Image|endswith: '\Microsoft\Teams\current\Teams.exe'
        Details|contains: '\Microsoft\Teams\Update.exe --processStart '
    filter_main_ctfmon:
        Image: 'C:\Windows\system32\userinit.exe'
        Details: 'ctfmon.exe /n'
    filter_optional_dropbox:
        Image: 'C:\Windows\system32\regsvr32.exe'
        TargetObject|contains: 'DropboxExt'
        Details|endswith: 'A251-47B7-93E1-CDD82E34AF8B}'
    filter_optional_opera_1:
        TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Opera Browser Assistant'
        Details: 'C:\Program Files\Opera\assistant\browser_assistant.exe'
    filter_optional_opera_2:
        TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Run\Opera Stable'
        Details:
            - 'C:\Program Files\Opera\launcher.exe'
            - 'C:\Program Files (x86)\Opera\launcher.exe'
    filter_optional_itunes:
        TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iTunesHelper'
        Details: '"C:\Program Files\iTunes\iTunesHelper.exe"'
    filter_optional_zoom:
        TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zoommsirepair'
        Details: '"C:\Program Files\Zoom\bin\installer.exe" /repair'
    filter_optional_greenshot:
        TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Greenshot'
        Details: 'C:\Program Files\Greenshot\Greenshot.exe'
    filter_optional_googledrive1:
        TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Run\GoogleDriveFS'
        Details|startswith: 'C:\Program Files\Google\Drive File Stream\'
        Details|contains: '\GoogleDriveFS.exe'
    filter_optional_googledrive2:
        TargetObject|contains: 'GoogleDrive'
        Details:
            - '{CFE8B367-77A7-41D7-9C90-75D16D7DC6B6}'
            - '{A8E52322-8734-481D-A7E2-27B309EF8D56}'
            - '{C973DA94-CBDF-4E77-81D1-E5B794FBD146}'
            - '{51EF1569-67EE-4AD6-9646-E726C3FFC8A2}'
    filter_optional_onedrive:
        Details|startswith:
            - 'C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\'
            - 'C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\'
        Details|contains: '\AppData\Local\Microsoft\OneDrive\'
    filter_optional_python:
        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\RunOnce\{'
        Details|contains|all:
            - '\AppData\Local\Package Cache\{'
            - '}\python-'
        Details|endswith: '.exe" /burn.runonce'
    filter_optional_officeclicktorun:
        Image|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
            - 'C:\Program Files (x86)\Common Files\Microsoft Shared\ClickToRun\'
        Image|endswith: '\OfficeClickToRun.exe'
    filter_optional_teams:
        Image|endswith: '\Microsoft\Teams\current\Teams.exe'
        Details|contains: '\Microsoft\Teams\Update.exe --processStart'
    filter_optional_AVG_setup:
        Image|contains:
            - 'C:\Program Files\AVG\Antivirus\Setup\'
            - 'C:\Program Files (x86)\AVG\Antivirus\Setup\'
            - '\instup.exe'
        Details:
            - '"C:\Program Files\AVG\Antivirus\AvLaunch.exe" /gui'
            - '"C:\Program Files (x86)\AVG\Antivirus\AvLaunch.exe" /gui'
            - '{472083B0-C522-11CF-8763-00608CC02F24}'
            - '{472083B1-C522-11CF-8763-00608CC02F24}'
    filter_optional_Avast:
        Image|contains:
            - 'C:\Program Files\Avast Software\Avast\Setup\'
            - 'C:\Program Files (x86)\Avast Software\Avast\Setup\'
            - '\instup.exe'
        Details:
            - '"C:\Program Files\Avast Software\Avast\AvLaunch.exe" /gui'
            - '"C:\Program Files (x86)\Avast Software\Avast\AvLaunch.exe" /gui'
    filter_optional_AVG_avgtoolsvc:
        Image:
            - 'C:\Program Files\AVG\Antivirus\avgToolsSvc.exe'
            - 'C:\Program Files (x86)\AVG\Antivirus\avgToolsSvc.exe'
        TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\'
        Details: 'Binary Data'
    filter_optional_aurora_dashboard:
        Image|endswith:
            - '\aurora-agent-64.exe'
            - '\aurora-agent.exe'
        TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Run\aurora-dashboard'
        Details: 'C:\Program Files\Aurora-Agent\tools\aurora-dashboard.exe'
    filter_optional_everything:
        TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Run\Everything'
        Details|endswith: '\Everything\Everything.exe" -startup' # We remove the starting part as it could be installed in different locations
    filter_optional_discord:
        TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Run\Discord'
        Details|endswith: '\Discord\Update.exe --processStart Discord.exe'
    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
    - Legitimate administrator sets up autorun keys for legitimate reason
level: medium

title: CurrentVersion NT Autorun Keys Modification
id: cbf93e5d-ca6c-4722-8bea-e9119007c248
related:
    - id: 17f878b8-9968-4578-b814-c4217fc5768c
      type: obsolete
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2025-10-22
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    selection_nt_current_version_base:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    selection_nt_current_version:
        TargetObject|contains:
            - '\Winlogon\VmApplet'
            - '\Winlogon\Userinit'
            - '\Winlogon\Taskman'
            - '\Winlogon\Shell'
            - '\Winlogon\GpExtensions'
            - '\Winlogon\AppSetup'
            - '\Winlogon\AlternateShells\AvailableShells'
            - '\Windows\IconServiceLib'
            - '\Windows\Appinit_Dlls'
            - '\Image File Execution Options' # Covered in better details in 36803969-5421-41ec-b92f-8500f79c23b0
            - '\Font Drivers'
            - '\Drivers32'
            - '\Windows\Run'
            - '\Windows\Load'
    filter_main_empty:
        Details: '(Empty)'
    filter_main_null:
        Details: null
    filter_main_poqexec:
        Image: 'C:\Windows\System32\poqexec.exe'
    filter_main_legitimate_subkey:  # Legitimately used subkeys of \Image File Execution Options, which are not used for persistence (see https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/)
        TargetObject|contains: '\Image File Execution Options\'
        TargetObject|endswith:
            - '\DisableExceptionChainValidation'
            - '\MitigationOptions'
    filter_main_security_extension_dc:
        Image: 'C:\Windows\system32\svchost.exe'
        TargetObject|contains:
            - '\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\PreviousPolicyAreas'
            - '\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\MaxNoGPOListChangesInterval'
        Details:
            - 'DWORD (0x00000001)'
            - 'DWORD (0x00000009)'
            - 'DWORD (0x000003c0)'
    filter_main_runtimebroker:
        Image: 'C:\Windows\System32\RuntimeBroker.exe'
        TargetObject|contains: '\runtimebroker.exe\Microsoft.Windows.ShellExperienceHost'
    filter_optional_edge:
        Image|startswith: 'C:\Program Files (x86)\Microsoft\Temp\'
        Image|endswith: '\MicrosoftEdgeUpdate.exe'
    filter_optional_avguard:
        Image|startswith:
            - 'C:\Program Files (x86)\Avira\Antivirus\avguard.exe'
            - 'C:\Program Files\Avira\Antivirus\avguard.exe'
        TargetObject|contains: 'SOFTWARE\WOW6432Node\Avira\Antivirus\Overwrite_Keys\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\'
        TargetObject|endswith:
            - '\userinit\UseAsDefault'
            - '\shell\UseAsDefault'
        Details:
            - 'explorer.exe'
            - 'C:\Windows\system32\userinit.exe,'
    filter_optional_msoffice:
        - TargetObject|contains:
              - '\ClickToRunStore\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\'
              - '\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\'
        - Image:
              - 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
              - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
    filter_optional_officeclicktorun:
        Image|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
        Image|endswith: '\OfficeClickToRun.exe'
    filter_optional_ngen:
        Image|startswith: 'C:\Windows\Microsoft.NET\Framework'
        Image|endswith: '\ngen.exe'
    filter_optional_onedrive:
        Image|endswith: '\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe'
        TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary'
        Details|startswith: 'C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\'
        Details|endswith: '\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe"'
    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
    - Legitimate administrator sets up autorun keys for legitimate reason
level: medium

title: Direct Autorun Keys Modification
id: 24357373-078f-44ed-9ac4-6d334a668a11
status: test
description: Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2019-10-25
modified: 2026-01-05
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_cli_add:
        CommandLine|contains: 'add'     # to avoid intersection with discovery tactic rules
    selection_cli_keys:
        CommandLine|contains:           # need to improve this list, there are plenty of ASEP reg keys
            - '\software\Microsoft\Windows\CurrentVersion\Run' # Also covers the strings "RunOnce", "RunOnceEx", "RunServices", "RunServicesOnce"
            - '\software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
            - '\software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
            - '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit'
            - '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell'
            - '\software\Microsoft\Windows NT\CurrentVersion\Windows'
            - '\system\CurrentControlSet\Control\SafeBoot\AlternateShell'
    condition: all of selection_*
falsepositives:
    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.
    - Legitimate administrator sets up autorun keys for legitimate reasons.
    - Discord
level: medium

title: Internet Explorer Autorun Keys Modification
id: a80f662f-022f-4429-9b8c-b1a41aaa6688
related:
    - id: 17f878b8-9968-4578-b814-c4217fc5768c
      type: obsolete
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    ie:
        TargetObject|contains:
            - '\Software\Wow6432Node\Microsoft\Internet Explorer'
            - '\Software\Microsoft\Internet Explorer'
    ie_details:
        TargetObject|contains:
            - '\Toolbar'
            - '\Extensions'
            - '\Explorer Bars'
    filter_empty:
        Details: '(Empty)'
    filter_extensions:
        TargetObject|contains:
            - '\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}'
            - '\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}'
            - '\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}'
            - '\Extensions\{A95fe080-8f5d-11d2-a20b-00aa003c157a}'
    filter_toolbar:
        TargetObject|endswith:
            - '\Toolbar\ShellBrowser\ITBar7Layout'
            - '\Toolbar\ShowDiscussionButton'
            - '\Toolbar\Locked'
    condition: ie and ie_details and not 1 of filter_*
falsepositives:
    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
    - Legitimate administrator sets up autorun keys for legitimate reason
level: medium

title: Office Autorun Keys Modification
id: baecf8fb-edbf-429f-9ade-31fc3f22b970
related:
    - id: 17f878b8-9968-4578-b814-c4217fc5768c
      type: obsolete
status: test
description: |
    Detects modification of autostart extensibility point (ASEP) in registry. Adversaries may modify these keys to execute malicious code when Office files are opened.
    There are various legitimate add-ins that also use these keys and this filter list might not be exhaustive.
    Thus, it is recommended to review and tune filters for your environment to reduce false positives before deploying to production.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2026-01-09
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    selection_office_root:
        TargetObject|contains:
            - '\Software\Wow6432Node\Microsoft\Office'
            - '\Software\Microsoft\Office'
    selection_office_details:
        TargetObject|contains:
            - '\Word\Addins'
            - '\PowerPoint\Addins'
            - '\Outlook\Addins'
            - '\Onenote\Addins'
            - '\Excel\Addins'
            - '\Access\Addins'
            - 'test\Special\Perf'
    filter_main_empty:
        Details: '(Empty)'
    filter_main_null:
        Details: null
    filter_main_known_addins:
        Image|startswith:
            - 'C:\Program Files\Microsoft Office\'
            - 'C:\Program Files (x86)\Microsoft Office\'
            - 'C:\PROGRA~2\MICROS~2\Office'
            - 'C:\Windows\System32\msiexec.exe'
            - 'C:\Windows\SysWOW64\msiexec.exe'
            - 'C:\Windows\System32\regsvr32.exe'
            - 'C:\Windows\SysWOW64\regsvr32.exe '
        TargetObject|contains:
            # Remove any unused addins in your environment from the filter
            # Known addins for excel
            - '\Excel\Addins\AdHocReportingExcelClientLib.AdHocReportingExcelClientAddIn.1\'
            - '\Excel\Addins\ExcelPlugInShell.PowerMapConnect\'
            - '\Excel\Addins\NativeShim\'
            - '\Excel\Addins\NativeShim.InquireConnector.1\'
            - '\Excel\Addins\PowerPivotExcelClientAddIn.NativeEntry.1\'
            # Known addins for outlook
            - '\Outlook\AddIns\AccessAddin.DC\'
            - '\Outlook\AddIns\ColleagueImport.ColleagueImportAddin\'
            - '\Outlook\AddIns\EvernoteCC.EvernoteContactConnector\'
            - '\Outlook\AddIns\EvernoteOLRD.Connect\'
            # - '\Outlook\Addins\GrammarlyAddIn.Connect' # Uncomment if you use Grammarly
            - '\Outlook\Addins\\OneNote.OutlookAddin'
            - '\Outlook\Addins\DriveFSExtensionLib.Connect\' # An Outlook Add-in to talk with Google Drive
            - '\Outlook\Addins\GoogleAppsSync.Connect\' # Google Apps Sync for Microsoft Outlook
            - '\Outlook\Addins\Microsoft.VbaAddinForOutlook.1\'
            - '\Outlook\Addins\OcOffice.OcForms\'
            - '\Outlook\Addins\OscAddin.Connect\'
            - '\Outlook\Addins\OutlookChangeNotifier.Connect\'
            - '\Outlook\Addins\UCAddin.LyncAddin.1'
            - '\Outlook\Addins\UCAddin.UCAddin.1'
            - '\Outlook\Addins\UmOutlookAddin.FormRegionAddin\'
            - 'AddinTakeNotesService\FriendlyName'
    filter_main_officeclicktorun:
        Image|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
        Image|endswith: '\OfficeClickToRun.exe'
    filter_main_vsto:
        Image|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\VSTO\'
            - 'C:\Program Files (x86)\Microsoft Shared\VSTO\'
        Image|endswith: '\VSTOInstaller.exe'
    filter_optional_avg:
        Image:
            - 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
            - 'C:\Program Files\AVG\Antivirus\x86\RegSvr.exe'
        TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\'
    filter_optional_avast:
        Image:
            - 'C:\Program Files\Avast Software\Avast\RegSvr.exe'
            - 'C:\Program Files\Avast Software\Avast\x86\RegSvr.exe'
        TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Avast.AsOutExt\'
    # These filters are not exhaustive, filter can be expanded based on environment
    condition: all of selection_office_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate software or add-in installations and administrative configurations
    - Automatic registry modifications during legitimate software installations
level: medium

title: Potential Persistence Attempt Via Run Keys Using Reg.EXE
id: de587dce-915e-4218-aac4-835ca6af6f70
status: test
description: Detects suspicious command line reg.exe tool adding key to RUN key in Registry
references:
    - https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/
    - https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
    - https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2021-06-28
modified: 2025-02-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\reg.exe'
        CommandLine|contains|all:
            - 'reg'
            - ' add '
        CommandLine|contains:
            - 'Software\Microsoft\Windows\CurrentVersion\Run'
            - '\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
            - '\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    condition: selection
falsepositives:
    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.
    - Legitimate administrator sets up autorun keys for legitimate reasons.
    - Discord
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_reg_add_run_key/info.yml

title: Potential Suspicious Activity Using SeCEdit
id: c2c76b77-32be-4d1f-82c9-7e544bdfe0eb
status: test
description: Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy
references:
    - https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit
author: Janantha Marasinghe
date: 2022-11-18
modified: 2022-12-30
tags:
    - attack.collection
    - attack.discovery
    - attack.persistence
    - attack.credential-access
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.defense-impairment
    - attack.t1685.001
    - attack.t1547.001
    - attack.t1505.005
    - attack.t1556.002
    - attack.t1685
    - attack.t1574.007
    - attack.t1564.002
    - attack.t1546.008
    - attack.t1546.007
    - attack.t1547.014
    - attack.t1547.010
    - attack.t1547.002
    - attack.t1557
    - attack.t1082
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\secedit.exe'
        - OriginalFileName: 'SeCEdit'
    selection_flags_discovery:
        CommandLine|contains|all:
            - '/export'
            - '/cfg'
    selection_flags_configure:
        CommandLine|contains|all:
            - '/configure'
            - '/db'
    # filter:
    #     SubjectUserName|endswith: '$'  SubjectUserName is from event ID 4719 in the Windows Security log
    condition: selection_img and (1 of selection_flags_*)
falsepositives:
    - Legitimate administrative use
level: medium

title: Session Manager Autorun Keys Modification
id: 046218bd-e0d8-4113-a3c3-895a12b2b298
related:
    - id: 17f878b8-9968-4578-b814-c4217fc5768c
      type: obsolete
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
    - attack.t1546.009
logsource:
    category: registry_set
    product: windows
detection:
    session_manager_base:
        TargetObject|contains: '\System\CurrentControlSet\Control\Session Manager'
    session_manager:
        TargetObject|contains:
            - '\SetupExecute'
            - '\S0InitialCommand'
            - '\KnownDlls'
            - '\Execute'
            - '\BootExecute'
            - '\AppCertDlls'
    filter:
        Details: '(Empty)'
    condition: session_manager_base and session_manager and not filter
falsepositives:
    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
    - Legitimate administrator sets up autorun keys for legitimate reason
level: medium

title: Startup Folder File Write
id: 2aa0a6b4-a865-495b-ab51-c28249537b75
related:
    - id: 28208707-fe31-437f-9a7f-4b1108b94d2e
      type: similar
status: test
description: A General detection for files being created in the Windows startup directory. This could be an indicator of persistence.
references:
    - https://github.com/OTRF/detection-hackathon-apt29/issues/12
    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.md
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2025-12-03
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains: '\Microsoft\Windows\Start Menu\Programs\StartUp'
    filter_main_update:
        - Image:
              - 'C:\Windows\System32\wuauclt.exe'
              - 'C:\Windows\uus\ARM64\wuaucltcore.exe'
        - TargetFilename|startswith:
              - 'C:\$WINDOWS.~BT\NewOS\'
              - 'C:\$WinREAgent\Scratch\Mount\'
    filter_optional_onenote:
        Image|endswith: '\ONENOTE.EXE'
        TargetFilename|endswith: '\Send to OneNote.lnk'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - FP could be caused by legitimate application writing shortcuts for example. This folder should always be inspected to make sure that all the files in there are legitimate
level: medium

title: Suspicious PowerShell In Registry Run Keys
id: 8d85cf08-bf97-4260-ba49-986a2a65129c
status: test
description: Detects potential PowerShell commands or code within registry run keys
references:
    - https://github.com/frack113/atomic-red-team/blob/a9051c38de8a5320b31c7039efcbd3b56cf2d65a/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry
    - https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html
    - https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
author: frack113, Florian Roth (Nextron Systems)
date: 2022-03-17
modified: 2025-07-18
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\Software\Microsoft\Windows\CurrentVersion\Run' # Also covers "RunOnce" and "RunOnceEx"
            - '\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
            - '\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
        Details|contains:
            - 'powershell'
            - 'pwsh '
            - 'FromBase64String'
            - '.DownloadFile('
            - '.DownloadString('
            - ' -w hidden '
            - ' -w 1 '
            - '-windowstyle hidden'
            - '-window hidden'
            - ' -nop '
            - ' -encodedcommand '
            - '-ExecutionPolicy Bypass'
            - 'Invoke-Expression'
            - 'IEX ('
            - 'Invoke-Command'
            - 'ICM -'
            - 'Invoke-WebRequest'
            - 'IWR '
            - 'Invoke-RestMethod'
            - 'IRM '
            - ' -noni '
            - ' -noninteractive '
    condition: selection
falsepositives:
    - Legitimate admin or third party scripts. Baseline according to your environment
level: medium

title: System Scripts Autorun Keys Modification
id: e7a2fd40-3ae1-4a85-bf80-15cf624fb1b1
related:
    - id: 17f878b8-9968-4578-b814-c4217fc5768c
      type: obsolete
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    scripts_base:
        TargetObject|contains: '\Software\Policies\Microsoft\Windows\System\Scripts'
    scripts:
        TargetObject|contains:
            - '\Startup'
            - '\Shutdown'
            - '\Logon'
            - '\Logoff'
    filter:
        Details: '(Empty)'
    condition: scripts_base and scripts and not filter
falsepositives:
    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
    - Legitimate administrator sets up autorun keys for legitimate reason
level: medium

title: WinSock2 Autorun Keys Modification
id: d6c2ce7e-afb5-4337-9ca4-4b5254ed0565
related:
    - id: 17f878b8-9968-4578-b814-c4217fc5768c
      type: derived
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    winsock_parameters_base:
        TargetObject|contains: '\System\CurrentControlSet\Services\WinSock2\Parameters'
    winsock_parameters:
        TargetObject|contains:
            - '\Protocol_Catalog9\Catalog_Entries'
            - '\NameSpace_Catalog5\Catalog_Entries'
    filter:
        - Details: '(Empty)'
        - Image: 'C:\Windows\System32\MsiExec.exe'
        - Image: 'C:\Windows\syswow64\MsiExec.exe'
    condition: winsock_parameters_base and winsock_parameters and not filter
falsepositives:
    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
    - Legitimate administrator sets up autorun keys for legitimate reason
level: medium

title: Wow6432Node Classes Autorun Keys Modification
id: 18f2065c-d36c-464a-a748-bcf909acb2e3
related:
    - id: 17f878b8-9968-4578-b814-c4217fc5768c
      type: obsolete
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    wow_classes_base:
        TargetObject|contains: '\Software\Wow6432Node\Classes'
    wow_classes:
        TargetObject|contains:
            - '\Folder\ShellEx\ExtShellFolderViews'
            - '\Folder\ShellEx\DragDropHandlers'
            - '\Folder\ShellEx\ColumnHandlers'
            - '\Directory\Shellex\DragDropHandlers'
            - '\Directory\Shellex\CopyHookHandlers'
            - '\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance'
            - '\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance'
            - '\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance'
            - '\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance'
            - '\AllFileSystemObjects\ShellEx\DragDropHandlers'
            - '\ShellEx\PropertySheetHandlers'
            - '\ShellEx\ContextMenuHandlers'
    filter:
        Details: '(Empty)'
    condition: wow_classes_base and wow_classes and not filter
falsepositives:
    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
    - Legitimate administrator sets up autorun keys for legitimate reason
level: medium

title: Wow6432Node CurrentVersion Autorun Keys Modification
id: b29aed60-ebd1-442b-9cb5-16a1d0324adb
related:
    - id: 17f878b8-9968-4578-b814-c4217fc5768c
      type: obsolete
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
    - https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2025-12-08
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    selection_wow_current_version_base:
        TargetObject|contains: '\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion'
    selection_wow_current_version_keys:
        TargetObject|contains:
            - '\ShellServiceObjectDelayLoad'
            - '\Run\'
            - '\RunOnce\'
            - '\RunOnceEx\'
            - '\RunServices\'
            - '\RunServicesOnce\'
            - '\Explorer\ShellServiceObjects'
            - '\Explorer\ShellIconOverlayIdentifiers'
            - '\Explorer\ShellExecuteHooks'
            - '\Explorer\SharedTaskScheduler'
            - '\Explorer\Browser Helper Objects'
    filter_main_empty:
        Details: '(Empty)'
    filter_main_null:
        Details: null
    filter_main_ms_win_desktop_runtime:
        Details|startswith: '"C:\ProgramData\Package Cache\{d21a4f20-968a-4b0c-bf04-a38da5f06e41}\windowsdesktop-runtime-'
    filter_main_vcredist:
        Image|endswith: '\VC_redist.x64.exe'
        Details|endswith: '}\VC_redist.x64.exe" /burn.runonce'
    filter_main_upgrades:
        Image|startswith:
            - 'C:\ProgramData\Package Cache'
            - 'C:\Windows\Temp\'
        Image|contains:
            - '\winsdksetup.exe'
            - '\windowsdesktop-runtime-'  # C:\WINDOWS\Temp\{751E2E78-46DC-4376-9205-99219CDC34AE}\.be\windowsdesktop-runtime-6.0.12-win-x86.exe
            - '\AspNetCoreSharedFrameworkBundle-'  # "C:\ProgramData\Package Cache\{b52191c1-a9c0-4b34-9a4e-930c2dd8a540}\AspNetCoreSharedFrameworkBundle-x86.exe" /burn.runonce
        Details|endswith: ' /burn.runonce'
    filter_main_uninstallers:
        # This image path is linked with different uninstallers when running as admin unfortunately
        Image|startswith: 'C:\Windows\Installer\MSI'
        TargetObject|contains: '\Explorer\Browser Helper Objects'
    filter_main_msiexec:
        Image: 'C:\WINDOWS\system32\msiexec.exe'
        TargetObject|contains: '\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\'
    filter_main_edge:
        Image|contains|all:
            - 'C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{'
            - '\setup.exe'
    filter_optional_msoffice1:
        Image: 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe'
        TargetObject|contains: '\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\'
    filter_optional_msoffice2:
        Image:
            - 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
            - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
        TargetObject|contains: '\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\'
    filter_optional_dropbox:
        - Details|endswith: '-A251-47B7-93E1-CDD82E34AF8B}'
        - Details: 'grpconv -o'
        - Details|contains|all:
              - 'C:\Program Files'
              - '\Dropbox\Client\Dropbox.exe'
              - ' /systemstartup'
    filter_optional_evernote:
        TargetObject|endswith: '\Explorer\Browser Helper Objects\{92EF2EAD-A7CE-4424-B0DB-499CF856608E}\NoExplorer'
    filter_optional_dotnet:
        Image|contains: '\windowsdesktop-runtime-'
        TargetObject|endswith:
            - '\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{e2d1ae32-dd1d-4ad7-a298-10e42e7840fc}'
            - '\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{7037b699-7382-448c-89a7-4765961d2537}'
        Details|startswith: '"C:\ProgramData\Package Cache\'
        Details|endswith: '.exe" /burn.runonce'
    filter_optional_office:
        Image|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
        Image|endswith: '\OfficeClickToRun.exe'
    filter_optional_discord:
        TargetObject|endswith: '\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Discord'
        Details|endswith: 'Discord.exe --checkInstall'
    filter_optional_avira:
        Details|endswith: '\Avira.OE.Setup.Bundle.exe" /burn.runonce'
        Image|endswith: '\Avira.OE.Setup.Bundle.exe'
    filter_optional_avg_1:
        Image|endswith: '\instup.exe'
        TargetObject|endswith: '\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\AvRepair'
        Details|endswith: 'instup.exe" /instop:repair /wait'
    filter_optional_avg_2:
        Image|endswith: '\instup.exe'
        TargetObject|endswith:
            - '\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avg\(Default)'
            - '\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00asw\(Default)'
        Details:
            - '{472083B1-C522-11CF-8763-00608CC02F24}'
            - '{472083B0-C522-11CF-8763-00608CC02F24}'
    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
    - Legitimate administrator sets up autorun keys for legitimate reason
level: medium

title: Wow6432Node Windows NT CurrentVersion Autorun Keys Modification
id: 480421f9-417f-4d3b-9552-fd2728443ec8
related:
    - id: 17f878b8-9968-4578-b814-c4217fc5768c
      type: obsolete
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2025-10-22
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    selection_wow_nt_current_version_base:
        TargetObject|contains: '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion'
    selection_wow_nt_current_version:
        TargetObject|contains:
            - '\Windows\Appinit_Dlls'
            - '\Image File Execution Options'
            - '\Drivers32'
    filter_main_empty:
        Details: '(Empty)'
    filter_main_null:
        Details: null
    filter_main_file_exec_options:
        Details|endswith: '\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
    - Legitimate administrator sets up autorun keys for legitimate reason
level: medium