title: Autorun Keys Modification
id: 17f878b8-9968-4578-b814-c4217fc5768c
status: experimental
description: Detects modification of an autostart extensibility point (ASEP) in the registry.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md
    - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton
date: 2019/10/25
modified: 2021/11/11
tags:
    - attack.persistence
    - attack.t1547.001
    - attack.t1060
logsource:
    category: registry_event
    product: windows
detection:
    SELECTION_1:
        EventID: 12
    SELECTION_2:
        EventID: 13
    SELECTION_3:
        EventID: 14
    SELECTION_4:
        TargetObject: '*\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStart*'
    SELECTION_5:
        TargetObject: '*\Software\Wow6432Node\Microsoft\Command Processor\Autorun*'
    SELECTION_6:
        TargetObject: '*\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components*'
    SELECTION_7:
        TargetObject: '*\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnDisconnect*'
    SELECTION_8:
        TargetObject: '*\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnConnect*'
    SELECTION_9:
        TargetObject: '*\SYSTEM\Setup\CmdLine*'
    SELECTION_10:
        TargetObject: '*\Software\Microsoft\Ctf\LangBarAddin*'
    SELECTION_11:
        TargetObject: '*\Software\Microsoft\Command Processor\Autorun*'
    SELECTION_12:
        TargetObject: '*\SOFTWARE\Microsoft\Active Setup\Installed Components*'
    SELECTION_13:
        TargetObject: '*\SOFTWARE\Classes\Protocols\Handler*'
    SELECTION_14:
        TargetObject: '*\SOFTWARE\Classes\Protocols\Filter*'
    SELECTION_15:
        TargetObject: '*\SOFTWARE\Classes\Htmlfile\Shell\Open\Command\(Default)*'
    SELECTION_16:
        TargetObject: '*\Environment\UserInitMprLogonScript*'
    SELECTION_17:
        TargetObject: '*\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop\Scrnsave.exe*'
    SELECTION_18:
        TargetObject: '*\Software\Microsoft\Internet Explorer\UrlSearchHooks*'
    SELECTION_19:
        TargetObject: '*\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components*'
    SELECTION_20:
        TargetObject: '*\Software\Classes\Clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\Inprocserver32*'
    SELECTION_21:
        TargetObject: '*\Control Panel\Desktop\Scrnsave.exe*'
    SELECTION_22:
        TargetObject: '*\System\CurrentControlSet\Control\Session Manager*'
    SELECTION_23:
        TargetObject: '*\SetupExecute*'
    SELECTION_24:
        TargetObject: '*\S0InitialCommand*'
    SELECTION_25:
        TargetObject: '*\KnownDlls*'
    SELECTION_26:
        TargetObject: '*\Execute*'
    SELECTION_27:
        TargetObject: '*\BootExecute*'
    SELECTION_28:
        TargetObject: '*\AppCertDlls*'
    SELECTION_29:
        TargetObject: '*\SOFTWARE\Microsoft\Windows\CurrentVersion*'
    SELECTION_30:
        TargetObject: '*\ShellServiceObjectDelayLoad*'
    SELECTION_31:
        TargetObject: '*\Run*'
    SELECTION_32:
        TargetObject: '*\Policies\System\Shell*'
    SELECTION_33:
        TargetObject: '*\Policies\Explorer\Run*'
    SELECTION_34:
        TargetObject: '*\Group Policy\Scripts\Startup*'
    SELECTION_35:
        TargetObject: '*\Group Policy\Scripts\Shutdown*'
    SELECTION_36:
        TargetObject: '*\Group Policy\Scripts\Logon*'
    SELECTION_37:
        TargetObject: '*\Group Policy\Scripts\Logoff*'
    SELECTION_38:
        TargetObject: '*\Explorer\ShellServiceObjects*'
    SELECTION_39:
        TargetObject: '*\Explorer\ShellIconOverlayIdentifiers*'
    SELECTION_40:
        TargetObject: '*\Explorer\ShellExecuteHooks*'
    SELECTION_41:
        TargetObject: '*\Explorer\SharedTaskScheduler*'
    SELECTION_42:
        TargetObject: '*\Explorer\Browser Helper Objects*'
    SELECTION_43:
        TargetObject: '*\Authentication\PLAP Providers*'
    SELECTION_44:
        TargetObject: '*\Authentication\Credential Providers*'
    SELECTION_45:
        TargetObject: '*\Authentication\Credential Provider Filters*'
    SELECTION_46:
        TargetObject: '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion*'
    SELECTION_47:
        TargetObject: '*\Winlogon\VmApplet*'
    SELECTION_48:
        TargetObject: '*\Winlogon\Userinit*'
    SELECTION_49:
        TargetObject: '*\Winlogon\Taskman*'
    SELECTION_50:
        TargetObject: '*\Winlogon\Shell*'
    SELECTION_51:
        TargetObject: '*\Winlogon\GpExtensions*'
    SELECTION_52:
        TargetObject: '*\Winlogon\AppSetup*'
    SELECTION_53:
        TargetObject: '*\Winlogon\AlternateShells\AvailableShells*'
    SELECTION_54:
        TargetObject: '*\Windows\IconServiceLib*'
    SELECTION_55:
        TargetObject: '*\Windows\Appinit_Dlls*'
    SELECTION_56:
        TargetObject: '*\Image File Execution Options*'
    SELECTION_57:
        TargetObject: '*\Font Drivers*'
    SELECTION_58:
        TargetObject: '*\Drivers32*'
    SELECTION_59:
        TargetObject: '*\Windows\Run*'
    SELECTION_60:
        TargetObject: '*\Windows\Load*'
    SELECTION_61:
        TargetObject: '*\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion*'
    SELECTION_62:
        TargetObject: '*\ShellServiceObjectDelayLoad*'
    SELECTION_63:
        TargetObject: '*\Run*'
    SELECTION_64:
        TargetObject: '*\Explorer\ShellServiceObjects*'
    SELECTION_65:
        TargetObject: '*\Explorer\ShellIconOverlayIdentifiers*'
    SELECTION_66:
        TargetObject: '*\Explorer\ShellExecuteHooks*'
    SELECTION_67:
        TargetObject: '*\Explorer\SharedTaskScheduler*'
    SELECTION_68:
        TargetObject: '*\Explorer\Browser Helper Objects*'
    SELECTION_69:
        TargetObject: '*\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion*'
    SELECTION_70:
        TargetObject: '*\Windows\Appinit_Dlls*'
    SELECTION_71:
        TargetObject: '*\Image File Execution Options*'
    SELECTION_72:
        TargetObject: '*\Drivers32*'
    SELECTION_73:
        EventID: 12
    SELECTION_74:
        EventID: 13
    SELECTION_75:
        EventID: 14
    SELECTION_76:
        TargetObject: '*\Software\Wow6432Node\Microsoft\Office*'
    SELECTION_77:
        TargetObject: '*\Software\Microsoft\Office*'
    SELECTION_78:
        TargetObject: '*\Word\Addins*'
    SELECTION_79:
        TargetObject: '*\PowerPoint\Addins*'
    SELECTION_80:
        TargetObject: '*\Outlook\Addins*'
    SELECTION_81:
        TargetObject: '*\Onenote\Addins*'
    SELECTION_82:
        TargetObject: '*\Excel\Addins*'
    SELECTION_83:
        TargetObject: '*\Access\Addins*'
    SELECTION_84:
        TargetObject: '*test\Special\Perf*'
    SELECTION_85:
        EventID: 12
    SELECTION_86:
        EventID: 13
    SELECTION_87:
        EventID: 14
    SELECTION_88:
        TargetObject: '*\Software\Wow6432Node\Microsoft\Internet Explorer*'
    SELECTION_89:
        TargetObject: '*\Software\Microsoft\Internet Explorer*'
    SELECTION_90:
        TargetObject: '*\Toolbar*'
    SELECTION_91:
        TargetObject: '*\Extensions*'
    SELECTION_92:
        TargetObject: '*\Explorer Bars*'
    SELECTION_93:
        TargetObject: '*\Software\Wow6432Node\Classes*'
    SELECTION_94:
        TargetObject: '*\Folder\ShellEx\ExtShellFolderViews*'
    SELECTION_95:
        TargetObject: '*\Folder\ShellEx\DragDropHandlers*'
    SELECTION_96:
        TargetObject: '*\Folder\ShellEx\ColumnHandlers*'
    SELECTION_97:
        TargetObject: '*\Directory\Shellex\DragDropHandlers*'
    SELECTION_98:
        TargetObject: '*\Directory\Shellex\CopyHookHandlers*'
    SELECTION_99:
        TargetObject: '*\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance*'
    SELECTION_100:
        TargetObject: '*\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance*'
    SELECTION_101:
        TargetObject: '*\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance*'
    SELECTION_102:
        TargetObject: '*\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance*'
    SELECTION_103:
        TargetObject: '*\AllFileSystemObjects\ShellEx\DragDropHandlers*'
    SELECTION_104:
        TargetObject: '*\ShellEx\PropertySheetHandlers*'
    SELECTION_105:
        TargetObject: '*\ShellEx\ContextMenuHandlers*'
    SELECTION_106:
        TargetObject: '*\Software\Classes*'
    SELECTION_107:
        TargetObject: '*\Folder\ShellEx\ExtShellFolderViews*'
    SELECTION_108:
        TargetObject: '*\Folder\ShellEx\DragDropHandlers*'
    SELECTION_109:
        TargetObject: '*\Folder\Shellex\ColumnHandlers*'
    SELECTION_110:
        TargetObject: '*\Filter*'
    SELECTION_111:
        TargetObject: '*\Exefile\Shell\Open\Command\(Default)*'
    SELECTION_112:
        TargetObject: '*\Directory\Shellex\DragDropHandlers*'
    SELECTION_113:
        TargetObject: '*\Directory\Shellex\CopyHookHandlers*'
    SELECTION_114:
        TargetObject: '*\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance*'
    SELECTION_115:
        TargetObject: '*\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance*'
    SELECTION_116:
        TargetObject: '*\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance*'
    SELECTION_117:
        TargetObject: '*\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance*'
    SELECTION_118:
        TargetObject: '*\Classes\AllFileSystemObjects\ShellEx\DragDropHandlers*'
    SELECTION_119:
        TargetObject: '*\.exe*'
    SELECTION_120:
        TargetObject: '*\.cmd*'
    SELECTION_121:
        TargetObject: '*\ShellEx\PropertySheetHandlers*'
    SELECTION_122:
        TargetObject: '*\ShellEx\ContextMenuHandlers*'
    SELECTION_123:
        TargetObject: '*\Software\Policies\Microsoft\Windows\System\Scripts*'
    SELECTION_124:
        TargetObject: '*\Startup*'
    SELECTION_125:
        TargetObject: '*\Shutdown*'
    SELECTION_126:
        TargetObject: '*\Logon*'
    SELECTION_127:
        TargetObject: '*\Logoff*'
    SELECTION_128:
        TargetObject: '*\System\CurrentControlSet\Services\WinSock2\Parameters*'
    SELECTION_129:
        TargetObject: '*\Protocol_Catalog9\Catalog_Entries*'
    SELECTION_130:
        TargetObject: '*\NameSpace_Catalog5\Catalog_Entries*'
    SELECTION_131:
        TargetObject: '*\SYSTEM\CurrentControlSet\Control*'
    SELECTION_132:
        TargetObject: '*\Terminal Server\WinStations\RDP-Tcp\InitialProgram*'
    SELECTION_133:
        TargetObject: '*\Terminal Server\Wds\rdpwd\StartupPrograms*'
    SELECTION_134:
        TargetObject: '*\SecurityProviders\SecurityProviders*'
    SELECTION_135:
        TargetObject: '*\SafeBoot\AlternateShell*'
    SELECTION_136:
        TargetObject: '*\Print\Providers*'
    SELECTION_137:
        TargetObject: '*\Print\Monitors*'
    SELECTION_138:
        TargetObject: '*\NetworkProvider\Order*'
    SELECTION_139:
        TargetObject: '*\Lsa\Notification Packages*'
    SELECTION_140:
        TargetObject: '*\Lsa\Authentication Packages*'
    SELECTION_141:
        TargetObject: '*\BootVerificationProgram\ImagePath*'
    SELECTION_142:
        Details: (Empty)
    condition: >-
        ((SELECTION_1 or SELECTION_2 or SELECTION_3) and
        (((((((((((((SELECTION_4 or SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10 or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15 or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20 or SELECTION_21)
        or (SELECTION_22 and (SELECTION_23 or SELECTION_24 or SELECTION_25 or SELECTION_26 or SELECTION_27 or SELECTION_28)))
        or (SELECTION_29 and (SELECTION_30 or SELECTION_31 or SELECTION_32 or SELECTION_33 or SELECTION_34 or SELECTION_35 or SELECTION_36 or SELECTION_37 or SELECTION_38 or SELECTION_39 or SELECTION_40 or SELECTION_41 or SELECTION_42 or SELECTION_43 or SELECTION_44 or SELECTION_45)))
        or (SELECTION_46 and (SELECTION_47 or SELECTION_48 or SELECTION_49 or SELECTION_50 or SELECTION_51 or SELECTION_52 or SELECTION_53 or SELECTION_54 or SELECTION_55 or SELECTION_56 or SELECTION_57 or SELECTION_58 or SELECTION_59 or SELECTION_60)))
        or (SELECTION_61 and (SELECTION_62 or SELECTION_63 or SELECTION_64 or SELECTION_65 or SELECTION_66 or SELECTION_67 or SELECTION_68)))
        or (SELECTION_69 and (SELECTION_70 or SELECTION_71 or SELECTION_72)))
        or ((SELECTION_73 or SELECTION_74 or SELECTION_75) and (SELECTION_76 or SELECTION_77) and (SELECTION_78 or SELECTION_79 or SELECTION_80 or SELECTION_81 or SELECTION_82 or SELECTION_83 or SELECTION_84)))
        or ((SELECTION_85 or SELECTION_86 or SELECTION_87) and (SELECTION_88 or SELECTION_89) and (SELECTION_90 or SELECTION_91 or SELECTION_92)))
        or (SELECTION_93 and (SELECTION_94 or SELECTION_95 or SELECTION_96 or SELECTION_97 or SELECTION_98 or SELECTION_99 or SELECTION_100 or SELECTION_101 or SELECTION_102 or SELECTION_103 or SELECTION_104 or SELECTION_105)))
        or (SELECTION_106 and (SELECTION_107 or SELECTION_108 or SELECTION_109 or SELECTION_110 or SELECTION_111 or SELECTION_112 or SELECTION_113 or SELECTION_114 or SELECTION_115 or SELECTION_116 or SELECTION_117 or SELECTION_118 or SELECTION_119 or SELECTION_120 or SELECTION_121 or SELECTION_122)))
        or (SELECTION_123 and (SELECTION_124 or SELECTION_125 or SELECTION_126 or SELECTION_127)))
        or (SELECTION_128 and (SELECTION_129 or SELECTION_130)))
        or ((SELECTION_131 and (SELECTION_132 or SELECTION_133 or SELECTION_134 or SELECTION_135 or SELECTION_136 or SELECTION_137 or SELECTION_138 or SELECTION_139 or SELECTION_140 or SELECTION_141)) and not (SELECTION_142))))
fields:
    - SecurityID
    - ObjectName
    - OldValueType
    - NewValueType
falsepositives:
    - Legitimate software automatically (mostly during installation) sets up autorun keys for legitimate reasons
    - A legitimate administrator sets up autorun keys for legitimate reasons
level: medium
yml_filename: sysmon_asep_reg_keys_modification.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event