SigmaHQ/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml

title: Autorun Keys Modification
id: 17f878b8-9968-4578-b814-c4217fc5768c
description: Detects modification of autostart extensibility point (ASEP) in registry
status: experimental
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml
    - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
tags:
    - attack.persistence
    - attack.t1547.001
    - attack.t1060      # an old one
date: 2019/10/25
modified: 2020/10/13
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community
logsource:
    category: registry_event
    product: windows 
level: medium
detection:
    main_selection: 
        TargetObject|contains:
            - '\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStart'
            - '\Software\Wow6432Node\Microsoft\Command Processor\Autorun'
            - '\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components'
            - '\SOFTWARE\Microsoft\Office test\Special\Perf'
            - '\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnDisconnect'
            - '\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnConnect'
            - '\SYSTEM\Setup\CmdLine'
            - '\Software\Microsoft\Ctf\LangBarAddin'
            - '\Software\Microsoft\Command Processor\Autorun'
            - '\SOFTWARE\Microsoft\Active Setup\Installed Components'
            - '\SOFTWARE\Classes\Protocols\Handler'
            - '\SOFTWARE\Classes\Protocols\Filter'
            - '\SOFTWARE\Classes\Htmlfile\Shell\Open\Command\(Default)'
            - '\Environment\UserInitMprLogonScript'
            - '\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop\Scrnsave.exe'
            - '\Software\Microsoft\Internet Explorer\UrlSearchHooks'
            - '\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components'
            - '\Software\Classes\Clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\Inprocserver32'
            - '\Control Panel\Desktop\Scrnsave.exe'
    session_manager:
        TargetObject|contains:
            - '\System\CurrentControlSet\Control\Session Manager'
    session_manager_details:
        TargetObject|contains:
            - '\SetupExecute'
            - '\S0InitialCommand'
            - '\KnownDlls'
            - '\Execute'
            - '\BootExecute'
            - '\AppCertDlls'
    current_version:
        TargetObject|contains:
            - '\SOFTWARE\Microsoft\Windows\CurrentVersion'
    current_version_details:
        TargetObject|contains:
            - '\ShellServiceObjectDelayLoad'
            - '\Run'
            - '\Policies\System\Shell'
            - '\Policies\Explorer\Run'
            - '\Group Policy\Scripts\Startup'
            - '\Group Policy\Scripts\Shutdown'
            - '\Group Policy\Scripts\Logon'
            - '\Group Policy\Scripts\Logoff'
            - '\Explorer\ShellServiceObjects'
            - '\Explorer\ShellIconOverlayIdentifiers'
            - '\Explorer\ShellExecuteHooks'
            - '\Explorer\SharedTaskScheduler'
            - '\Explorer\Browser Helper Objects'
            - '\Authentication\PLAP Providers'
            - '\Authentication\Credential Providers'
            - '\Authentication\Credential Provider Filters'
    nt_current_version:
        TargetObject|contains:
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    nt_current_version_details:
        TargetObject|contains:
            - '\Winlogon\VmApplet'
            - '\Winlogon\Userinit'
            - '\Winlogon\Taskman'
            - '\Winlogon\Shell'
            - '\Winlogon\GpExtensions'
            - '\Winlogon\AppSetup'
            - '\Winlogon\AlternateShells\AvailableShells'
            - '\Windows\IconServiceLib'
            - '\Windows\Appinit_Dlls'
            - '\Image File Execution Options'
            - '\Font Drivers'
            - '\Drivers32'
            - '\Windows\Run'
            - '\Windows\Load'
    wow_current_version:
        TargetObject|contains:
            - '\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion'
    wow_current_version_details:
        TargetObject|contains:
            - '\ShellServiceObjectDelayLoad'
            - '\Run'
            - '\Explorer\ShellServiceObjects'
            - '\Explorer\ShellIconOverlayIdentifiers'
            - '\Explorer\ShellExecuteHooks'
            - '\Explorer\SharedTaskScheduler'
            - '\Explorer\Browser Helper Objects'
    wow_nt_current_version:
        TargetObject|contains:
            - '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion'
    wow_nt_current_version_details:
        TargetObject|contains:
            - '\Windows\Appinit_Dlls'
            - '\Image File Execution Options'
            - '\Drivers32'
    wow_office: 
        TargetObject|contains:
            - '\Software\Wow6432Node\Microsoft\Office'
    office: 
        TargetObject|contains:
            - '\Software\Microsoft\Office'
    wow_office_details:
        TargetObject|contains:
            - '\Word\Addins'
            - '\PowerPoint\Addins'
            - '\Outlook\Addins'
            - '\Onenote\Addins'
            - '\Excel\Addins'
            - '\Access\Addins'
    wow_ie: 
        TargetObject|contains:
            - '\Software\Wow6432Node\Microsoft\Internet Explorer'
    ie:
        TargetObject|contains:
            - '\Software\Microsoft\Internet Explorer'
    wow_ie_details:
        TargetObject|contains:
            - '\Toolbar'
            - '\Extensions'
            - '\Explorer Bars'
    wow_classes:
        TargetObject|contains:
            - '\Software\Wow6432Node\Classes'
    wow_classes_details:
        TargetObject|contains:
            - '\Folder\ShellEx\PropertySheetHandlers'
            - '\Folder\ShellEx\ExtShellFolderViews'
            - '\Folder\ShellEx\DragDropHandlers'
            - '\Folder\ShellEx\ColumnHandlers'
            - '\Directory\Shellex\DragDropHandlers'
            - '\Directory\Shellex\CopyHookHandlers'
            - '\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance'
            - '\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance'
            - '\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance'
            - '\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance'
            - '\AllFileSystemObjects\ShellEx\DragDropHandlers'
            - '\ShellEx\PropertySheetHandlers'
            - '\ShellEx\ContextMenuHandlers'
    classes:
        TargetObject|contains:
            - '\Software\Classes'
    classes_details:
        TargetObject|contains:
            - '\Folder\ShellEx\ExtShellFolderViews'
            - '\Folder\ShellEx\DragDropHandlers'
            - '\Folder\Shellex\ColumnHandlers'
            - '\Filter'
            - '\Exefile\Shell\Open\Command\(Default)'
            - '\Directory\Shellex\DragDropHandlers'
            - '\Directory\Shellex\CopyHookHandlers'
            - '\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance'
            - '\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance'
            - '\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance'
            - '\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance'
            - '\Classes\AllFileSystemObjects\ShellEx\DragDropHandlers'
            - '\.exe'
            - '\.cmd'
            - '\ShellEx\PropertySheetHandlers'
            - '\ShellEx\ContextMenuHandlers'
    scripts:
        TargetObject|contains:
            - '\Software\Policies\Microsoft\Windows\System\Scripts'
    scripts_details:
        TargetObject|contains:
            - '\Startup'
            - '\Shutdown'
            - '\Logon'
            - '\Logoff'
    winsock_parameters:
        TargetObject|contains:
            - '\System\CurrentControlSet\Services\WinSock2\Parameters'
    winsock_parameters_details:
        TargetObject|contains:
            - '\Protocol_Catalog9\Catalog_Entries64'
            - '\Protocol_Catalog9\Catalog_Entries64'
            - '\Protocol_Catalog9\Catalog_Entries'
            - '\NameSpace_Catalog5\Catalog_Entries64'
            - '\NameSpace_Catalog5\Catalog_Entries'
    system_control:
        TargetObject|contains:
            - '\SYSTEM\CurrentControlSet\Control'
    system_control_details:
        TargetObject|contains:
            - '\Terminal Server\WinStations\RDP-Tcp\InitialProgram'
            - '\Terminal Server\Wds\rdpwd\StartupPrograms'
            - '\SecurityProviders\SecurityProviders'
            - '\SafeBoot\AlternateShell'
            - '\Print\Providers'
            - '\Print\Monitors'
            - '\NetworkProvider\Order'
            - '\Lsa\Notification Packages'
            - '\Lsa\Authentication Packages'
            - '\BootVerificationProgram\ImagePath'
    condition: main_selection OR (session_manager AND session_manager_details) OR (current_version AND current_version_details) OR (nt_current_version AND nt_current_version_details) OR (wow_current_version AND wow_current_version_details) OR (wow_nt_current_version AND wow_nt_current_version_details) OR ((wow_office OR office) AND wow_office_details) OR ((wow_ie OR ie) AND wow_ie_details) OR (wow_classes AND wow_classes_details) OR (classes AND classes_details) OR (scripts AND scripts_details) OR (winsock_parameters AND winsock_parameters_details) OR (system_control AND system_control_details)
fields:
    - SecurityID
    - ObjectName
    - OldValueType
    - NewValueType
falsepositives:
    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
    - Legitimate administrator sets up autorun keys for legitimate reason
Added rules files split into folders 2020-06-10 14:32:30 +00:00			`title: Autorun Keys Modification`
			`id: 17f878b8-9968-4578-b814-c4217fc5768c`
			`description: Detects modification of autostart extensibility point (ASEP) in registry`
			`status: experimental`
			`references:`
			`- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml`
Updated Reference and Detection 2020-10-15 09:35:14 +00:00			`- https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns`
Changed to Placeholders Usage A query was too big to pass a test, so I changed logic to placeholders usage. 2020-11-02 21:56:42 +00:00			`- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys`
Added rules files split into folders 2020-06-10 14:32:30 +00:00			`tags:`
			`- attack.persistence`
att&ck tags review: windows/registry_event 2020-09-06 19:08:27 +00:00			`- attack.t1547.001`
Added New Registry Keys Issue #576 2020-10-13 18:03:06 +00:00			`- attack.t1060 # an old one`
			`date: 2019/10/25`
			`modified: 2020/10/13`
			`author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community`
Added rules files split into folders 2020-06-10 14:32:30 +00:00			`logsource:`
			`category: registry_event`
Added New Registry Keys Issue #576 2020-10-13 18:03:06 +00:00			`product: windows`
			`level: medium`
Added rules files split into folders 2020-06-10 14:32:30 +00:00			`detection:`
fixed optimization and references 2020-11-02 23:16:13 +00:00			`main_selection:`
			`TargetObject\|contains:`
			`- '\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStart'`
			`- '\Software\Wow6432Node\Microsoft\Command Processor\Autorun'`
			`- '\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components'`
			`- '\SOFTWARE\Microsoft\Office test\Special\Perf'`
			`- '\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnDisconnect'`
			`- '\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnConnect'`
			`- '\SYSTEM\Setup\CmdLine'`
			`- '\Software\Microsoft\Ctf\LangBarAddin'`
			`- '\Software\Microsoft\Command Processor\Autorun'`
			`- '\SOFTWARE\Microsoft\Active Setup\Installed Components'`
			`- '\SOFTWARE\Classes\Protocols\Handler'`
			`- '\SOFTWARE\Classes\Protocols\Filter'`
			`- '\SOFTWARE\Classes\Htmlfile\Shell\Open\Command\(Default)'`
			`- '\Environment\UserInitMprLogonScript'`
			`- '\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop\Scrnsave.exe'`
			`- '\Software\Microsoft\Internet Explorer\UrlSearchHooks'`
			`- '\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components'`
			`- '\Software\Classes\Clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\Inprocserver32'`
			`- '\Control Panel\Desktop\Scrnsave.exe'`
			`session_manager:`
			`TargetObject\|contains:`
			`- '\System\CurrentControlSet\Control\Session Manager'`
			`session_manager_details:`
			`TargetObject\|contains:`
			`- '\SetupExecute'`
			`- '\S0InitialCommand'`
			`- '\KnownDlls'`
			`- '\Execute'`
			`- '\BootExecute'`
			`- '\AppCertDlls'`
			`current_version:`
			`TargetObject\|contains:`
			`- '\SOFTWARE\Microsoft\Windows\CurrentVersion'`
			`current_version_details:`
			`TargetObject\|contains:`
			`- '\ShellServiceObjectDelayLoad'`
			`- '\Run'`
			`- '\Policies\System\Shell'`
			`- '\Policies\Explorer\Run'`
			`- '\Group Policy\Scripts\Startup'`
			`- '\Group Policy\Scripts\Shutdown'`
			`- '\Group Policy\Scripts\Logon'`
			`- '\Group Policy\Scripts\Logoff'`
			`- '\Explorer\ShellServiceObjects'`
			`- '\Explorer\ShellIconOverlayIdentifiers'`
			`- '\Explorer\ShellExecuteHooks'`
			`- '\Explorer\SharedTaskScheduler'`
			`- '\Explorer\Browser Helper Objects'`
			`- '\Authentication\PLAP Providers'`
			`- '\Authentication\Credential Providers'`
			`- '\Authentication\Credential Provider Filters'`
			`nt_current_version:`
			`TargetObject\|contains:`
			`- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion'`
			`nt_current_version_details:`
			`TargetObject\|contains:`
			`- '\Winlogon\VmApplet'`
			`- '\Winlogon\Userinit'`
			`- '\Winlogon\Taskman'`
			`- '\Winlogon\Shell'`
			`- '\Winlogon\GpExtensions'`
			`- '\Winlogon\AppSetup'`
			`- '\Winlogon\AlternateShells\AvailableShells'`
			`- '\Windows\IconServiceLib'`
			`- '\Windows\Appinit_Dlls'`
			`- '\Image File Execution Options'`
			`- '\Font Drivers'`
			`- '\Drivers32'`
			`- '\Windows\Run'`
			`- '\Windows\Load'`
			`wow_current_version:`
			`TargetObject\|contains:`
			`- '\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion'`
			`wow_current_version_details:`
			`TargetObject\|contains:`
			`- '\ShellServiceObjectDelayLoad'`
			`- '\Run'`
			`- '\Explorer\ShellServiceObjects'`
			`- '\Explorer\ShellIconOverlayIdentifiers'`
			`- '\Explorer\ShellExecuteHooks'`
			`- '\Explorer\SharedTaskScheduler'`
			`- '\Explorer\Browser Helper Objects'`
			`wow_nt_current_version:`
			`TargetObject\|contains:`
			`- '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion'`
			`wow_nt_current_version_details:`
			`TargetObject\|contains:`
			`- '\Windows\Appinit_Dlls'`
			`- '\Image File Execution Options'`
			`- '\Drivers32'`
			`wow_office:`
			`TargetObject\|contains:`
			`- '\Software\Wow6432Node\Microsoft\Office'`
			`office:`
			`TargetObject\|contains:`
			`- '\Software\Microsoft\Office'`
			`wow_office_details:`
			`TargetObject\|contains:`
			`- '\Word\Addins'`
			`- '\PowerPoint\Addins'`
			`- '\Outlook\Addins'`
			`- '\Onenote\Addins'`
			`- '\Excel\Addins'`
			`- '\Access\Addins'`
			`wow_ie:`
			`TargetObject\|contains:`
			`- '\Software\Wow6432Node\Microsoft\Internet Explorer'`
			`ie:`
			`TargetObject\|contains:`
			`- '\Software\Microsoft\Internet Explorer'`
			`wow_ie_details:`
			`TargetObject\|contains:`
			`- '\Toolbar'`
			`- '\Extensions'`
			`- '\Explorer Bars'`
			`wow_classes:`
			`TargetObject\|contains:`
			`- '\Software\Wow6432Node\Classes'`
			`wow_classes_details:`
			`TargetObject\|contains:`
			`- '\Folder\ShellEx\PropertySheetHandlers'`
			`- '\Folder\ShellEx\ExtShellFolderViews'`
			`- '\Folder\ShellEx\DragDropHandlers'`
			`- '\Folder\ShellEx\ColumnHandlers'`
			`- '\Directory\Shellex\DragDropHandlers'`
			`- '\Directory\Shellex\CopyHookHandlers'`
			`- '\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance'`
			`- '\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance'`
			`- '\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance'`
			`- '\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance'`
			`- '\AllFileSystemObjects\ShellEx\DragDropHandlers'`
			`- '\ShellEx\PropertySheetHandlers'`
			`- '\ShellEx\ContextMenuHandlers'`
			`classes:`
			`TargetObject\|contains:`
			`- '\Software\Classes'`
			`classes_details:`
			`TargetObject\|contains:`
			`- '\Folder\ShellEx\ExtShellFolderViews'`
			`- '\Folder\ShellEx\DragDropHandlers'`
			`- '\Folder\Shellex\ColumnHandlers'`
			`- '\Filter'`
			`- '\Exefile\Shell\Open\Command\(Default)'`
			`- '\Directory\Shellex\DragDropHandlers'`
			`- '\Directory\Shellex\CopyHookHandlers'`
			`- '\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance'`
			`- '\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance'`
			`- '\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance'`
			`- '\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance'`
			`- '\Classes\AllFileSystemObjects\ShellEx\DragDropHandlers'`
			`- '\.exe'`
			`- '\.cmd'`
			`- '\ShellEx\PropertySheetHandlers'`
			`- '\ShellEx\ContextMenuHandlers'`
			`scripts:`
			`TargetObject\|contains:`
			`- '\Software\Policies\Microsoft\Windows\System\Scripts'`
			`scripts_details:`
			`TargetObject\|contains:`
			`- '\Startup'`
			`- '\Shutdown'`
			`- '\Logon'`
			`- '\Logoff'`
			`winsock_parameters:`
			`TargetObject\|contains:`
			`- '\System\CurrentControlSet\Services\WinSock2\Parameters'`
			`winsock_parameters_details:`
			`TargetObject\|contains:`
			`- '\Protocol_Catalog9\Catalog_Entries64'`
			`- '\Protocol_Catalog9\Catalog_Entries64'`
			`- '\Protocol_Catalog9\Catalog_Entries'`
			`- '\NameSpace_Catalog5\Catalog_Entries64'`
			`- '\NameSpace_Catalog5\Catalog_Entries'`
			`system_control:`
			`TargetObject\|contains:`
			`- '\SYSTEM\CurrentControlSet\Control'`
			`system_control_details:`
			`TargetObject\|contains:`
			`- '\Terminal Server\WinStations\RDP-Tcp\InitialProgram'`
			`- '\Terminal Server\Wds\rdpwd\StartupPrograms'`
			`- '\SecurityProviders\SecurityProviders'`
			`- '\SafeBoot\AlternateShell'`
			`- '\Print\Providers'`
			`- '\Print\Monitors'`
			`- '\NetworkProvider\Order'`
			`- '\Lsa\Notification Packages'`
			`- '\Lsa\Authentication Packages'`
			`- '\BootVerificationProgram\ImagePath'`
			condition: main_selection OR (session_manager AND session_manager_details) OR (current_version AND current_version_details) OR (nt_current_version AND nt_current_version_details) OR (wow_current_version AND wow_current_version_details) OR (wow_nt_current_version AND wow_nt_current_version_details) OR ((wow_office OR office) AND wow_office_details) OR ((wow_ie OR ie) AND wow_ie_details) OR (wow_classes AND wow_classes_details) OR (classes AND classes_details) OR (scripts AND scripts_details) OR (winsock_parameters AND winsock_parameters_details) OR (system_control AND system_control_details)
Added New Registry Keys Issue #576 2020-10-13 18:03:06 +00:00			`fields:`
			`- SecurityID`
			`- ObjectName`
			`- OldValueType`
			`- NewValueType`
Added rules files split into folders 2020-06-10 14:32:30 +00:00			`falsepositives:`
			`- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason`
			`- Legitimate administrator sets up autorun keys for legitimate reason`