title: Registry Persistence Mechanisms
id: 36803969-5421-41ec-b92f-8500f79c23b0
description: Detects persistence registry keys
references:
    - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
date: 2018/04/11
modified: 2020/09/06
author: Karneades, Jonhnathan Ribeiro
logsource:
    category: registry_event
    product: windows
detection:
    selection_reg1:
        TargetObject|contains:
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    selection_reg2:
        - TargetObject|contains|all:
            - '\Image File Execution Options\'
            - '\GlobalFlag'
        - TargetObject|contains|all:
            - 'SilentProcessExit\'
            - '\ReportingMode'
        - TargetObject|contains|all:
            - 'SilentProcessExit\'
            - '\MonitorProcess'
    condition: selection_reg1 and selection_reg2
tags:
    - attack.privilege_escalation
    - attack.persistence
    - attack.defense_evasion
    - attack.t1183 # an old one
    - attack.t1546.012
    - car.2013-01-002
falsepositives:
    - unknown
level: critical