title: Autorun Keys Modification id: 17f878b8-9968-4578-b814-c4217fc5768c description: Detects modification of autostart extensibility point (ASEP) in registry status: experimental references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys tags: - attack.persistence - attack.t1547.001 - attack.t1060 # an old one date: 2019/10/25 modified: 2020/10/13 author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community logsource: category: registry_event product: windows level: medium detection: main_selection: TargetObject|contains: - '\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStart' - '\Software\Wow6432Node\Microsoft\Command Processor\Autorun' - '\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components' - '\SOFTWARE\Microsoft\Office test\Special\Perf' - '\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnDisconnect' - '\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnConnect' - '\SYSTEM\Setup\CmdLine' - '\Software\Microsoft\Ctf\LangBarAddin' - '\Software\Microsoft\Command Processor\Autorun' - '\SOFTWARE\Microsoft\Active Setup\Installed Components' - '\SOFTWARE\Classes\Protocols\Handler' - '\SOFTWARE\Classes\Protocols\Filter' - '\SOFTWARE\Classes\Htmlfile\Shell\Open\Command\(Default)' - '\Environment\UserInitMprLogonScript' - '\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop\Scrnsave.exe' - '\Software\Microsoft\Internet Explorer\UrlSearchHooks' - '\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components' - '\Software\Classes\Clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\Inprocserver32' - '\Control Panel\Desktop\Scrnsave.exe' session_manager: TargetObject|contains: - '\System\CurrentControlSet\Control\Session Manager' session_manager_details: TargetObject|contains: - '\SetupExecute' - '\S0InitialCommand' - '\KnownDlls' - '\Execute' - '\BootExecute' - '\AppCertDlls' current_version: TargetObject|contains: - '\SOFTWARE\Microsoft\Windows\CurrentVersion' current_version_details: TargetObject|contains: - '\ShellServiceObjectDelayLoad' - '\Run' - '\Policies\System\Shell' - '\Policies\Explorer\Run' - '\Group Policy\Scripts\Startup' - '\Group Policy\Scripts\Shutdown' - '\Group Policy\Scripts\Logon' - '\Group Policy\Scripts\Logoff' - '\Explorer\ShellServiceObjects' - '\Explorer\ShellIconOverlayIdentifiers' - '\Explorer\ShellExecuteHooks' - '\Explorer\SharedTaskScheduler' - '\Explorer\Browser Helper Objects' - '\Authentication\PLAP Providers' - '\Authentication\Credential Providers' - '\Authentication\Credential Provider Filters' nt_current_version: TargetObject|contains: - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion' nt_current_version_details: TargetObject|contains: - '\Winlogon\VmApplet' - '\Winlogon\Userinit' - '\Winlogon\Taskman' - '\Winlogon\Shell' - '\Winlogon\GpExtensions' - '\Winlogon\AppSetup' - '\Winlogon\AlternateShells\AvailableShells' - '\Windows\IconServiceLib' - '\Windows\Appinit_Dlls' - '\Image File Execution Options' - '\Font Drivers' - '\Drivers32' - '\Windows\Run' - '\Windows\Load' wow_current_version: TargetObject|contains: - '\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion' wow_current_version_details: TargetObject|contains: - '\ShellServiceObjectDelayLoad' - '\Run' - '\Explorer\ShellServiceObjects' - '\Explorer\ShellIconOverlayIdentifiers' - '\Explorer\ShellExecuteHooks' - '\Explorer\SharedTaskScheduler' - '\Explorer\Browser Helper Objects' wow_nt_current_version: TargetObject|contains: - '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion' wow_nt_current_version_details: TargetObject|contains: - '\Windows\Appinit_Dlls' - '\Image File Execution Options' - '\Drivers32' wow_office: TargetObject|contains: - '\Software\Wow6432Node\Microsoft\Office' office: TargetObject|contains: - '\Software\Microsoft\Office' wow_office_details: TargetObject|contains: - '\Word\Addins' - '\PowerPoint\Addins' - '\Outlook\Addins' - '\Onenote\Addins' - '\Excel\Addins' - '\Access\Addins' wow_ie: TargetObject|contains: - '\Software\Wow6432Node\Microsoft\Internet Explorer' ie: TargetObject|contains: - '\Software\Microsoft\Internet Explorer' wow_ie_details: TargetObject|contains: - '\Toolbar' - '\Extensions' - '\Explorer Bars' wow_classes: TargetObject|contains: - '\Software\Wow6432Node\Classes' wow_classes_details: TargetObject|contains: - '\Folder\ShellEx\PropertySheetHandlers' - '\Folder\ShellEx\ExtShellFolderViews' - '\Folder\ShellEx\DragDropHandlers' - '\Folder\ShellEx\ColumnHandlers' - '\Directory\Shellex\DragDropHandlers' - '\Directory\Shellex\CopyHookHandlers' - '\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance' - '\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance' - '\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance' - '\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance' - '\AllFileSystemObjects\ShellEx\DragDropHandlers' - '\ShellEx\PropertySheetHandlers' - '\ShellEx\ContextMenuHandlers' classes: TargetObject|contains: - '\Software\Classes' classes_details: TargetObject|contains: - '\Folder\ShellEx\ExtShellFolderViews' - '\Folder\ShellEx\DragDropHandlers' - '\Folder\Shellex\ColumnHandlers' - '\Filter' - '\Exefile\Shell\Open\Command\(Default)' - '\Directory\Shellex\DragDropHandlers' - '\Directory\Shellex\CopyHookHandlers' - '\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance' - '\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance' - '\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance' - '\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance' - '\Classes\AllFileSystemObjects\ShellEx\DragDropHandlers' - '\.exe' - '\.cmd' - '\ShellEx\PropertySheetHandlers' - '\ShellEx\ContextMenuHandlers' scripts: TargetObject|contains: - '\Software\Policies\Microsoft\Windows\System\Scripts' scripts_details: TargetObject|contains: - '\Startup' - '\Shutdown' - '\Logon' - '\Logoff' winsock_parameters: TargetObject|contains: - '\System\CurrentControlSet\Services\WinSock2\Parameters' winsock_parameters_details: TargetObject|contains: - '\Protocol_Catalog9\Catalog_Entries64' - '\Protocol_Catalog9\Catalog_Entries64' - '\Protocol_Catalog9\Catalog_Entries' - '\NameSpace_Catalog5\Catalog_Entries64' - '\NameSpace_Catalog5\Catalog_Entries' system_control: TargetObject|contains: - '\SYSTEM\CurrentControlSet\Control' system_control_details: TargetObject|contains: - '\Terminal Server\WinStations\RDP-Tcp\InitialProgram' - '\Terminal Server\Wds\rdpwd\StartupPrograms' - '\SecurityProviders\SecurityProviders' - '\SafeBoot\AlternateShell' - '\Print\Providers' - '\Print\Monitors' - '\NetworkProvider\Order' - '\Lsa\Notification Packages' - '\Lsa\Authentication Packages' - '\BootVerificationProgram\ImagePath' condition: main_selection OR (session_manager AND session_manager_details) OR (current_version AND current_version_details) OR (nt_current_version AND nt_current_version_details) OR (wow_current_version AND wow_current_version_details) OR (wow_nt_current_version AND wow_nt_current_version_details) OR ((wow_office OR office) AND wow_office_details) OR ((wow_ie OR ie) AND wow_ie_details) OR (wow_classes AND wow_classes_details) OR (classes AND classes_details) OR (scripts AND scripts_details) OR (winsock_parameters AND winsock_parameters_details) OR (system_control AND system_control_details) fields: - SecurityID - ObjectName - OldValueType - NewValueType falsepositives: - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason - Legitimate administrator sets up autorun keys for legitimate reason