CurrentVersion Autorun Keys Modification

Original Source: [Sigma source]

Title: CurrentVersion Autorun Keys Modification
Status: test
Description:Detects modification of autostart extensibility point (ASEP) in registry.
References:
-https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
-https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
-https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d
-https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/
Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
Date: 2019-10-25
modified:2025-06-16
Tags:

-'attack.persistence'
-'attack.t1547.001'

Logsource:

category: registry_set
product: windows

Detection:
current_version_base:
TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion'
current_version_keys:
TargetObject|contains:
-'\ShellServiceObjectDelayLoad'
-'\Run\'
-'\RunOnce\'
-'\RunOnceEx\'
-'\RunServices\'
-'\RunServicesOnce\'
-'\Policies\System\Shell'
-'\Policies\Explorer\Run'
-'\Group Policy\Scripts\Startup'
-'\Group Policy\Scripts\Shutdown'
-'\Group Policy\Scripts\Logon'
-'\Group Policy\Scripts\Logoff'
-'\Explorer\ShellServiceObjects'
-'\Explorer\ShellIconOverlayIdentifiers'
-'\Explorer\ShellExecuteHooks'
-'\Explorer\SharedTaskScheduler'
-'\Explorer\Browser Helper Objects'
-'\Authentication\PLAP Providers'
-'\Authentication\Credential Providers'
-'\Authentication\Credential Provider Filters'

filter_all:
Details:'(Empty)' TargetObject|endswith:'\NgcFirst\ConsecutiveSwitchCount' - Image|endswith:
- '\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe'
- '\AppData\Roaming\Spotify\Spotify.exe'
- '\AppData\Local\WebEx\WebexHost.exe'
- Image:
- 'C:\WINDOWS\system32\devicecensus.exe'
- 'C:\Windows\system32\winsat.exe'
- 'C:\Program Files\Microsoft OneDrive\StandaloneUpdater\OneDriveSetup.exe'
- 'C:\Program Files\Microsoft OneDrive\Update\OneDriveSetup.exe'
- 'C:\Program Files (x86)\Microsoft OneDrive\Update\OneDriveSetup.exe'
- 'C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe'
- 'C:\Program Files\Everything\Everything.exe'
- 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
- 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
filter_logonui:
Image: 'C:\Windows\system32\LogonUI.exe'
TargetObject|contains:
-'\Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}\'
-'\Authentication\Credential Providers\{BEC09223-B018-416D-A0AC-523971B639F5}\'
-'\Authentication\Credential Providers\{8AF662BF-65A0-4D0A-A540-A338A999D36F}\'
-'\Authentication\Credential Providers\{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}\'

filter_edge:
Image|startswith:
-'C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\'
-'C:\Program Files (x86)\Microsoft\EdgeWebView\'
-'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'

filter_dropbox:
Image: 'C:\Windows\system32\regsvr32.exe'
TargetObject|contains: 'DropboxExt'
Details|endswith: 'A251-47B7-93E1-CDD82E34AF8B}'
filter_opera:
TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Opera Browser Assistant'
Details: 'C:\Program Files\Opera\assistant\browser_assistant.exe'
filter_itunes:
TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iTunesHelper'
Details: '"C:\Program Files\iTunes\iTunesHelper.exe"'
filter_zoom:
TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zoommsirepair'
Details: '"C:\Program Files\Zoom\bin\installer.exe" /repair'
filter_greenshot:
TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Greenshot'
Details: 'C:\Program Files\Greenshot\Greenshot.exe'
filter_googledrive1:
TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Run\GoogleDriveFS'
Details|startswith: 'C:\Program Files\Google\Drive File Stream\'
Details|contains: '\GoogleDriveFS.exe'
filter_googledrive2:
TargetObject|contains: 'GoogleDrive'
Details:
-'{CFE8B367-77A7-41D7-9C90-75D16D7DC6B6}'
-'{A8E52322-8734-481D-A7E2-27B309EF8D56}'
-'{C973DA94-CBDF-4E77-81D1-E5B794FBD146}'
-'{51EF1569-67EE-4AD6-9646-E726C3FFC8A2}'

filter_onedrive:
Details|startswith:
-'C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\'
-'C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\'

Details|contains: '\AppData\Local\Microsoft\OneDrive\'
filter_python:
TargetObject|contains: '\Microsoft\Windows\CurrentVersion\RunOnce\{'
Details|contains|all:
-'\AppData\Local\Package Cache\{'
-'}\python-'

Details|endswith: '.exe" /burn.runonce'
filter_officeclicktorun:
Image|startswith:
-'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
-'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'

Image|endswith: '\OfficeClickToRun.exe'
filter_defender:
Image: 'C:\Program Files\Windows Defender\MsMpEng.exe'
filter_teams:
Image|endswith: '\Microsoft\Teams\current\Teams.exe'
Details|contains: '\Microsoft\Teams\Update.exe --processStart '
filter_ctfmon:
Image: 'C:\Windows\system32\userinit.exe'
Details: 'ctfmon.exe /n'
filter_AVG:
Image|startswith: 'C:\Program Files\AVG\Antivirus\Setup\'
Details:
-'"C:\Program Files\AVG\Antivirus\AvLaunch.exe" /gui'
-'"C:\Program Files (x86)\AVG\Antivirus\AvLaunch.exe" /gui'
-'{472083B0-C522-11CF-8763-00608CC02F24}'

filter_aurora_dashboard:
Image|endswith:
-'\aurora-agent-64.exe'
-'\aurora-agent.exe'

TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Run\aurora-dashboard'
Details: 'C:\Program Files\Aurora-Agent\tools\aurora-dashboard.exe'
filter_everything:
TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Run\Everything'
Details|endswith: '\Everything\Everything.exe" -startup'
condition:all of current_version_* and not 1 of filter_*
Falsepositives:
-Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
-Legitimate administrator sets up autorun keys for legitimate reason
Level: medium

Sign Up to Personalize and Manage Your Detection

CurrentVersion Autorun Keys Modification