detection.wiki

Detection rules › Sigma

CurrentControlSet Autorun Keys Modification

Status
test
Severity
medium
Log source
product windows, category registry_set
Author
Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
Source
github.com/SigmaHQ/sigma

Detects modification of autostart extensibility point (ASEP) in registry.

MITRE ATT&CK coverage

TacticTechniques
PersistenceT1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Privilege EscalationT1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Event coverage

ProviderEventTitle
SysmonEvent ID 13RegistryEvent (Value Set)

Rule body yaml

title: CurrentControlSet Autorun Keys Modification
id: f674e36a-4b91-431e-8aef-f8a96c2aca35
related:
    - id: 17f878b8-9968-4578-b814-c4217fc5768c
      type: obsolete
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    system_control_base:
        TargetObject|contains: '\SYSTEM\CurrentControlSet\Control'
    system_control_keys:
        TargetObject|contains:
            - '\Terminal Server\WinStations\RDP-Tcp\InitialProgram'
            - '\Terminal Server\Wds\rdpwd\StartupPrograms'
            - '\SecurityProviders\SecurityProviders'
            - '\SafeBoot\AlternateShell'
            - '\Print\Providers'
            - '\Print\Monitors'
            - '\NetworkProvider\Order'
            - '\Lsa\Notification Packages'
            - '\Lsa\Authentication Packages'
            - '\BootVerificationProgram\ImagePath'
    filter_empty:
        Details: '(Empty)'
    filter_cutepdf:
        Image: 'C:\Windows\System32\spoolsv.exe'
        TargetObject|contains: '\Print\Monitors\CutePDF Writer Monitor'
        Details:
            - 'cpwmon64_v40.dll'
            - 'CutePDF Writer'
    filter_onenote:
        Image: C:\Windows\System32\spoolsv.exe
        TargetObject|contains: 'Print\Monitors\Appmon\Ports\Microsoft.Office.OneNote_'
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    filter_poqexec:
        Image: 'C:\Windows\System32\poqexec.exe'
        TargetObject|endswith: '\NetworkProvider\Order\ProviderOrder'
    filter_realvnc:
        Image: 'C:\Windows\System32\spoolsv.exe'
        TargetObject|endswith: '\Print\Monitors\MONVNC\Driver'
        Details: 'VNCpm.dll'
    condition: all of system_control_* and not 1 of filter_*
falsepositives:
    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
    - Legitimate administrator sets up autorun keys for legitimate reason
level: medium

Stages and Predicates

Stage 0: condition

all of system_control_* and not 1 of filter_*

Stage 1: system_control_base

system_control_base:
    TargetObject|contains: '\SYSTEM\CurrentControlSet\Control'

Stage 2: system_control_keys

system_control_keys:
    TargetObject|contains:
        - '\Terminal Server\WinStations\RDP-Tcp\InitialProgram'
        - '\Terminal Server\Wds\rdpwd\StartupPrograms'
        - '\SecurityProviders\SecurityProviders'
        - '\SafeBoot\AlternateShell'
        - '\Print\Providers'
        - '\Print\Monitors'
        - '\NetworkProvider\Order'
        - '\Lsa\Notification Packages'
        - '\Lsa\Authentication Packages'
        - '\BootVerificationProgram\ImagePath'

Stage 3: not filter_*

filter_empty:
    Details: '(Empty)'
filter_cutepdf:
    Image: 'C:\Windows\System32\spoolsv.exe'
    TargetObject|contains: '\Print\Monitors\CutePDF Writer Monitor'
    Details:
        - 'cpwmon64_v40.dll'
        - 'CutePDF Writer'
filter_onenote:
    Image: C:\Windows\System32\spoolsv.exe
    TargetObject|contains: 'Print\Monitors\Appmon\Ports\Microsoft.Office.OneNote_'
    User|contains:
        - 'AUTHORI'
        - 'AUTORI'
filter_poqexec:
    Image: 'C:\Windows\System32\poqexec.exe'
    TargetObject|endswith: '\NetworkProvider\Order\ProviderOrder'
filter_realvnc:
    Image: 'C:\Windows\System32\spoolsv.exe'
    TargetObject|endswith: '\Print\Monitors\MONVNC\Driver'
    Details: 'VNCpm.dll'

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

FieldKindExcluded values
DetailseqCutePDF Writer
Detailseqcpwmon64_v40.dll
ImageeqC:\Windows\System32\spoolsv.exe
TargetObjectmatch\Print\Monitors\CutePDF Writer Monitor
UsermatchAUTHORI
UsermatchAUTORI
ImageeqC:\Windows\System32\spoolsv.exe
TargetObjectmatchPrint\Monitors\Appmon\Ports\Microsoft.Office.OneNote_
DetailseqVNCpm.dll
ImageeqC:\Windows\System32\spoolsv.exe
TargetObjectends_with\Print\Monitors\MONVNC\Driver
ImageeqC:\Windows\System32\poqexec.exe
TargetObjectends_with\NetworkProvider\Order\ProviderOrder
Detailseq(Empty)

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
TargetObjectmatch
  • \BootVerificationProgram\ImagePath
  • \Lsa\Authentication Packages
  • \Lsa\Notification Packages
  • \NetworkProvider\Order
  • \Print\Monitors
  • \Print\Providers
  • \SYSTEM\CurrentControlSet\Control
  • \SafeBoot\AlternateShell
  • \SecurityProviders\SecurityProviders
  • \Terminal Server\Wds\rdpwd\StartupPrograms
  • \Terminal Server\WinStations\RDP-Tcp\InitialProgram