Detection rules › Sigma
CurrentVersion NT Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| Privilege Escalation | T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Event coverage
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 13 | RegistryEvent (Value Set) |
Rule body yaml
title: CurrentVersion NT Autorun Keys Modification
id: cbf93e5d-ca6c-4722-8bea-e9119007c248
related:
- id: 17f878b8-9968-4578-b814-c4217fc5768c
type: obsolete
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2025-10-22
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
logsource:
category: registry_set
product: windows
detection:
selection_nt_current_version_base:
TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
selection_nt_current_version:
TargetObject|contains:
- '\Winlogon\VmApplet'
- '\Winlogon\Userinit'
- '\Winlogon\Taskman'
- '\Winlogon\Shell'
- '\Winlogon\GpExtensions'
- '\Winlogon\AppSetup'
- '\Winlogon\AlternateShells\AvailableShells'
- '\Windows\IconServiceLib'
- '\Windows\Appinit_Dlls'
- '\Image File Execution Options' # Covered in better details in 36803969-5421-41ec-b92f-8500f79c23b0
- '\Font Drivers'
- '\Drivers32'
- '\Windows\Run'
- '\Windows\Load'
filter_main_empty:
Details: '(Empty)'
filter_main_null:
Details: null
filter_main_poqexec:
Image: 'C:\Windows\System32\poqexec.exe'
filter_main_legitimate_subkey: # Legitimately used subkeys of \Image File Execution Options, which are not used for persistence (see https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/)
TargetObject|contains: '\Image File Execution Options\'
TargetObject|endswith:
- '\DisableExceptionChainValidation'
- '\MitigationOptions'
filter_main_security_extension_dc:
Image: 'C:\Windows\system32\svchost.exe'
TargetObject|contains:
- '\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\PreviousPolicyAreas'
- '\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\MaxNoGPOListChangesInterval'
Details:
- 'DWORD (0x00000001)'
- 'DWORD (0x00000009)'
- 'DWORD (0x000003c0)'
filter_main_runtimebroker:
Image: 'C:\Windows\System32\RuntimeBroker.exe'
TargetObject|contains: '\runtimebroker.exe\Microsoft.Windows.ShellExperienceHost'
filter_optional_edge:
Image|startswith: 'C:\Program Files (x86)\Microsoft\Temp\'
Image|endswith: '\MicrosoftEdgeUpdate.exe'
filter_optional_avguard:
Image|startswith:
- 'C:\Program Files (x86)\Avira\Antivirus\avguard.exe'
- 'C:\Program Files\Avira\Antivirus\avguard.exe'
TargetObject|contains: 'SOFTWARE\WOW6432Node\Avira\Antivirus\Overwrite_Keys\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\'
TargetObject|endswith:
- '\userinit\UseAsDefault'
- '\shell\UseAsDefault'
Details:
- 'explorer.exe'
- 'C:\Windows\system32\userinit.exe,'
filter_optional_msoffice:
- TargetObject|contains:
- '\ClickToRunStore\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\'
- '\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\'
- Image:
- 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
- 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
filter_optional_officeclicktorun:
Image|startswith:
- 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
- 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
Image|endswith: '\OfficeClickToRun.exe'
filter_optional_ngen:
Image|startswith: 'C:\Windows\Microsoft.NET\Framework'
Image|endswith: '\ngen.exe'
filter_optional_onedrive:
Image|endswith: '\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe'
TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary'
Details|startswith: 'C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\'
Details|endswith: '\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe"'
condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
- Legitimate administrator sets up autorun keys for legitimate reason
level: medium
Stages and Predicates
Stage 0: condition
all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*Stage 1: selection_nt_current_version_base
selection_nt_current_version_base:
TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
Stage 2: selection_nt_current_version
selection_nt_current_version:
TargetObject|contains:
- '\Winlogon\VmApplet'
- '\Winlogon\Userinit'
- '\Winlogon\Taskman'
- '\Winlogon\Shell'
- '\Winlogon\GpExtensions'
- '\Winlogon\AppSetup'
- '\Winlogon\AlternateShells\AvailableShells'
- '\Windows\IconServiceLib'
- '\Windows\Appinit_Dlls'
- '\Image File Execution Options'
- '\Font Drivers'
- '\Drivers32'
- '\Windows\Run'
- '\Windows\Load'
Stage 3: not filter_main_*
filter_main_empty:
Details: '(Empty)'
filter_main_null:
Details: null
filter_main_poqexec:
Image: 'C:\Windows\System32\poqexec.exe'
filter_main_legitimate_subkey:
TargetObject|contains: '\Image File Execution Options\'
TargetObject|endswith:
- '\DisableExceptionChainValidation'
- '\MitigationOptions'
filter_main_security_extension_dc:
Image: 'C:\Windows\system32\svchost.exe'
TargetObject|contains:
- '\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\PreviousPolicyAreas'
- '\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\MaxNoGPOListChangesInterval'
Details:
- 'DWORD (0x00000001)'
- 'DWORD (0x00000009)'
- 'DWORD (0x000003c0)'
filter_main_runtimebroker:
Image: 'C:\Windows\System32\RuntimeBroker.exe'
TargetObject|contains: '\runtimebroker.exe\Microsoft.Windows.ShellExperienceHost'
Stage 4: not filter_optional_*
filter_optional_edge:
Image|startswith: 'C:\Program Files (x86)\Microsoft\Temp\'
Image|endswith: '\MicrosoftEdgeUpdate.exe'
filter_optional_avguard:
Image|startswith:
- 'C:\Program Files (x86)\Avira\Antivirus\avguard.exe'
- 'C:\Program Files\Avira\Antivirus\avguard.exe'
TargetObject|contains: 'SOFTWARE\WOW6432Node\Avira\Antivirus\Overwrite_Keys\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\'
TargetObject|endswith:
- '\userinit\UseAsDefault'
- '\shell\UseAsDefault'
Details:
- 'explorer.exe'
- 'C:\Windows\system32\userinit.exe,'
filter_optional_msoffice:
- TargetObject|contains:
- '\ClickToRunStore\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\'
- '\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\'
- Image:
- 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
- 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
filter_optional_officeclicktorun:
Image|startswith:
- 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
- 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
Image|endswith: '\OfficeClickToRun.exe'
filter_optional_ngen:
Image|startswith: 'C:\Windows\Microsoft.NET\Framework'
Image|endswith: '\ngen.exe'
filter_optional_onedrive:
Image|endswith: '\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe'
TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary'
Details|startswith: 'C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\'
Details|endswith: '\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe"'
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Field | Kind | Excluded values |
|---|---|---|
Details | eq | DWORD (0x00000001) |
Details | eq | DWORD (0x00000009) |
Details | eq | DWORD (0x000003c0) |
TargetObject | match | \Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\MaxNoGPOListChangesInterval |
TargetObject | match | \Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\PreviousPolicyAreas |
Image | eq | C:\Windows\system32\svchost.exe |
TargetObject | ends_with | \DisableExceptionChainValidation |
TargetObject | ends_with | \MitigationOptions |
TargetObject | match | \Image File Execution Options\ |
Image | eq | C:\Windows\System32\RuntimeBroker.exe |
TargetObject | match | \runtimebroker.exe\Microsoft.Windows.ShellExperienceHost |
Details | eq | (Empty) |
Details | is_null | |
Image | eq | C:\Windows\System32\poqexec.exe |
Details | eq | C:\Windows\system32\userinit.exe, |
Details | eq | explorer.exe |
Image | starts_with | C:\Program Files (x86)\Avira\Antivirus\avguard.exe |
Image | starts_with | C:\Program Files\Avira\Antivirus\avguard.exe |
TargetObject | ends_with | \shell\UseAsDefault |
TargetObject | ends_with | \userinit\UseAsDefault |
TargetObject | match | SOFTWARE\WOW6432Node\Avira\Antivirus\Overwrite_Keys\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ |
Image | starts_with | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\ |
Image | starts_with | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\ |
Image | ends_with | \OfficeClickToRun.exe |
Details | ends_with | \AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" |
Details | starts_with | C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\ |
Image | ends_with | \AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe |
TargetObject | ends_with | \Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary |
Image | ends_with | \MicrosoftEdgeUpdate.exe |
Image | starts_with | C:\Program Files (x86)\Microsoft\Temp\ |
Image | ends_with | \ngen.exe |
Image | starts_with | C:\Windows\Microsoft.NET\Framework |
Image | eq | C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe |
Image | eq | C:\Program Files\Microsoft Office\root\integration\integrator.exe |
TargetObject | match | \ClickToRunStore\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ |
TargetObject | match | \ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
TargetObject | match |
|