Techniques
Sample rules
Common Autorun Keys Modification
- source: sigma
- techniques:
- t1547
- t1547.001
Description
Detects modification of an autostart extensibility point (ASEP) in the registry.
Detection logic
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_empty:
Details: (Empty)
filter_main_null:
Details: null
filter_main_poqexec:
Image: C:\Windows\System32\poqexec.exe
filter_optional_IE:
TargetObject|contains: \Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}
filter_optional_chrome:
TargetObject|contains: \SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}
filter_optional_edge:
TargetObject|contains: \SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}
filter_optional_integrator:
Image:
- C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe
- C:\Program Files\Microsoft Office\root\integration\integrator.exe
filter_optional_msoffice:
- TargetObject|contains:
- \Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\PROTOCOLS\Handler\
- \ClickToRunStore\HKMU\SOFTWARE\Classes\PROTOCOLS\Handler\
- Details:
- '{314111c7-a502-11d2-bbca-00c04f8ec294}'
- '{3459B272-CC19-4448-86C9-DDC3B4B2FAD3}'
- '{42089D2D-912D-4018-9087-2B87803E93FB}'
- '{5504BE45-A83B-4808-900A-3A5C36E7F77A}'
- '{807583E5-5146-11D5-A672-00B0D022E945}'
filter_optional_office:
Image|endswith: \OfficeClickToRun.exe
Image|startswith:
- C:\Program Files\Common Files\Microsoft Shared\ClickToRun\
- C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\
selection:
TargetObject|contains:
- \SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStart
- \Software\Wow6432Node\Microsoft\Command Processor\Autorun
- \SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components
- \SOFTWARE\Microsoft\Windows CE Services\AutoStartOnDisconnect
- \SOFTWARE\Microsoft\Windows CE Services\AutoStartOnConnect
- \SYSTEM\Setup\CmdLine
- \Software\Microsoft\Ctf\LangBarAddin
- \Software\Microsoft\Command Processor\Autorun
- \SOFTWARE\Microsoft\Active Setup\Installed Components
- \SOFTWARE\Classes\Protocols\Handler
- \SOFTWARE\Classes\Protocols\Filter
- \SOFTWARE\Classes\Htmlfile\Shell\Open\Command\(Default)
- \Environment\UserInitMprLogonScript
- \SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop\Scrnsave.exe
- \Software\Microsoft\Internet Explorer\UrlSearchHooks
- \SOFTWARE\Microsoft\Internet Explorer\Desktop\Components
- \Software\Classes\Clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\Inprocserver32
- \Control Panel\Desktop\Scrnsave.exe
System Scripts Autorun Keys Modification
- source: sigma
- techniques:
- t1547
- t1547.001
Description
Detects modification of an autostart extensibility point (ASEP) in the registry.
Detection logic
condition: scripts_base and scripts and not filter
filter:
Details: (Empty)
scripts:
TargetObject|contains:
- \Startup
- \Shutdown
- \Logon
- \Logoff
scripts_base:
TargetObject|contains: \Software\Policies\Microsoft\Windows\System\Scripts
CurrentVersion Autorun Keys Modification
- source: sigma
- techniques:
- t1547
- t1547.001
Description
Detects modification of an autostart extensibility point (ASEP) in the registry.
Detection logic
condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_ctfmon:
Details: ctfmon.exe /n
Image: C:\Windows\system32\userinit.exe
filter_main_defender:
Image: C:\Program Files\Windows Defender\MsMpEng.exe
filter_main_edge:
Image|startswith:
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\
- C:\Program Files (x86)\Microsoft\EdgeWebView\
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
filter_main_generic_all:
- Details: (Empty)
- TargetObject|endswith: \NgcFirst\ConsecutiveSwitchCount
- Image|endswith:
- \AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
- \AppData\Roaming\Spotify\Spotify.exe
- \AppData\Local\WebEx\WebexHost.exe
- Image:
- C:\WINDOWS\system32\devicecensus.exe
- C:\Windows\system32\winsat.exe
- C:\Program Files\Microsoft OneDrive\StandaloneUpdater\OneDriveSetup.exe
- C:\Program Files (x86)\Microsoft OneDrive\StandaloneUpdater\OneDriveSetup.exe
- C:\Program Files\Microsoft OneDrive\Update\OneDriveSetup.exe
- C:\Program Files (x86)\Microsoft OneDrive\Update\OneDriveSetup.exe
- C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe
- C:\Program Files (x86)\Microsoft Office\root\integration\Addons\OneDriveSetup.exe
- C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe
- C:\Program Files\Everything\Everything.exe
- C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe
- C:\Program Files\Microsoft Office\root\integration\integrator.exe
filter_main_logonui:
Image: C:\Windows\system32\LogonUI.exe
TargetObject|contains:
- \Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}\
- \Authentication\Credential Providers\{BEC09223-B018-416D-A0AC-523971B639F5}\
- \Authentication\Credential Providers\{8AF662BF-65A0-4D0A-A540-A338A999D36F}\
- \Authentication\Credential Providers\{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}\
filter_main_null:
Details: null
filter_main_teams:
Details|contains: '\Microsoft\Teams\Update.exe --processStart '
Image|endswith: \Microsoft\Teams\current\Teams.exe
filter_optional_AVG_avgtoolsvc:
Details: Binary Data
Image:
- C:\Program Files\AVG\Antivirus\avgToolsSvc.exe
- C:\Program Files (x86)\AVG\Antivirus\avgToolsSvc.exe
TargetObject|contains: \Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\
filter_optional_AVG_setup:
Details:
- '"C:\Program Files\AVG\Antivirus\AvLaunch.exe" /gui'
- '"C:\Program Files (x86)\AVG\Antivirus\AvLaunch.exe" /gui'
- '{472083B0-C522-11CF-8763-00608CC02F24}'
- '{472083B1-C522-11CF-8763-00608CC02F24}'
Image|contains:
- C:\Program Files\AVG\Antivirus\Setup\
- C:\Program Files (x86)\AVG\Antivirus\Setup\
- \instup.exe
filter_optional_Avast:
Details:
- '"C:\Program Files\Avast Software\Avast\AvLaunch.exe" /gui'
- '"C:\Program Files (x86)\Avast Software\Avast\AvLaunch.exe" /gui'
Image|contains:
- C:\Program Files\Avast Software\Avast\Setup\
- C:\Program Files (x86)\Avast Software\Avast\Setup\
- \instup.exe
filter_optional_aurora_dashboard:
Details: C:\Program Files\Aurora-Agent\tools\aurora-dashboard.exe
Image|endswith:
- \aurora-agent-64.exe
- \aurora-agent.exe
TargetObject|endswith: \Microsoft\Windows\CurrentVersion\Run\aurora-dashboard
filter_optional_discord:
Details|endswith: \Discord\Update.exe --processStart Discord.exe
TargetObject|endswith: \Software\Microsoft\Windows\CurrentVersion\Run\Discord
filter_optional_dropbox:
Details|endswith: A251-47B7-93E1-CDD82E34AF8B}
Image: C:\Windows\system32\regsvr32.exe
TargetObject|contains: DropboxExt
filter_optional_everything:
Details|endswith: \Everything\Everything.exe" -startup
TargetObject|endswith: \Microsoft\Windows\CurrentVersion\Run\Everything
filter_optional_googledrive1:
Details|contains: \GoogleDriveFS.exe
Details|startswith: C:\Program Files\Google\Drive File Stream\
TargetObject|endswith: \Software\Microsoft\Windows\CurrentVersion\Run\GoogleDriveFS
filter_optional_googledrive2:
Details:
- '{CFE8B367-77A7-41D7-9C90-75D16D7DC6B6}'
- '{A8E52322-8734-481D-A7E2-27B309EF8D56}'
- '{C973DA94-CBDF-4E77-81D1-E5B794FBD146}'
- '{51EF1569-67EE-4AD6-9646-E726C3FFC8A2}'
TargetObject|contains: GoogleDrive
filter_optional_greenshot:
Details: C:\Program Files\Greenshot\Greenshot.exe
TargetObject|endswith: \SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Greenshot
filter_optional_itunes:
Details: '"C:\Program Files\iTunes\iTunesHelper.exe"'
TargetObject|endswith: \SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iTunesHelper
filter_optional_officeclicktorun:
Image|endswith: \OfficeClickToRun.exe
Image|startswith:
- C:\Program Files\Common Files\Microsoft Shared\ClickToRun\
- C:\Program Files (x86)\Common Files\Microsoft Shared\ClickToRun\
filter_optional_onedrive:
Details|contains: \AppData\Local\Microsoft\OneDrive\
Details|startswith:
- C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\
- C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\
filter_optional_opera_1:
Details: C:\Program Files\Opera\assistant\browser_assistant.exe
TargetObject|endswith: \SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Opera Browser Assistant
filter_optional_opera_2:
Details:
- C:\Program Files\Opera\launcher.exe
- C:\Program Files (x86)\Opera\launcher.exe
TargetObject|endswith: \Software\Microsoft\Windows\CurrentVersion\Run\Opera Stable
filter_optional_python:
Details|contains|all:
- \AppData\Local\Package Cache\{
- '}\python-'
Details|endswith: .exe" /burn.runonce
TargetObject|contains: \Microsoft\Windows\CurrentVersion\RunOnce\{
filter_optional_teams:
Details|contains: \Microsoft\Teams\Update.exe --processStart
Image|endswith: \Microsoft\Teams\current\Teams.exe
filter_optional_zoom:
Details: '"C:\Program Files\Zoom\bin\installer.exe" /repair'
TargetObject|endswith: \SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zoommsirepair
selection_current_version_base:
TargetObject|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion
selection_current_version_keys:
TargetObject|contains:
- \ShellServiceObjectDelayLoad
- \Run\
- \RunOnce\
- \RunOnceEx\
- \RunServices\
- \RunServicesOnce\
- \Policies\System\Shell
- \Policies\Explorer\Run
- \Group Policy\Scripts\Startup
- \Group Policy\Scripts\Shutdown
- \Group Policy\Scripts\Logon
- \Group Policy\Scripts\Logoff
- \Explorer\ShellServiceObjects
- \Explorer\ShellIconOverlayIdentifiers
- \Explorer\ShellExecuteHooks
- \Explorer\SharedTaskScheduler
- \Explorer\Browser Helper Objects
- \Authentication\PLAP Providers
- \Authentication\Credential Providers
- \Authentication\Credential Provider Filters
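The rules on this page state their logic in Sigma's condition language, and the difference between the Common Autorun Keys rule above (one selection, then `not 1 of filter_*` exclusions) and this CurrentVersion rule (`all of selection_*`, so the hive path and the key name must both match, plus a list-of-maps filter) is easy to misread. The Python below is an added example, not code from the Sigma project or from the rules' authors: a small evaluator that implements exactly the Sigma subset these rules use and runs hand-transcribed subsets of both rules over constructed registry value-set events. The field names Image, TargetObject and Details are Sysmon's registry event fields, which is what a registry_set logsource is normally mapped to (an assumption about the deployment, not something the page states); the GUID, SID, user name and file paths in the events are made up.

```python
"""Evaluator for the Sigma registry_set rules on this page: an added example,
not Sigma project code. It covers only the Sigma subset these rules use
(case-insensitive contains/startswith/endswith/all, map = AND, list = OR,
'null' = absent field, conditions of 'and'/'not'/'1 of x_*'/'all of x_*')."""
import fnmatch
import re

def field_matches(value, field_spec, patterns):
    """Compare one event field with a spec such as 'TargetObject|contains|all'."""
    _, *mods = field_spec.split("|")
    patterns = patterns if isinstance(patterns, list) else [patterns]
    if patterns == [None]:               # Sigma 'null': the field is absent
        return value is None
    if value is None:
        return False
    v = str(value).lower()               # Sigma string matching is case-insensitive
    op = ("contains" in mods and (lambda p: p in v)) or \
         ("startswith" in mods and v.startswith) or \
         ("endswith" in mods and v.endswith) or (lambda p: v == p)
    hits = [op(str(p).lower()) for p in patterns]
    return all(hits) if "all" in mods else any(hits)  # a list is OR unless |all

def group_matches(event, group):
    """A map is AND-ed over its fields; a list of maps is OR-ed."""
    if isinstance(group, list):
        return any(group_matches(event, m) for m in group)
    return all(field_matches(event.get(k.split("|")[0]), k, p)
               for k, p in group.items())

TERM = re.compile(r"^(not\s+)?(?:(1|all)\s+of\s+)?(\S+)$")

def evaluate(rule, event):
    """Condition = conjunction of optionally negated names or glob quantifiers."""
    groups, result = rule["detection"], True
    for term in rule["condition"].split(" and "):
        neg, quant, name = TERM.match(term.strip()).groups()
        hits = [group_matches(event, groups[g])
                for g in groups if fnmatch.fnmatchcase(g, name)]
        value = all(hits) if quant == "all" else any(hits)  # '1 of' is any()
        result = result and (not value if neg else value)
    return result

def alerts(rule, events):
    return [e["id"] for e in events if evaluate(rule, e)]

# Subset of "Common Autorun Keys Modification": one selection plus filters.
COMMON_AUTORUN = {
    "condition": "selection and not 1 of filter_main_* and not 1 of filter_optional_*",
    "detection": {
        "selection": {"TargetObject|contains": [
            r"\SOFTWARE\Microsoft\Active Setup\Installed Components",
            r"\Environment\UserInitMprLogonScript"]},
        "filter_main_empty": {"Details": "(Empty)"},
        "filter_main_null": {"Details": None},
        "filter_main_poqexec": {"Image": r"C:\Windows\System32\poqexec.exe"},
        "filter_optional_IE": {"TargetObject|contains":
            r"\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}"},
    },
}

# Subset of "CurrentVersion Autorun Keys Modification": both selection_* groups must match.
CURRENTVERSION = {
    "condition": "all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*",
    "detection": {
        "selection_current_version_base": {
            "TargetObject|contains": r"\SOFTWARE\Microsoft\Windows\CurrentVersion"},
        "selection_current_version_keys": {
            "TargetObject|contains": ["\\Run\\", "\\RunOnce\\", r"\Explorer\Browser Helper Objects"]},
        "filter_main_ctfmon": {"Details": "ctfmon.exe /n",
                               "Image": r"C:\Windows\system32\userinit.exe"},
        "filter_main_generic_all": [{"Details": "(Empty)"},      # list of maps: any one suffices
                                    {"TargetObject|endswith": r"\NgcFirst\ConsecutiveSwitchCount"}],
    },
}

# Constructed registry value-set events in Sysmon field names; GUID, SID, user and paths are made up.
EVENTS = [
    {"id": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe", "Details": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}\StubPath"},
    {"id": 2, "Image": r"C:\Windows\System32\poqexec.exe", "Details": "DWORD (0x00000001)",   # servicing stack
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}\IsInstalled"},
    {"id": 3, "Image": r"C:\Windows\System32\ie4uinit.exe", "Details": "11,0,19041,1",        # IE's own component
     "TargetObject": r"HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Version"},
    {"id": 4, "Image": r"C:\Windows\System32\reg.exe", "Details": r"C:\Users\alice\AppData\Roaming\Updater\upd.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"id": 5, "Image": r"C:\Windows\system32\userinit.exe", "Details": "ctfmon.exe /n",       # legitimate ctfmon
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe"},
    {"id": 6, "Image": r"C:\Windows\regedit.exe", "Details": "(Empty)",                       # key created, no data
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\(Default)"},
]

if __name__ == "__main__":
    print("Common Autorun Keys fires on:", alerts(COMMON_AUTORUN, EVENTS))  # [1]
    print("CurrentVersion fires on:", alerts(CURRENTVERSION, EVENTS))       # [4]
```

Two details worth checking against your own pipeline: `Details: (Empty)` matches Sysmon's literal rendering of a value with no data, while `Details: null` matches an event that lacks the field altogether, and the two are not interchangeable. Also, `1 of filter_optional_*` over zero matching groups evaluates to no match, so the negation passes; that is what makes it safe to delete an optional filter without editing the condition. For production use, convert the rules with the Sigma tooling for your SIEM rather than an evaluator like this one.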
CurrentControlSet Autorun Keys Modification
- source: sigma
- techniques:
- t1547
- t1547.001
Description
Detects modification of an autostart extensibility point (ASEP) in the registry.
Detection logic
condition: all of system_control_* and not 1 of filter_*
filter_cutepdf:
Details:
- cpwmon64_v40.dll
- CutePDF Writer
Image: C:\Windows\System32\spoolsv.exe
TargetObject|contains: \Print\Monitors\CutePDF Writer Monitor
filter_empty:
Details: (Empty)
filter_onenote:
Image: C:\Windows\System32\spoolsv.exe
TargetObject|contains: Print\Monitors\Appmon\Ports\Microsoft.Office.OneNote_
User|contains:
- AUTHORI
- AUTORI
filter_poqexec:
Image: C:\Windows\System32\poqexec.exe
TargetObject|endswith: \NetworkProvider\Order\ProviderOrder
filter_realvnc:
Details: VNCpm.dll
Image: C:\Windows\System32\spoolsv.exe
TargetObject|endswith: \Print\Monitors\MONVNC\Driver
system_control_base:
TargetObject|contains: \SYSTEM\CurrentControlSet\Control
system_control_keys:
TargetObject|contains:
- \Terminal Server\WinStations\RDP-Tcp\InitialProgram
- \Terminal Server\Wds\rdpwd\StartupPrograms
- \SecurityProviders\SecurityProviders
- \SafeBoot\AlternateShell
- \Print\Providers
- \Print\Monitors
- \NetworkProvider\Order
- \Lsa\Notification Packages
- \Lsa\Authentication Packages
- \BootVerificationProgram\ImagePath
WinSock2 Autorun Keys Modification
- source: sigma
- techniques:
- t1547
- t1547.001
Description
Detects modification of an autostart extensibility point (ASEP) in the registry.
Detection logic
condition: winsock_parameters_base and winsock_parameters and not filter
filter:
- Details: (Empty)
- Image: C:\Windows\System32\MsiExec.exe
- Image: C:\Windows\syswow64\MsiExec.exe
winsock_parameters:
TargetObject|contains:
- \Protocol_Catalog9\Catalog_Entries
- \NameSpace_Catalog5\Catalog_Entries
winsock_parameters_base:
TargetObject|contains: \System\CurrentControlSet\Services\WinSock2\Parameters
Wow6432Node Classes Autorun Keys Modification
- source: sigma
- techniques:
- t1547
- t1547.001
Description
Detects modification of an autostart extensibility point (ASEP) in the registry.
Detection logic
condition: wow_classes_base and wow_classes and not filter
filter:
Details: (Empty)
wow_classes:
TargetObject|contains:
- \Folder\ShellEx\ExtShellFolderViews
- \Folder\ShellEx\DragDropHandlers
- \Folder\ShellEx\ColumnHandlers
- \Directory\Shellex\DragDropHandlers
- \Directory\Shellex\CopyHookHandlers
- \CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance
- \CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance
- \CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance
- \CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance
- \AllFileSystemObjects\ShellEx\DragDropHandlers
- \ShellEx\PropertySheetHandlers
- \ShellEx\ContextMenuHandlers
wow_classes_base:
TargetObject|contains: \Software\Wow6432Node\Classes
Wow6432Node CurrentVersion Autorun Keys Modification
- source: sigma
- techniques:
- t1547
- t1547.001
Description
Detects modification of an autostart extensibility point (ASEP) in the registry.
Detection logic
condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_edge:
Image|contains|all:
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{
- \setup.exe
filter_main_empty:
Details: (Empty)
filter_main_ms_win_desktop_runtime:
Details|startswith: '"C:\ProgramData\Package Cache\{d21a4f20-968a-4b0c-bf04-a38da5f06e41}\windowsdesktop-runtime-'
filter_main_msiexec:
Image: C:\WINDOWS\system32\msiexec.exe
TargetObject|contains: \SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\
filter_main_null:
Details: null
filter_main_uninstallers:
Image|startswith: C:\Windows\Installer\MSI
TargetObject|contains: \Explorer\Browser Helper Objects
filter_main_upgrades:
Details|endswith: ' /burn.runonce'
Image|contains:
- \winsdksetup.exe
- \windowsdesktop-runtime-
- \AspNetCoreSharedFrameworkBundle-
Image|startswith:
- C:\ProgramData\Package Cache
- C:\Windows\Temp\
filter_main_vcredist:
Details|endswith: '}\VC_redist.x64.exe" /burn.runonce'
Image|endswith: \VC_redist.x64.exe
filter_optional_avg_1:
Details|endswith: instup.exe" /instop:repair /wait
Image|endswith: \instup.exe
TargetObject|endswith: \SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\AvRepair
filter_optional_avg_2:
Details:
- '{472083B1-C522-11CF-8763-00608CC02F24}'
- '{472083B0-C522-11CF-8763-00608CC02F24}'
Image|endswith: \instup.exe
TargetObject|endswith:
- \SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avg\(Default)
- \SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00asw\(Default)
filter_optional_avira:
Details|endswith: \Avira.OE.Setup.Bundle.exe" /burn.runonce
Image|endswith: \Avira.OE.Setup.Bundle.exe
filter_optional_discord:
Details|endswith: Discord.exe --checkInstall
TargetObject|endswith: \SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Discord
filter_optional_dotnet:
Details|endswith: .exe" /burn.runonce
Details|startswith: '"C:\ProgramData\Package Cache\'
Image|contains: \windowsdesktop-runtime-
TargetObject|endswith:
- \WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{e2d1ae32-dd1d-4ad7-a298-10e42e7840fc}
- \WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{7037b699-7382-448c-89a7-4765961d2537}
filter_optional_dropbox:
- Details|endswith: -A251-47B7-93E1-CDD82E34AF8B}
- Details: grpconv -o
- Details|contains|all:
- C:\Program Files
- \Dropbox\Client\Dropbox.exe
- ' /systemstartup'
filter_optional_evernote:
TargetObject|endswith: \Explorer\Browser Helper Objects\{92EF2EAD-A7CE-4424-B0DB-499CF856608E}\NoExplorer
filter_optional_msoffice1:
Image: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
TargetObject|contains: \Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\
filter_optional_msoffice2:
Image:
- C:\Program Files\Microsoft Office\root\integration\integrator.exe
- C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe
TargetObject|contains: \Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\
filter_optional_office:
Image|endswith: \OfficeClickToRun.exe
Image|startswith:
- C:\Program Files\Common Files\Microsoft Shared\ClickToRun\
- C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\
selection_wow_current_version_base:
TargetObject|contains: \SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion
selection_wow_current_version_keys:
TargetObject|contains:
- \ShellServiceObjectDelayLoad
- \Run\
- \RunOnce\
- \RunOnceEx\
- \RunServices\
- \RunServicesOnce\
- \Explorer\ShellServiceObjects
- \Explorer\ShellIconOverlayIdentifiers
- \Explorer\ShellExecuteHooks
- \Explorer\SharedTaskScheduler
- \Explorer\Browser Helper Objects
Classes Autorun Keys Modification
- source: sigma
- techniques:
- t1547
- t1547.001
Description
Detects modification of Windows Registry Classes keys used for persistence. Adversaries modify these autostart extensibility points (ASEP) to execute malicious code when file types are opened or actions are performed. Various legitimate software also uses these keys. Currently, this rule only filters out known legitimate software paths, thus it is recommended to review and tune filters for your environment to reduce false positives before deploying to production.
Detection logic
condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_drivers:
Image: C:\Windows\System32\drvinst.exe
filter_main_empty:
Details: (Empty)
filter_main_null:
Details: null
filter_main_svchost:
Image: C:\Windows\System32\svchost.exe
TargetObject|contains: \lnkfile\shellex\ContextMenuHandlers\
filter_optional_msoffice:
Details: '{807583E5-5146-11D5-A672-00B0D022E945}'
selection_classes_base:
TargetObject|contains: \Software\Classes
selection_classes_target:
TargetObject|contains:
- \Folder\ShellEx\ExtShellFolderViews
- \Folder\ShellEx\DragDropHandlers
- \Folder\Shellex\ColumnHandlers
- \Filter
- \Exefile\Shell\Open\Command\(Default)
- \Directory\Shellex\DragDropHandlers
- \Directory\Shellex\CopyHookHandlers
- \CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance
- \CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance
- \CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance
- \CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance
- \Classes\AllFileSystemObjects\ShellEx\DragDropHandlers
- \.exe
- \.cmd
- \ShellEx\PropertySheetHandlers
- \ShellEx\ContextMenuHandlers
CurrentVersion NT Autorun Keys Modification
- source: sigma
- techniques:
- t1547
- t1547.001
Description
Detects modification of an autostart extensibility point (ASEP) in the registry.
Detection logic
condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_empty:
Details: (Empty)
filter_main_legitimate_subkey:
TargetObject|contains: \Image File Execution Options\
TargetObject|endswith:
- \DisableExceptionChainValidation
- \MitigationOptions
filter_main_null:
Details: null
filter_main_poqexec:
Image: C:\Windows\System32\poqexec.exe
filter_main_runtimebroker:
Image: C:\Windows\System32\RuntimeBroker.exe
TargetObject|contains: \runtimebroker.exe\Microsoft.Windows.ShellExperienceHost
filter_main_security_extension_dc:
Details:
- DWORD (0x00000001)
- DWORD (0x00000009)
- DWORD (0x000003c0)
Image: C:\Windows\system32\svchost.exe
TargetObject|contains:
- \Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\PreviousPolicyAreas
- \Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\MaxNoGPOListChangesInterval
filter_optional_avguard:
Details:
- explorer.exe
- C:\Windows\system32\userinit.exe,
Image|startswith:
- C:\Program Files (x86)\Avira\Antivirus\avguard.exe
- C:\Program Files\Avira\Antivirus\avguard.exe
TargetObject|contains: SOFTWARE\WOW6432Node\Avira\Antivirus\Overwrite_Keys\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
TargetObject|endswith:
- \userinit\UseAsDefault
- \shell\UseAsDefault
filter_optional_edge:
Image|endswith: \MicrosoftEdgeUpdate.exe
Image|startswith: C:\Program Files (x86)\Microsoft\Temp\
filter_optional_msoffice:
- TargetObject|contains:
- \ClickToRunStore\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
- \ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\
- Image:
- C:\Program Files\Microsoft Office\root\integration\integrator.exe
- C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe
filter_optional_ngen:
Image|endswith: \ngen.exe
Image|startswith: C:\Windows\Microsoft.NET\Framework
filter_optional_officeclicktorun:
Image|endswith: \OfficeClickToRun.exe
Image|startswith:
- C:\Program Files\Common Files\Microsoft Shared\ClickToRun\
- C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\
filter_optional_onedrive:
Details|endswith: \AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe"
Details|startswith: C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\
Image|endswith: \AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
TargetObject|endswith: \Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary
selection_nt_current_version:
TargetObject|contains:
- \Winlogon\VmApplet
- \Winlogon\Userinit
- \Winlogon\Taskman
- \Winlogon\Shell
- \Winlogon\GpExtensions
- \Winlogon\AppSetup
- \Winlogon\AlternateShells\AvailableShells
- \Windows\IconServiceLib
- \Windows\Appinit_Dlls
- \Image File Execution Options
- \Font Drivers
- \Drivers32
- \Windows\Run
- \Windows\Load
selection_nt_current_version_base:
TargetObject|contains: \SOFTWARE\Microsoft\Windows NT\CurrentVersion
Wow6432Node Windows NT CurrentVersion Autorun Keys Modification
- source: sigma
- techniques:
- t1547
- t1547.001
Description
Detects modification of an autostart extensibility point (ASEP) in the registry.
Detection logic
condition: all of selection_* and not 1 of filter_main_*
filter_main_empty:
Details: (Empty)
filter_main_file_exec_options:
Details|endswith: \Microsoft\Windows NT\CurrentVersion\Image File Execution Options
filter_main_null:
Details: null
selection_wow_nt_current_version:
TargetObject|contains:
- \Windows\Appinit_Dlls
- \Image File Execution Options
- \Drivers32
selection_wow_nt_current_version_base:
TargetObject|contains: \SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion
Internet Explorer Autorun Keys Modification
- source: sigma
- techniques:
- t1547
- t1547.001
Description
Detects modification of an autostart extensibility point (ASEP) in the registry.
Detection logic
condition: ie and ie_details and not 1 of filter_*
filter_empty:
Details: (Empty)
filter_extensions:
TargetObject|contains:
- \Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}
- \Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}
- \Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}
- \Extensions\{A95fe080-8f5d-11d2-a20b-00aa003c157a}
filter_toolbar:
TargetObject|endswith:
- \Toolbar\ShellBrowser\ITBar7Layout
- \Toolbar\ShowDiscussionButton
- \Toolbar\Locked
ie:
TargetObject|contains:
- \Software\Wow6432Node\Microsoft\Internet Explorer
- \Software\Microsoft\Internet Explorer
ie_details:
TargetObject|contains:
- \Toolbar
- \Extensions
- \Explorer Bars
Session Manager Autorun Keys Modification
- source: sigma
- techniques:
- t1546
- t1546.009
- t1547
- t1547.001
Description
Detects modification of an autostart extensibility point (ASEP) in the registry.
Detection logic
condition: session_manager_base and session_manager and not filter
filter:
Details: (Empty)
session_manager:
TargetObject|contains:
- \SetupExecute
- \S0InitialCommand
- \KnownDlls
- \Execute
- \BootExecute
- \AppCertDlls
session_manager_base:
TargetObject|contains: \System\CurrentControlSet\Control\Session Manager