Techniques
Sample rules
Direct Autorun Keys Modification
- source: sigma
- techniques:
  - t1547
  - t1547.001
 
Description
Detects direct modification of an autostart extensibility point (ASEP) in the registry using reg.exe.
Detection logic
condition: all of selection_*
selection_cli_add:
  CommandLine|contains: add
selection_cli_keys:
  CommandLine|contains:
  - \software\Microsoft\Windows\CurrentVersion\Run
  - \software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  - \software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  - \software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
  - \software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
  - \software\Microsoft\Windows NT\CurrentVersion\Windows
  - \software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  - \system\CurrentControlSet\Control\SafeBoot\AlternateShell
selection_img:
  - Image|endswith: \reg.exe
  - OriginalFileName: reg.exe
Potential Persistence Attempt Via Run Keys Using Reg.EXE
- source: sigma
- techniques:
  - t1547
  - t1547.001
 
Description
Detects a suspicious reg.exe command line adding a value to a Run key in the registry.
Detection logic
condition: selection
selection:
  CommandLine|contains:
  - Software\Microsoft\Windows\CurrentVersion\Run
  - \Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  - \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  CommandLine|contains|all:
  - reg
  - ' add '
  Image|endswith: \reg.exe
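The following is an added example, not part of the rule listing above and not code from the Sigma project: a small Python evaluator that applies both selections (the "Direct Autorun Keys Modification" rule and the "Potential Persistence Attempt Via Run Keys Using Reg.EXE" rule) to a handful of constructed process-creation events, so you can see which command lines each rule fires on and where they differ. It assumes the Sysmon/Sigma process_creation field names (Image, OriginalFileName, CommandLine); the events are constructed samples, not real telemetry. Sigma matches string values case-insensitively by default, which is why the lowercase `\software\...` patterns in the first rule still match `\Software\...` in a command line, and it is reproduced here.

```python
"""
Evaluate the two Sigma selections above against constructed events.

Assumptions (not from the page): event dicts use the Sysmon process_creation
field names Image, OriginalFileName and CommandLine, and every event is a
constructed sample for illustration only.
"""

# Rule 1: "Direct Autorun Keys Modification" (selection_cli_keys)
RULE1_KEYS = [
    r"\software\Microsoft\Windows\CurrentVersion\Run",
    r"\software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
    r"\software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
    r"\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
    r"\software\Microsoft\Windows NT\CurrentVersion\Windows",
    r"\software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders",
    r"\system\CurrentControlSet\Control\SafeBoot\AlternateShell",
]

# Rule 2: "Potential Persistence Attempt Via Run Keys Using Reg.EXE" (selection)
RULE2_KEYS = [
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
    r"\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
]
RULE2_ALL = ["reg", " add "]


def contains(value: str, needle: str) -> bool:
    """Sigma 'contains' modifier: case-insensitive substring match."""
    return needle.lower() in value.lower()


def endswith(value: str, suffix: str) -> bool:
    """Sigma 'endswith' modifier: case-insensitive suffix match."""
    return value.lower().endswith(suffix.lower())


def direct_autorun_keys_modification(event: dict) -> bool:
    """Rule 1, condition 'all of selection_*'."""
    cmd = event.get("CommandLine", "")
    sel_cli_add = contains(cmd, "add")
    sel_cli_keys = any(contains(cmd, key) for key in RULE1_KEYS)
    # selection_img is a list of maps, so either alternative satisfies it (OR).
    sel_img = endswith(event.get("Image", ""), r"\reg.exe") or \
        event.get("OriginalFileName", "").lower() == "reg.exe"
    return sel_cli_add and sel_cli_keys and sel_img


def run_keys_via_reg_exe(event: dict) -> bool:
    """Rule 2, condition 'selection' (all fields of the map must match)."""
    cmd = event.get("CommandLine", "")
    return (
        any(contains(cmd, key) for key in RULE2_KEYS)
        and all(contains(cmd, s) for s in RULE2_ALL)
        and endswith(event.get("Image", ""), r"\reg.exe")
    )


# Constructed sample events (not real telemetry).
EVENTS = [
    {   # 1: reg.exe adds a Run value -> both rules fire
        "id": 1,
        "Image": r"C:\Windows\System32\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r'reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Updater /t REG_SZ /d "C:\Users\Public\updater.exe"',
    },
    {   # 2: read-only query of the same key -> neither rule fires (no 'add')
        "id": 2,
        "Image": r"C:\Windows\System32\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r'reg.exe query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"',
    },
    {   # 3: renamed reg.exe writing Winlogon\Shell -> only rule 1 fires
        #    (OriginalFileName still reads reg.exe; the key is not in rule 2's list)
        "id": 3,
        "Image": r"C:\Temp\r.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r'r.exe add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" /v Shell /t REG_SZ /d "explorer.exe,C:\Users\Public\s.exe" /f',
    },
    {   # 4: reg add to an unrelated application key -> neither rule fires
        "id": 4,
        "Image": r"C:\Windows\System32\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r'reg.exe add "HKCU\Software\ExampleVendor\ExampleApp" /v FirstRun /t REG_DWORD /d 0 /f',
    },
]


def evaluate(events):
    """Return (id, rule1_hit, rule2_hit) for each event."""
    return [(e["id"], direct_autorun_keys_modification(e), run_keys_via_reg_exe(e))
            for e in events]


if __name__ == "__main__":
    for event_id, r1, r2 in evaluate(EVENTS):
        print(f"event {event_id}: DirectAutorunKeys={r1} RunKeysViaRegExe={r2}")
```

Event 3 is the instructive one: the second rule keys on the image path ending in `\reg.exe` and on the three Run keys only, so a renamed copy of reg.exe writing `Winlogon\Shell` slips past it, while the first rule still fires because it also accepts `OriginalFileName` and covers the Winlogon, SafeBoot and User Shell Folders locations.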
