LoFP LoFP / legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.

Sample rules

Direct Autorun Keys Modification

Description

Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.

Detection logic

condition: all of selection_*
selection_1:
  CommandLine|contains: add
  Image|endswith: \reg.exe
selection_2:
  CommandLine|contains:
  - \software\Microsoft\Windows\CurrentVersion\Run
  - \software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
  - \software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
  - \software\Microsoft\Windows NT\CurrentVersion\Windows
  - \software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  - \system\CurrentControlSet\Control\SafeBoot\AlternateShell

Potential Persistence Attempt Via Run Keys Using Reg.EXE

Description

Detects suspicious command line reg.exe tool adding key to RUN key in Registry

Detection logic

condition: selection
selection:
  CommandLine|contains|all:
  - reg
  - ' ADD '
  - Software\Microsoft\Windows\CurrentVersion\Run

WinSock2 Autorun Keys Modification

Description

Detects modification of autostart extensibility point (ASEP) in registry.

Detection logic

condition: winsock_parameters_base and winsock_parameters and not filter
filter:
- Details: (Empty)
- Image: C:\Windows\System32\MsiExec.exe
- Image: C:\Windows\syswow64\MsiExec.exe
winsock_parameters:
  TargetObject|contains:
  - \Protocol_Catalog9\Catalog_Entries
  - \NameSpace_Catalog5\Catalog_Entries
winsock_parameters_base:
  TargetObject|contains: \System\CurrentControlSet\Services\WinSock2\Parameters

Internet Explorer Autorun Keys Modification

Description

Detects modification of autostart extensibility point (ASEP) in registry.

Detection logic

condition: ie and ie_details and not 1 of filter_*
filter_empty:
  Details: (Empty)
filter_extensions:
  TargetObject|contains:
  - \Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}
  - \Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}
  - \Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}
  - \Extensions\{A95fe080-8f5d-11d2-a20b-00aa003c157a}
filter_toolbar:
  TargetObject|endswith:
  - \Toolbar\ShellBrowser\ITBar7Layout
  - \Toolbar\ShowDiscussionButton
  - \Toolbar\Locked
ie:
  TargetObject|contains:
  - \Software\Wow6432Node\Microsoft\Internet Explorer
  - \Software\Microsoft\Internet Explorer
ie_details:
  TargetObject|contains:
  - \Toolbar
  - \Extensions
  - \Explorer Bars

Classes Autorun Keys Modification

Description

Detects modification of autostart extensibility point (ASEP) in registry.

Detection logic

condition: all of selection_* and not 1 of filter_*
filter_drivers:
  Image: C:\Windows\System32\drvinst.exe
filter_empty:
  Details: (Empty)
filter_msoffice:
  Details: '{807583E5-5146-11D5-A672-00B0D022E945}'
filter_svchost:
  Image: C:\Windows\System32\svchost.exe
  TargetObject|contains: \lnkfile\shellex\ContextMenuHandlers\
selection_classes_base:
  TargetObject|contains: \Software\Classes
selection_classes_target:
  TargetObject|contains:
  - \Folder\ShellEx\ExtShellFolderViews
  - \Folder\ShellEx\DragDropHandlers
  - \Folder\Shellex\ColumnHandlers
  - \Filter
  - \Exefile\Shell\Open\Command\(Default)
  - \Directory\Shellex\DragDropHandlers
  - \Directory\Shellex\CopyHookHandlers
  - \CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance
  - \CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance
  - \CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance
  - \CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance
  - \Classes\AllFileSystemObjects\ShellEx\DragDropHandlers
  - \.exe
  - \.cmd
  - \ShellEx\PropertySheetHandlers
  - \ShellEx\ContextMenuHandlers

Wow6432Node Windows NT CurrentVersion Autorun Keys Modification

Description

Detects modification of autostart extensibility point (ASEP) in registry.

Detection logic

condition: wow_nt_current_version_base and wow_nt_current_version and not filter
filter:
  Details:
  - (Empty)
  - \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
    Options
wow_nt_current_version:
  TargetObject|contains:
  - \Windows\Appinit_Dlls
  - \Image File Execution Options
  - \Drivers32
wow_nt_current_version_base:
  TargetObject|contains: \SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion

Office Autorun Keys Modification

Description

Detects modification of autostart extensibility point (ASEP) in registry.

Detection logic

condition: office and office_details and not 1 of filter_*
filter_avg:
  Image: C:\Program Files\AVG\Antivirus\RegSvr.exe
  TargetObject|contains: \Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\
filter_empty:
  Details: (Empty)
filter_known_addins:
  Image|startswith:
  - C:\Program Files\Microsoft Office\
  - C:\Program Files (x86)\Microsoft Office\
  - C:\Windows\System32\msiexec.exe
  - C:\Windows\System32\regsvr32.exe
  TargetObject|contains:
  - \Excel\Addins\AdHocReportingExcelClientLib.AdHocReportingExcelClientAddIn.1\
  - \Excel\Addins\ExcelPlugInShell.PowerMapConnect\
  - \Excel\Addins\NativeShim\
  - \Excel\Addins\NativeShim.InquireConnector.1\
  - \Excel\Addins\PowerPivotExcelClientAddIn.NativeEntry.1\
  - \Outlook\AddIns\AccessAddin.DC\
  - \Outlook\AddIns\ColleagueImport.ColleagueImportAddin\
  - \Outlook\AddIns\EvernoteCC.EvernoteContactConnector\
  - \Outlook\AddIns\EvernoteOLRD.Connect\
  - \Outlook\Addins\Microsoft.VbaAddinForOutlook.1\
  - \Outlook\Addins\OcOffice.OcForms\
  - \Outlook\Addins\\OneNote.OutlookAddin
  - \Outlook\Addins\OscAddin.Connect\
  - \Outlook\Addins\OutlookChangeNotifier.Connect\
  - \Outlook\Addins\UCAddin.LyncAddin.1
  - \Outlook\Addins\UCAddin.UCAddin.1
  - \Outlook\Addins\UmOutlookAddin.FormRegionAddin\
filter_officeclicktorun:
  Image|endswith: \OfficeClickToRun.exe
  Image|startswith:
  - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\
  - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\
office:
  TargetObject|contains:
  - \Software\Wow6432Node\Microsoft\Office
  - \Software\Microsoft\Office
office_details:
  TargetObject|contains:
  - \Word\Addins
  - \PowerPoint\Addins
  - \Outlook\Addins
  - \Onenote\Addins
  - \Excel\Addins
  - \Access\Addins
  - test\Special\Perf

Common Autorun Keys Modification

Description

Detects modification of autostart extensibility point (ASEP) in registry.

Detection logic

condition: main_selection and not 1 of filter_*
filter_IE:
  TargetObject|contains: \Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}
filter_chrome:
  TargetObject|contains: \SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}
filter_edge:
  TargetObject|contains: \SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}
filter_empty:
  Details: (Empty)
filter_image:
  Image:
  - C:\Windows\System32\poqexec.exe
  - C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe
filter_msoffice:
- TargetObject|contains:
  - \Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\PROTOCOLS\Handler\
  - \ClickToRunStore\HKMU\SOFTWARE\Classes\PROTOCOLS\Handler\
- Details:
  - '{314111c7-a502-11d2-bbca-00c04f8ec294}'
  - '{3459B272-CC19-4448-86C9-DDC3B4B2FAD3}'
  - '{42089D2D-912D-4018-9087-2B87803E93FB}'
  - '{5504BE45-A83B-4808-900A-3A5C36E7F77A}'
  - '{807583E5-5146-11D5-A672-00B0D022E945}'
filter_office:
  Image|endswith: \OfficeClickToRun.exe
  Image|startswith:
  - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\
  - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\
main_selection:
  TargetObject|contains:
  - \SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStart
  - \Software\Wow6432Node\Microsoft\Command Processor\Autorun
  - \SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components
  - \SOFTWARE\Microsoft\Windows CE Services\AutoStartOnDisconnect
  - \SOFTWARE\Microsoft\Windows CE Services\AutoStartOnConnect
  - \SYSTEM\Setup\CmdLine
  - \Software\Microsoft\Ctf\LangBarAddin
  - \Software\Microsoft\Command Processor\Autorun
  - \SOFTWARE\Microsoft\Active Setup\Installed Components
  - \SOFTWARE\Classes\Protocols\Handler
  - \SOFTWARE\Classes\Protocols\Filter
  - \SOFTWARE\Classes\Htmlfile\Shell\Open\Command\(Default)
  - \Environment\UserInitMprLogonScript
  - \SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop\Scrnsave.exe
  - \Software\Microsoft\Internet Explorer\UrlSearchHooks
  - \SOFTWARE\Microsoft\Internet Explorer\Desktop\Components
  - \Software\Classes\Clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\Inprocserver32
  - \Control Panel\Desktop\Scrnsave.exe

CurrentVersion NT Autorun Keys Modification

Description

Detects modification of autostart extensibility point (ASEP) in registry.

Detection logic

condition: nt_current_version_base and nt_current_version and not 1 of filter_*
filter_edge:
  Image|endswith: \MicrosoftEdgeUpdate.exe
  Image|startswith: C:\Program Files (x86)\Microsoft\Temp\
filter_empty:
  Details: (Empty)
filter_legitimate_subkey:
  TargetObject|contains: \Image File Execution Options\
  TargetObject|endswith:
  - \DisableExceptionChainValidation
  - \MitigationOptions
filter_msoffice:
- TargetObject|contains:
  - \ClickToRunStore\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
  - \ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\
- Image:
  - C:\Program Files\Microsoft Office\root\integration\integrator.exe
  - C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe
filter_ngen:
  Image|endswith: \ngen.exe
  Image|startswith: C:\Windows\Microsoft.NET\Framework
filter_officeclicktorun:
  Image|endswith: \OfficeClickToRun.exe
  Image|startswith:
  - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\
  - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\
filter_onedrive:
  Details|endswith: \AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe"
  Details|startswith: C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\
  Image|endswith: \AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
  TargetObject|endswith: \Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update
    Binary
filter_security_extension_dc:
  Details:
  - DWORD (0x00000009)
  - DWORD (0x000003c0)
  Image: C:\Windows\system32\svchost.exe
  TargetObject|contains:
  - \Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\PreviousPolicyAreas
  - \Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\MaxNoGPOListChangesInterval
nt_current_version:
  TargetObject|contains:
  - \Winlogon\VmApplet
  - \Winlogon\Userinit
  - \Winlogon\Taskman
  - \Winlogon\Shell
  - \Winlogon\GpExtensions
  - \Winlogon\AppSetup
  - \Winlogon\AlternateShells\AvailableShells
  - \Windows\IconServiceLib
  - \Windows\Appinit_Dlls
  - \Image File Execution Options
  - \Font Drivers
  - \Drivers32
  - \Windows\Run
  - \Windows\Load
nt_current_version_base:
  TargetObject|contains: \SOFTWARE\Microsoft\Windows NT\CurrentVersion

CurrentControlSet Autorun Keys Modification

Description

Detects modification of autostart extensibility point (ASEP) in registry.

Detection logic

condition: all of system_control_* and not 1 of filter_*
filter_cutepdf:
  Details:
  - cpwmon64_v40.dll
  - CutePDF Writer
  Image: C:\Windows\System32\spoolsv.exe
  TargetObject|contains: \Print\Monitors\CutePDF Writer Monitor
filter_empty:
  Details: (Empty)
filter_onenote:
  Image: C:\Windows\System32\spoolsv.exe
  TargetObject|contains: Print\Monitors\Appmon\Ports\Microsoft.Office.OneNote_
  User|contains:
  - AUTHORI
  - AUTORI
filter_poqexec:
  Image: C:\Windows\System32\poqexec.exe
  TargetObject|endswith: \NetworkProvider\Order\ProviderOrder
filter_realvnc:
  Details: VNCpm.dll
  Image: C:\Windows\System32\spoolsv.exe
  TargetObject|endswith: \Print\Monitors\MONVNC\Driver
system_control_base:
  TargetObject|contains: \SYSTEM\CurrentControlSet\Control
system_control_keys:
  TargetObject|contains:
  - \Terminal Server\WinStations\RDP-Tcp\InitialProgram
  - \Terminal Server\Wds\rdpwd\StartupPrograms
  - \SecurityProviders\SecurityProviders
  - \SafeBoot\AlternateShell
  - \Print\Providers
  - \Print\Monitors
  - \NetworkProvider\Order
  - \Lsa\Notification Packages
  - \Lsa\Authentication Packages
  - \BootVerificationProgram\ImagePath

Wow6432Node Classes Autorun Keys Modification

Description

Detects modification of autostart extensibility point (ASEP) in registry.

Detection logic

condition: wow_classes_base and wow_classes and not filter
filter:
  Details: (Empty)
wow_classes:
  TargetObject|contains:
  - \Folder\ShellEx\ExtShellFolderViews
  - \Folder\ShellEx\DragDropHandlers
  - \Folder\ShellEx\ColumnHandlers
  - \Directory\Shellex\DragDropHandlers
  - \Directory\Shellex\CopyHookHandlers
  - \CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance
  - \CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance
  - \CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance
  - \CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance
  - \AllFileSystemObjects\ShellEx\DragDropHandlers
  - \ShellEx\PropertySheetHandlers
  - \ShellEx\ContextMenuHandlers
wow_classes_base:
  TargetObject|contains: \Software\Wow6432Node\Classes

Session Manager Autorun Keys Modification

Description

Detects modification of autostart extensibility point (ASEP) in registry.

Detection logic

condition: session_manager_base and session_manager and not filter
filter:
  Details: (Empty)
session_manager:
  TargetObject|contains:
  - \SetupExecute
  - \S0InitialCommand
  - \KnownDlls
  - \Execute
  - \BootExecute
  - \AppCertDlls
session_manager_base:
  TargetObject|contains: \System\CurrentControlSet\Control\Session Manager

System Scripts Autorun Keys Modification

Description

Detects modification of autostart extensibility point (ASEP) in registry.

Detection logic

condition: scripts_base and scripts and not filter
filter:
  Details: (Empty)
scripts:
  TargetObject|contains:
  - \Startup
  - \Shutdown
  - \Logon
  - \Logoff
scripts_base:
  TargetObject|contains: \Software\Policies\Microsoft\Windows\System\Scripts

Wow6432Node CurrentVersion Autorun Keys Modification

Description

Detects modification of autostart extensibility point (ASEP) in registry.

Detection logic

condition: all of selection_wow_current_version_* and not 1 of filter_*
filter_dotnet:
  Details|endswith: .exe" /burn.runonce
  Details|startswith: '"C:\ProgramData\Package Cache\'
  Image|contains: \windowsdesktop-runtime-
  TargetObject|endswith:
  - \WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{e2d1ae32-dd1d-4ad7-a298-10e42e7840fc}
  - \WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{7037b699-7382-448c-89a7-4765961d2537}
filter_dropbox:
- Details|endswith: -A251-47B7-93E1-CDD82E34AF8B}
- Details: grpconv -o
- Details|contains|all:
  - C:\Program Files
  - \Dropbox\Client\Dropbox.exe
  - ' /systemstartup'
filter_edge:
  Image|contains|all:
  - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{
  - \setup.exe
filter_empty:
  Details: (Empty)
filter_evernote:
  TargetObject|endswith: \Explorer\Browser Helper Objects\{92EF2EAD-A7CE-4424-B0DB-499CF856608E}\NoExplorer
filter_ms_win_desktop_runtime:
  Details|startswith: '"C:\ProgramData\Package Cache\{d21a4f20-968a-4b0c-bf04-a38da5f06e41}\windowsdesktop-runtime-'
filter_msiexec:
  Image: C:\WINDOWS\system32\msiexec.exe
  TargetObject|contains: \SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\
filter_msoffice1:
  Image: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
  TargetObject|contains: \Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\
filter_msoffice2:
  Image:
  - C:\Program Files\Microsoft Office\root\integration\integrator.exe
  - C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe
  TargetObject|contains: \Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\
filter_office:
  Image|endswith: \OfficeClickToRun.exe
  Image|startswith:
  - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\
  - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\
filter_uninstallers:
  Image|startswith: C:\Windows\Installer\MSI
  TargetObject|contains: \Explorer\Browser Helper Objects
filter_upgrades:
  Details|endswith: ' /burn.runonce'
  Image|contains:
  - \winsdksetup.exe
  - \windowsdesktop-runtime-
  - \AspNetCoreSharedFrameworkBundle-
  Image|startswith:
  - C:\ProgramData\Package Cache
  - C:\Windows\Temp\
filter_vcredist:
  Details|endswith: '}\VC_redist.x64.exe" /burn.runonce'
  Image|endswith: \VC_redist.x64.exe
selection_wow_current_version_base:
  TargetObject|contains: \SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion
selection_wow_current_version_keys:
  TargetObject|contains:
  - \ShellServiceObjectDelayLoad
  - \Run\
  - \RunOnce\
  - \RunOnceEx\
  - \RunServices\
  - \RunServicesOnce\
  - \Explorer\ShellServiceObjects
  - \Explorer\ShellIconOverlayIdentifiers
  - \Explorer\ShellExecuteHooks
  - \Explorer\SharedTaskScheduler
  - \Explorer\Browser Helper Objects

CurrentVersion Autorun Keys Modification

Description

Detects modification of autostart extensibility point (ASEP) in registry.

Detection logic

condition: all of current_version_* and not 1 of filter_*
current_version_base:
  TargetObject|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion
current_version_keys:
  TargetObject|contains:
  - \ShellServiceObjectDelayLoad
  - \Run\
  - \RunOnce\
  - \RunOnceEx\
  - \RunServices\
  - \RunServicesOnce\
  - \Policies\System\Shell
  - \Policies\Explorer\Run
  - \Group Policy\Scripts\Startup
  - \Group Policy\Scripts\Shutdown
  - \Group Policy\Scripts\Logon
  - \Group Policy\Scripts\Logoff
  - \Explorer\ShellServiceObjects
  - \Explorer\ShellIconOverlayIdentifiers
  - \Explorer\ShellExecuteHooks
  - \Explorer\SharedTaskScheduler
  - \Explorer\Browser Helper Objects
  - \Authentication\PLAP Providers
  - \Authentication\Credential Providers
  - \Authentication\Credential Provider Filters
filter_AVG:
  Details:
  - '"C:\Program Files\AVG\Antivirus\AvLaunch.exe" /gui'
  - '"C:\Program Files (x86)\AVG\Antivirus\AvLaunch.exe" /gui'
  - '{472083B0-C522-11CF-8763-00608CC02F24}'
  Image|startswith: C:\Program Files\AVG\Antivirus\Setup\
filter_all:
- Details: (Empty)
- TargetObject|endswith: \NgcFirst\ConsecutiveSwitchCount
- Image|endswith:
  - \AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
  - \AppData\Roaming\Spotify\Spotify.exe
  - \AppData\Local\WebEx\WebexHost.exe
- Image:
  - C:\WINDOWS\system32\devicecensus.exe
  - C:\Windows\system32\winsat.exe
  - C:\Program Files\Microsoft OneDrive\StandaloneUpdater\OneDriveSetup.exe
  - C:\Program Files\Microsoft OneDrive\Update\OneDriveSetup.exe
  - C:\Program Files (x86)\Microsoft OneDrive\Update\OneDriveSetup.exe
  - C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe
  - C:\Program Files\Everything\Everything.exe
  - C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe
filter_aurora_dashboard:
  Details: C:\Program Files\Aurora-Agent\tools\aurora-dashboard.exe
  Image|endswith:
  - \aurora-agent-64.exe
  - \aurora-agent.exe
  TargetObject|endswith: \Microsoft\Windows\CurrentVersion\Run\aurora-dashboard
filter_ctfmon:
  Details: ctfmon.exe /n
  Image: C:\Windows\system32\userinit.exe
filter_defender:
  Image: C:\Program Files\Windows Defender\MsMpEng.exe
filter_dropbox:
  Details|endswith: A251-47B7-93E1-CDD82E34AF8B}
  Image: C:\Windows\system32\regsvr32.exe
  TargetObject|contains: DropboxExt
filter_edge:
  Image|startswith:
  - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\
  - C:\Program Files (x86)\Microsoft\EdgeWebView\
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
filter_everything:
  Details|endswith: \Everything\Everything.exe" -startup
  TargetObject|endswith: \Microsoft\Windows\CurrentVersion\Run\Everything
filter_googledrive1:
  Details|contains: \GoogleDriveFS.exe
  Details|startswith: C:\Program Files\Google\Drive File Stream\
  TargetObject|endswith: \Software\Microsoft\Windows\CurrentVersion\Run\GoogleDriveFS
filter_googledrive2:
  Details:
  - '{CFE8B367-77A7-41D7-9C90-75D16D7DC6B6}'
  - '{A8E52322-8734-481D-A7E2-27B309EF8D56}'
  - '{C973DA94-CBDF-4E77-81D1-E5B794FBD146}'
  - '{51EF1569-67EE-4AD6-9646-E726C3FFC8A2}'
  TargetObject|contains: GoogleDrive
filter_greenshot:
  Details: C:\Program Files\Greenshot\Greenshot.exe
  TargetObject|endswith: \SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Greenshot
filter_itunes:
  Details: '"C:\Program Files\iTunes\iTunesHelper.exe"'
  TargetObject|endswith: \SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iTunesHelper
filter_logonui:
  Image: C:\Windows\system32\LogonUI.exe
  TargetObject|contains:
  - \Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}\
  - \Authentication\Credential Providers\{BEC09223-B018-416D-A0AC-523971B639F5}\
  - \Authentication\Credential Providers\{8AF662BF-65A0-4D0A-A540-A338A999D36F}\
  - \Authentication\Credential Providers\{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}\
filter_officeclicktorun:
  Image|endswith: \OfficeClickToRun.exe
  Image|startswith:
  - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\
  - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\
filter_onedrive:
  Details|contains: \AppData\Local\Microsoft\OneDrive\
  Details|startswith:
  - C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\
  - C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\
filter_opera:
  Details: C:\Program Files\Opera\assistant\browser_assistant.exe
  TargetObject|endswith: \SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Opera Browser
    Assistant
filter_python:
  Details|contains|all:
  - \AppData\Local\Package Cache\{
  - '}\python-'
  Details|endswith: .exe" /burn.runonce
  TargetObject|contains: \Microsoft\Windows\CurrentVersion\RunOnce\{
filter_teams:
  Details|contains: '\Microsoft\Teams\Update.exe --processStart '
  Image|endswith: \Microsoft\Teams\current\Teams.exe
filter_zoom:
  Details: '"C:\Program Files\Zoom\bin\installer.exe" /repair'
  TargetObject|endswith: \SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zoommsirepair