LoFP / Legitimate software automatically (mostly during installation) sets up autorun keys for legitimate reasons.

Sample rules

Potential Persistence Attempt Via Run Keys Using Reg.EXE

Description

Detects a suspicious reg.exe command line that adds a value under a Run key in the registry.

Detection logic

condition: selection
selection:
  CommandLine|contains|all:
  - reg
  - ' ADD '
  - Software\Microsoft\Windows\CurrentVersion\Run

Direct Autorun Keys Modification

Description

Detects direct modification of an autostart extensibility point (ASEP) in the registry through a reg.exe command line: the Run key, the Winlogon Userinit and Shell values, the Windows NT CurrentVersion\Windows key, User Shell Folders and the SafeBoot AlternateShell value.

Detection logic

condition: all of selection_*
selection_1:
  CommandLine|contains: add
  Image|endswith: \reg.exe
selection_2:
  CommandLine|contains:
  - \software\Microsoft\Windows\CurrentVersion\Run
  - \software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
  - \software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
  - \software\Microsoft\Windows NT\CurrentVersion\Windows
  - \software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  - \system\CurrentControlSet\Control\SafeBoot\AlternateShell
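The two command-line rules above can be run against process-creation telemetry directly. The following is an added example, not code from the original page or from the Sigma project: the rule strings are transcribed from the page, the matching helpers and the Sysmon Event ID 1 records are mine and constructed for illustration. Sigma string comparison is case-insensitive, which is reproduced by lower-casing both sides.

```python
"""Evaluate the two reg.exe command-line rules above against constructed
Sysmon Event ID 1 (process creation) records.

Added example; not code from the original page or the Sigma project."""

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# selection_2 of "Direct Autorun Keys Modification", as listed on the page
DIRECT_ASEP_PATHS = [
    r"\software\Microsoft\Windows\CurrentVersion\Run",
    r"\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
    r"\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
    r"\software\Microsoft\Windows NT\CurrentVersion\Windows",
    r"\software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders",
    r"\system\CurrentControlSet\Control\SafeBoot\AlternateShell",
]


def _contains(haystack, needle):
    """Sigma 'contains' modifier: case-insensitive substring test."""
    return needle.lower() in haystack.lower()


def run_keys_via_reg(event):
    """'Potential Persistence Attempt Via Run Keys Using Reg.EXE':
    CommandLine|contains|all of 'reg', ' ADD ' and the Run key path.
    No Image constraint, so a cmd/PowerShell wrapper whose command line
    embeds the reg command matches as well."""
    return all(_contains(event["CommandLine"], s) for s in ("reg", " ADD ", RUN_KEY))


def direct_autorun_modification(event):
    """'Direct Autorun Keys Modification': all of selection_*.
    selection_1: Image ends with \\reg.exe AND CommandLine contains 'add'.
    selection_2: CommandLine contains any one of the ASEP paths (list = OR)."""
    selection_1 = (event["Image"].lower().endswith(r"\reg.exe")
                   and _contains(event["CommandLine"], "add"))
    selection_2 = any(_contains(event["CommandLine"], p) for p in DIRECT_ASEP_PATHS)
    return selection_1 and selection_2


# Constructed events, not real telemetry.
EVENTS = {
    "reg_add_hkcu_run": {
        "Image": r"C:\Windows\System32\reg.exe",
        "CommandLine": r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" '
                       r'/v Updater /t REG_SZ /d "C:\Users\Public\u.exe" /f'},
    # reg.exe takes the value name via /v, so the contiguous string
    # "\Winlogon\Userinit" never appears in the command line and
    # selection_2 does not match this persistence attempt.
    "reg_add_winlogon_userinit": {
        "Image": r"C:\Windows\System32\reg.exe",
        "CommandLine": r'reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" '
                       r'/v Userinit /t REG_SZ /d "C:\Windows\system32\userinit.exe,C:\Users\Public\p.exe" /f'},
    "powershell_wrapping_reg_add": {
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell -c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run '
                       r'/v a /t REG_SZ /d C:\Users\Public\a.exe"'},
    "msi_install": {
        "Image": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": r"msiexec /i vendor.msi /qn"},
}


def evaluate(events=EVENTS):
    """Map event name -> (run_keys_via_reg, direct_autorun_modification)."""
    return {name: (run_keys_via_reg(ev), direct_autorun_modification(ev))
            for name, ev in events.items()}


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:30s} run_keys={verdict[0]!s:5s} direct={verdict[1]}")
```

Two things the run shows. The first rule has no Image constraint, so the PowerShell wrapper fires it while the second rule stays silent until the child reg.exe process is logged on its own. The Winlogon entries of the second rule only match when the value path is written contiguously; with reg.exe's own `/v` syntax the write is caught instead by the registry-event rule "CurrentVersion NT Autorun Keys Modification" further down, which keys on the TargetObject of the resulting registry event rather than on the tool that produced it. Note also that neither command-line rule carries installer filters, while the registry-event rules below carry many: an installer that sets up its autorun key through the registry API never spawns reg.exe.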

Common Autorun Keys Modification

Description

Detects modification of autostart extensibility points (ASEPs) in the registry that are not covered by the CurrentVersion, Windows NT, Classes or Session Manager rules below, such as Active Setup Installed Components, the Command Processor Autorun value, Protocols handlers and filters, UserInitMprLogonScript and the screensaver executable.

Detection logic

condition: main_selection and not 1 of filter_*
filter_IE:
  TargetObject|contains: \Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}
filter_chrome:
  TargetObject|contains: \SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}
filter_edge:
  TargetObject|contains: \SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}
filter_empty:
  Details: (Empty)
filter_image:
  Image:
  - C:\Windows\System32\poqexec.exe
  - C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe
filter_msoffice:
- TargetObject|contains:
  - \Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\PROTOCOLS\Handler\
  - \ClickToRunStore\HKMU\SOFTWARE\Classes\PROTOCOLS\Handler\
- Details:
  - '{314111c7-a502-11d2-bbca-00c04f8ec294}'
  - '{3459B272-CC19-4448-86C9-DDC3B4B2FAD3}'
  - '{42089D2D-912D-4018-9087-2B87803E93FB}'
  - '{5504BE45-A83B-4808-900A-3A5C36E7F77A}'
  - '{807583E5-5146-11D5-A672-00B0D022E945}'
filter_office:
  Image|endswith: \OfficeClickToRun.exe
  Image|startswith:
  - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\
  - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\
main_selection:
  TargetObject|contains:
  - \SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStart
  - \Software\Wow6432Node\Microsoft\Command Processor\Autorun
  - \SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components
  - \SOFTWARE\Microsoft\Windows CE Services\AutoStartOnDisconnect
  - \SOFTWARE\Microsoft\Windows CE Services\AutoStartOnConnect
  - \SYSTEM\Setup\CmdLine
  - \Software\Microsoft\Ctf\LangBarAddin
  - \Software\Microsoft\Command Processor\Autorun
  - \SOFTWARE\Microsoft\Active Setup\Installed Components
  - \SOFTWARE\Classes\Protocols\Handler
  - \SOFTWARE\Classes\Protocols\Filter
  - \SOFTWARE\Classes\Htmlfile\Shell\Open\Command\(Default)
  - \Environment\UserInitMprLogonScript
  - \SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop\Scrnsave.exe
  - \Software\Microsoft\Internet Explorer\UrlSearchHooks
  - \SOFTWARE\Microsoft\Internet Explorer\Desktop\Components
  - \Software\Classes\Clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\Inprocserver32
  - \Control Panel\Desktop\Scrnsave.exe

System Scripts Autorun Keys Modification

Description

Detects modification of the Group Policy script entries (Startup, Shutdown, Logon and Logoff) under Software\Policies\Microsoft\Windows\System\Scripts, an autostart extensibility point (ASEP) in the registry.

Detection logic

condition: scripts_base and scripts and not filter
filter:
  Details: (Empty)
scripts:
  TargetObject|contains:
  - \Startup
  - \Shutdown
  - \Logon
  - \Logoff
scripts_base:
  TargetObject|contains: \Software\Policies\Microsoft\Windows\System\Scripts

CurrentVersion NT Autorun Keys Modification

Description

Detects modification of autostart extensibility points (ASEPs) under Software\Microsoft\Windows NT\CurrentVersion: the Winlogon Userinit, Shell, Taskman, VmApplet, AppSetup, GpExtensions and AvailableShells values, AppInit_DLLs, Image File Execution Options, Font Drivers, Drivers32, IconServiceLib and the Windows\Run and Windows\Load values.

Detection logic

condition: nt_current_version_base and nt_current_version and not 1 of filter_*
filter_edge:
  Image|endswith: \MicrosoftEdgeUpdate.exe
  Image|startswith: C:\Program Files (x86)\Microsoft\Temp\
filter_empty:
  Details: (Empty)
filter_legitimate_subkey:
  TargetObject|contains: \Image File Execution Options\
  TargetObject|endswith:
  - \DisableExceptionChainValidation
  - \MitigationOptions
filter_msoffice:
- TargetObject|contains:
  - \ClickToRunStore\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
  - \ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\
- Image:
  - C:\Program Files\Microsoft Office\root\integration\integrator.exe
  - C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe
filter_ngen:
  Image|endswith: \ngen.exe
  Image|startswith: C:\Windows\Microsoft.NET\Framework
filter_officeclicktorun:
  Image|endswith: \OfficeClickToRun.exe
  Image|startswith:
  - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\
  - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\
filter_onedrive:
  Details|endswith: \AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe"
  Details|startswith: C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\
  Image|endswith: \AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
  TargetObject|endswith: \Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary
filter_security_extension_dc:
  Details:
  - DWORD (0x00000009)
  - DWORD (0x000003c0)
  Image: C:\Windows\system32\svchost.exe
  TargetObject|contains:
  - \Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\PreviousPolicyAreas
  - \Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\MaxNoGPOListChangesInterval
nt_current_version:
  TargetObject|contains:
  - \Winlogon\VmApplet
  - \Winlogon\Userinit
  - \Winlogon\Taskman
  - \Winlogon\Shell
  - \Winlogon\GpExtensions
  - \Winlogon\AppSetup
  - \Winlogon\AlternateShells\AvailableShells
  - \Windows\IconServiceLib
  - \Windows\Appinit_Dlls
  - \Image File Execution Options
  - \Font Drivers
  - \Drivers32
  - \Windows\Run
  - \Windows\Load
nt_current_version_base:
  TargetObject|contains: \SOFTWARE\Microsoft\Windows NT\CurrentVersion

Wow6432Node Classes Autorun Keys Modification

Description

Detects modification of shell extension handler registrations (context menu, property sheet, drag-and-drop, copy hook and column handlers, and the listed CLSID Instance keys) under Software\Wow6432Node\Classes, an autostart extensibility point (ASEP) in the registry.

Detection logic

condition: wow_classes_base and wow_classes and not filter
filter:
  Details: (Empty)
wow_classes:
  TargetObject|contains:
  - \Folder\ShellEx\ExtShellFolderViews
  - \Folder\ShellEx\DragDropHandlers
  - \Folder\ShellEx\ColumnHandlers
  - \Directory\Shellex\DragDropHandlers
  - \Directory\Shellex\CopyHookHandlers
  - \CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance
  - \CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance
  - \CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance
  - \CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance
  - \AllFileSystemObjects\ShellEx\DragDropHandlers
  - \ShellEx\PropertySheetHandlers
  - \ShellEx\ContextMenuHandlers
wow_classes_base:
  TargetObject|contains: \Software\Wow6432Node\Classes

Wow6432Node Windows NT CurrentVersion Autorun Keys Modification

Description

Detects modification of AppInit_DLLs, Image File Execution Options and Drivers32 under Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion, the 32-bit view of those autostart extensibility points (ASEPs).

Detection logic

condition: wow_nt_current_version_base and wow_nt_current_version and not filter
filter:
  Details:
  - (Empty)
  - \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
wow_nt_current_version:
  TargetObject|contains:
  - \Windows\Appinit_Dlls
  - \Image File Execution Options
  - \Drivers32
wow_nt_current_version_base:
  TargetObject|contains: \SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion

Internet Explorer Autorun Keys Modification

Description

Detects modification of Internet Explorer Toolbar, Extensions and Explorer Bars registrations, autostart extensibility points (ASEPs) in the registry.

Detection logic

condition: ie and ie_details and not 1 of filter_*
filter_empty:
  Details: (Empty)
filter_extensions:
  TargetObject|contains:
  - \Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}
  - \Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}
  - \Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}
  - \Extensions\{A95fe080-8f5d-11d2-a20b-00aa003c157a}
filter_toolbar:
  TargetObject|endswith:
  - \Toolbar\ShellBrowser\ITBar7Layout
  - \Toolbar\ShowDiscussionButton
  - \Toolbar\Locked
ie:
  TargetObject|contains:
  - \Software\Wow6432Node\Microsoft\Internet Explorer
  - \Software\Microsoft\Internet Explorer
ie_details:
  TargetObject|contains:
  - \Toolbar
  - \Extensions
  - \Explorer Bars

Session Manager Autorun Keys Modification

Description

Detects modification of autostart extensibility points (ASEPs) under System\CurrentControlSet\Control\Session Manager: BootExecute, SetupExecute, Execute, S0InitialCommand, KnownDlls and AppCertDlls.

Detection logic

condition: session_manager_base and session_manager and not filter
filter:
  Details: (Empty)
session_manager:
  TargetObject|contains:
  - \SetupExecute
  - \S0InitialCommand
  - \KnownDlls
  - \Execute
  - \BootExecute
  - \AppCertDlls
session_manager_base:
  TargetObject|contains: \System\CurrentControlSet\Control\Session Manager

CurrentControlSet Autorun Keys Modification

Description

Detects modification of autostart extensibility points (ASEPs) under SYSTEM\CurrentControlSet\Control: the Terminal Server initial program and startup programs, SecurityProviders, the SafeBoot AlternateShell, print providers and monitors, the network provider order, LSA notification and authentication packages and BootVerificationProgram.

Detection logic

condition: all of system_control_* and not 1 of filter_*
filter_cutepdf:
  Details:
  - cpwmon64_v40.dll
  - CutePDF Writer
  Image: C:\Windows\System32\spoolsv.exe
  TargetObject|contains: \Print\Monitors\CutePDF Writer Monitor
filter_empty:
  Details: (Empty)
filter_onenote:
  Image: C:\Windows\System32\spoolsv.exe
  TargetObject|contains: Print\Monitors\Appmon\Ports\Microsoft.Office.OneNote_
  User|contains:
  - AUTHORI
  - AUTORI
filter_poqexec:
  Image: C:\Windows\System32\poqexec.exe
  TargetObject|endswith: \NetworkProvider\Order\ProviderOrder
filter_realvnc:
  Details: VNCpm.dll
  Image: C:\Windows\System32\spoolsv.exe
  TargetObject|endswith: \Print\Monitors\MONVNC\Driver
system_control_base:
  TargetObject|contains: \SYSTEM\CurrentControlSet\Control
system_control_keys:
  TargetObject|contains:
  - \Terminal Server\WinStations\RDP-Tcp\InitialProgram
  - \Terminal Server\Wds\rdpwd\StartupPrograms
  - \SecurityProviders\SecurityProviders
  - \SafeBoot\AlternateShell
  - \Print\Providers
  - \Print\Monitors
  - \NetworkProvider\Order
  - \Lsa\Notification Packages
  - \Lsa\Authentication Packages
  - \BootVerificationProgram\ImagePath

Office Autorun Keys Modification

Description

Detects modification of Office add-in registrations (the Word, PowerPoint, Outlook, OneNote, Excel and Access Addins keys), an autostart extensibility point (ASEP) in the registry.

Detection logic

condition: office and office_details and not 1 of filter_*
filter_avg:
  Image: C:\Program Files\AVG\Antivirus\RegSvr.exe
  TargetObject|contains: \Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\
filter_empty:
  Details: (Empty)
filter_known_addins:
  Image|startswith:
  - C:\Program Files\Microsoft Office\
  - C:\Program Files (x86)\Microsoft Office\
  - C:\Windows\System32\msiexec.exe
  - C:\Windows\System32\regsvr32.exe
  TargetObject|contains:
  - \Excel\Addins\AdHocReportingExcelClientLib.AdHocReportingExcelClientAddIn.1\
  - \Excel\Addins\ExcelPlugInShell.PowerMapConnect\
  - \Excel\Addins\NativeShim\
  - \Excel\Addins\NativeShim.InquireConnector.1\
  - \Excel\Addins\PowerPivotExcelClientAddIn.NativeEntry.1\
  - \Outlook\AddIns\AccessAddin.DC\
  - \Outlook\AddIns\ColleagueImport.ColleagueImportAddin\
  - \Outlook\AddIns\EvernoteCC.EvernoteContactConnector\
  - \Outlook\AddIns\EvernoteOLRD.Connect\
  - \Outlook\Addins\Microsoft.VbaAddinForOutlook.1\
  - \Outlook\Addins\OcOffice.OcForms\
  - \Outlook\Addins\\OneNote.OutlookAddin
  - \Outlook\Addins\OscAddin.Connect\
  - \Outlook\Addins\OutlookChangeNotifier.Connect\
  - \Outlook\Addins\UCAddin.LyncAddin.1
  - \Outlook\Addins\UCAddin.UCAddin.1
  - \Outlook\Addins\UmOutlookAddin.FormRegionAddin\
filter_officeclicktorun:
  Image|endswith: \OfficeClickToRun.exe
  Image|startswith:
  - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\
  - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\
office:
  TargetObject|contains:
  - \Software\Wow6432Node\Microsoft\Office
  - \Software\Microsoft\Office
office_details:
  TargetObject|contains:
  - \Word\Addins
  - \PowerPoint\Addins
  - \Outlook\Addins
  - \Onenote\Addins
  - \Excel\Addins
  - \Access\Addins
  - test\Special\Perf

Wow6432Node CurrentVersion Autorun Keys Modification

Description

Detects modification of autostart extensibility points (ASEPs) under SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion: the Run, RunOnce, RunOnceEx, RunServices and RunServicesOnce keys, ShellServiceObjectDelayLoad, and the Explorer ShellServiceObjects, ShellIconOverlayIdentifiers, ShellExecuteHooks, SharedTaskScheduler and Browser Helper Objects keys.

Detection logic

condition: all of selection_wow_current_version_* and not 1 of filter_*
filter_dotnet:
  Details|endswith: .exe" /burn.runonce
  Details|startswith: '"C:\ProgramData\Package Cache\'
  Image|contains: \windowsdesktop-runtime-
  TargetObject|endswith:
  - \WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{e2d1ae32-dd1d-4ad7-a298-10e42e7840fc}
  - \WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{7037b699-7382-448c-89a7-4765961d2537}
filter_dropbox:
- Details|endswith: -A251-47B7-93E1-CDD82E34AF8B}
- Details: grpconv -o
- Details|contains|all:
  - C:\Program Files
  - \Dropbox\Client\Dropbox.exe
  - ' /systemstartup'
filter_edge:
  Image|contains|all:
  - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{
  - \setup.exe
filter_empty:
  Details: (Empty)
filter_evernote:
  TargetObject|endswith: \Explorer\Browser Helper Objects\{92EF2EAD-A7CE-4424-B0DB-499CF856608E}\NoExplorer
filter_ms_win_desktop_runtime:
  Details|startswith: '"C:\ProgramData\Package Cache\{d21a4f20-968a-4b0c-bf04-a38da5f06e41}\windowsdesktop-runtime-'
filter_msiexec:
  Image: C:\WINDOWS\system32\msiexec.exe
  TargetObject|contains: \SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\
filter_msoffice1:
  Image: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
  TargetObject|contains: \Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\
filter_msoffice2:
  Image:
  - C:\Program Files\Microsoft Office\root\integration\integrator.exe
  - C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe
  TargetObject|contains: \Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\
filter_office:
  Image|endswith: \OfficeClickToRun.exe
  Image|startswith:
  - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\
  - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\
filter_uninstallers:
  Image|startswith: C:\Windows\Installer\MSI
  TargetObject|contains: \Explorer\Browser Helper Objects
filter_upgrades:
  Details|endswith: ' /burn.runonce'
  Image|contains:
  - \winsdksetup.exe
  - \windowsdesktop-runtime-
  - \AspNetCoreSharedFrameworkBundle-
  Image|startswith:
  - C:\ProgramData\Package Cache
  - C:\Windows\Temp\
filter_vcredist:
  Details|endswith: '}\VC_redist.x64.exe" /burn.runonce'
  Image|endswith: \VC_redist.x64.exe
selection_wow_current_version_base:
  TargetObject|contains: \SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion
selection_wow_current_version_keys:
  TargetObject|contains:
  - \ShellServiceObjectDelayLoad
  - \Run\
  - \RunOnce\
  - \RunOnceEx\
  - \RunServices\
  - \RunServicesOnce\
  - \Explorer\ShellServiceObjects
  - \Explorer\ShellIconOverlayIdentifiers
  - \Explorer\ShellExecuteHooks
  - \Explorer\SharedTaskScheduler
  - \Explorer\Browser Helper Objects

CurrentVersion Autorun Keys Modification

Description

Detects modification of autostart extensibility points (ASEPs) under SOFTWARE\Microsoft\Windows\CurrentVersion: the Run, RunOnce, RunOnceEx, RunServices and RunServicesOnce keys, ShellServiceObjectDelayLoad, the Policies System\Shell and Explorer\Run values, Group Policy scripts, the Explorer ShellServiceObjects, ShellIconOverlayIdentifiers, ShellExecuteHooks, SharedTaskScheduler and Browser Helper Objects keys, and the credential provider, credential provider filter and PLAP provider registrations.

Detection logic

condition: all of current_version_* and not 1 of filter_*
current_version_base:
  TargetObject|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion
current_version_keys:
  TargetObject|contains:
  - \ShellServiceObjectDelayLoad
  - \Run\
  - \RunOnce\
  - \RunOnceEx\
  - \RunServices\
  - \RunServicesOnce\
  - \Policies\System\Shell
  - \Policies\Explorer\Run
  - \Group Policy\Scripts\Startup
  - \Group Policy\Scripts\Shutdown
  - \Group Policy\Scripts\Logon
  - \Group Policy\Scripts\Logoff
  - \Explorer\ShellServiceObjects
  - \Explorer\ShellIconOverlayIdentifiers
  - \Explorer\ShellExecuteHooks
  - \Explorer\SharedTaskScheduler
  - \Explorer\Browser Helper Objects
  - \Authentication\PLAP Providers
  - \Authentication\Credential Providers
  - \Authentication\Credential Provider Filters
filter_AVG:
  Details:
  - '"C:\Program Files\AVG\Antivirus\AvLaunch.exe" /gui'
  - '"C:\Program Files (x86)\AVG\Antivirus\AvLaunch.exe" /gui'
  - '{472083B0-C522-11CF-8763-00608CC02F24}'
  Image|startswith: C:\Program Files\AVG\Antivirus\Setup\
filter_all:
- Details: (Empty)
- TargetObject|endswith: \NgcFirst\ConsecutiveSwitchCount
- Image|endswith:
  - \AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
  - \AppData\Roaming\Spotify\Spotify.exe
  - \AppData\Local\WebEx\WebexHost.exe
- Image:
  - C:\WINDOWS\system32\devicecensus.exe
  - C:\Windows\system32\winsat.exe
  - C:\Program Files\Microsoft OneDrive\StandaloneUpdater\OneDriveSetup.exe
  - C:\Program Files\Microsoft OneDrive\Update\OneDriveSetup.exe
  - C:\Program Files (x86)\Microsoft OneDrive\Update\OneDriveSetup.exe
  - C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe
  - C:\Program Files\Everything\Everything.exe
  - C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe
filter_aurora_dashboard:
  Details: C:\Program Files\Aurora-Agent\tools\aurora-dashboard.exe
  Image|endswith:
  - \aurora-agent-64.exe
  - \aurora-agent.exe
  TargetObject|endswith: \Microsoft\Windows\CurrentVersion\Run\aurora-dashboard
filter_ctfmon:
  Details: ctfmon.exe /n
  Image: C:\Windows\system32\userinit.exe
filter_defender:
  Image: C:\Program Files\Windows Defender\MsMpEng.exe
filter_dropbox:
  Details|endswith: A251-47B7-93E1-CDD82E34AF8B}
  Image: C:\Windows\system32\regsvr32.exe
  TargetObject|contains: DropboxExt
filter_edge:
  Image|startswith:
  - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\
  - C:\Program Files (x86)\Microsoft\EdgeWebView\
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
filter_everything:
  Details|endswith: \Everything\Everything.exe" -startup
  TargetObject|endswith: \Microsoft\Windows\CurrentVersion\Run\Everything
filter_googledrive1:
  Details|contains: \GoogleDriveFS.exe
  Details|startswith: C:\Program Files\Google\Drive File Stream\
  TargetObject|endswith: \Software\Microsoft\Windows\CurrentVersion\Run\GoogleDriveFS
filter_googledrive2:
  Details:
  - '{CFE8B367-77A7-41D7-9C90-75D16D7DC6B6}'
  - '{A8E52322-8734-481D-A7E2-27B309EF8D56}'
  - '{C973DA94-CBDF-4E77-81D1-E5B794FBD146}'
  - '{51EF1569-67EE-4AD6-9646-E726C3FFC8A2}'
  TargetObject|contains: GoogleDrive
filter_greenshot:
  Details: C:\Program Files\Greenshot\Greenshot.exe
  TargetObject|endswith: \SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Greenshot
filter_itunes:
  Details: '"C:\Program Files\iTunes\iTunesHelper.exe"'
  TargetObject|endswith: \SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iTunesHelper
filter_logonui:
  Image: C:\Windows\system32\LogonUI.exe
  TargetObject|contains:
  - \Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}\
  - \Authentication\Credential Providers\{BEC09223-B018-416D-A0AC-523971B639F5}\
  - \Authentication\Credential Providers\{8AF662BF-65A0-4D0A-A540-A338A999D36F}\
  - \Authentication\Credential Providers\{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}\
filter_officeclicktorun:
  Image|endswith: \OfficeClickToRun.exe
  Image|startswith:
  - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\
  - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\
filter_onedrive:
  Details|contains: \AppData\Local\Microsoft\OneDrive\
  Details|startswith:
  - C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\
  - C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\
filter_opera:
  Details: C:\Program Files\Opera\assistant\browser_assistant.exe
  TargetObject|endswith: \SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Opera Browser Assistant
filter_python:
  Details|contains|all:
  - \AppData\Local\Package Cache\{
  - '}\python-'
  Details|endswith: .exe" /burn.runonce
  TargetObject|contains: \Microsoft\Windows\CurrentVersion\RunOnce\{
filter_teams:
  Details|contains: '\Microsoft\Teams\Update.exe --processStart '
  Image|endswith: \Microsoft\Teams\current\Teams.exe
filter_zoom:
  Details: '"C:\Program Files\Zoom\bin\installer.exe" /repair'
  TargetObject|endswith: \SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zoommsirepair

Classes Autorun Keys Modification

Description

Detects modification of autostart extensibility points (ASEPs) under Software\Classes: shell extension handlers, the exefile Shell\Open\Command default value, the .exe and .cmd file type keys, Filter keys and the listed CLSID Instance keys.

Detection logic

condition: all of selection_* and not 1 of filter_*
filter_drivers:
  Image: C:\Windows\System32\drvinst.exe
filter_empty:
  Details: (Empty)
filter_msoffice:
  Details: '{807583E5-5146-11D5-A672-00B0D022E945}'
filter_svchost:
  Image: C:\Windows\System32\svchost.exe
  TargetObject|contains: \lnkfile\shellex\ContextMenuHandlers\
selection_classes_base:
  TargetObject|contains: \Software\Classes
selection_classes_target:
  TargetObject|contains:
  - \Folder\ShellEx\ExtShellFolderViews
  - \Folder\ShellEx\DragDropHandlers
  - \Folder\Shellex\ColumnHandlers
  - \Filter
  - \Exefile\Shell\Open\Command\(Default)
  - \Directory\Shellex\DragDropHandlers
  - \Directory\Shellex\CopyHookHandlers
  - \CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance
  - \CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance
  - \CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance
  - \CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance
  - \Classes\AllFileSystemObjects\ShellEx\DragDropHandlers
  - \.exe
  - \.cmd
  - \ShellEx\PropertySheetHandlers
  - \ShellEx\ContextMenuHandlers

WinSock2 Autorun Keys Modification

Description

Detects modification of the Winsock protocol and namespace catalog entries (LSP and namespace provider registrations) under System\CurrentControlSet\Services\WinSock2\Parameters, an autostart extensibility point (ASEP) in the registry.

Detection logic

condition: winsock_parameters_base and winsock_parameters and not filter
filter:
- Details: (Empty)
- Image: C:\Windows\System32\MsiExec.exe
- Image: C:\Windows\syswow64\MsiExec.exe
winsock_parameters:
  TargetObject|contains:
  - \Protocol_Catalog9\Catalog_Entries
  - \NameSpace_Catalog5\Catalog_Entries
winsock_parameters_base:
  TargetObject|contains: \System\CurrentControlSet\Services\WinSock2\Parameters
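Every registry-event rule on this page, from "Common Autorun Keys Modification" down to "WinSock2 Autorun Keys Modification", has the same shape: one or more TargetObject selections ANDed together, minus `1 of filter_*`, evaluated over Sysmon Event ID 13 records with TargetObject, Details and Image fields. The following added example (mine, not code from the original page or from the Sigma project) implements that shape once and runs an abridged transcription of "CurrentVersion Autorun Keys Modification" over constructed events, including the installer false positive this page is about. The VendorApp installer, its paths and the `filter_vendorapp` exception are hypothetical; the Sysmon records are constructed, not real telemetry. Sigma semantics reproduced: a map is AND over its fields, a list value is OR, a list of maps is OR, `|all` turns a list into AND, and string comparison is case-insensitive.

```python
"""Minimal evaluator for the TargetObject-based registry rules above, run over
constructed Sysmon Event ID 13 records.

Added example; not code from the original page or the Sigma project. Rule
content is transcribed (abridged) from the page; evaluator, events and the
VendorApp filter are mine. VendorApp is a hypothetical vendor."""


def _match_field(op, needle, value):
    v, n = value.lower(), needle.lower()          # Sigma: case-insensitive
    return {"eq": v == n, "contains": n in v,
            "startswith": v.startswith(n), "endswith": v.endswith(n)}[op]


def _match_map(sel, event):
    """A map selection: every 'Field|modifiers' entry must hold (AND)."""
    for spec, needles in sel.items():
        field, *mods = spec.split("|")
        op = next((m for m in mods if m in ("contains", "startswith", "endswith")), "eq")
        needles = needles if isinstance(needles, list) else [needles]
        hits = [_match_field(op, n, event.get(field, "")) for n in needles]
        if not (all(hits) if "all" in mods else any(hits)):   # list = OR, |all = AND
            return False
    return True


def match_selection(sel, event):
    """A list of maps is OR over the maps."""
    return any(_match_map(m, event) for m in sel) if isinstance(sel, list) else _match_map(sel, event)


def evaluate(rule, event):
    """Condition '<all non-filter selections> and not 1 of filter*'."""
    verdicts = {name: match_selection(sel, event) for name, sel in rule.items()}
    positive = all(v for name, v in verdicts.items() if not name.startswith("filter"))
    suppressed = any(v for name, v in verdicts.items() if name.startswith("filter"))
    return positive and not suppressed


# "CurrentVersion Autorun Keys Modification", abridged to the keys and the
# filters exercised by the events below.
CURRENT_VERSION_RULE = {
    "current_version_base": {"TargetObject|contains": "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"},
    "current_version_keys": {"TargetObject|contains": [
        "\\Run\\", "\\RunOnce\\", "\\RunOnceEx\\",
        "\\Explorer\\Browser Helper Objects", "\\Authentication\\Credential Providers"]},
    "filter_all": [
        {"Details": "(Empty)"},
        {"TargetObject|endswith": "\\NgcFirst\\ConsecutiveSwitchCount"},
        {"Image": ["C:\\WINDOWS\\system32\\devicecensus.exe", "C:\\Windows\\system32\\winsat.exe"]},
    ],
    "filter_ctfmon": {"Details": "ctfmon.exe /n", "Image": "C:\\Windows\\system32\\userinit.exe"},
    "filter_officeclicktorun": {
        "Image|endswith": "\\OfficeClickToRun.exe",
        "Image|startswith": ["C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\",
                             "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Updates\\"]},
}

# Constructed Sysmon Event ID 13 records, not real telemetry.
EVENTS = {
    "malware_run_value": {
        "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
        "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
        "Details": "C:\\Users\\alice\\AppData\\Roaming\\svc.exe"},
    "installer_creates_empty_value": {          # suppressed by Details: (Empty)
        "Image": "C:\\Windows\\System32\\msiexec.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorTray",
        "Details": "(Empty)"},
    "office_c2r_runonce": {                      # suppressed by filter_officeclicktorun
        "Image": "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeClickToRun.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\OfficeUpdate",
        "Details": "\"C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeC2RClient.exe\" /update"},
    "vendor_installer_sets_run_value": {        # the LoFP case: fires as published
        "Image": "C:\\Program Files\\VendorApp\\setup.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorTray",
        "Details": "\"C:\\Program Files\\VendorApp\\tray.exe\" /background"},
}

# Tuning exception for the hypothetical vendor, same shape as filter_greenshot:
# exact value data plus the exact Run value name.
VENDORAPP_FILTER = {
    "Details": "\"C:\\Program Files\\VendorApp\\tray.exe\" /background",
    "TargetObject|endswith": "\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorTray"}


def with_filter(rule, name, selection):
    """Copy of the rule with one more filter selection."""
    return {**rule, name: selection}


def run(rule, events=EVENTS):
    return {name: evaluate(rule, ev) for name, ev in events.items()}


if __name__ == "__main__":
    print("as published:        ", run(CURRENT_VERSION_RULE))
    print("with filter_vendorapp:", run(with_filter(CURRENT_VERSION_RULE, "filter_vendorapp", VENDORAPP_FILTER)))
```

As published, the rule fires on the malware write and on the vendor installer's Run value, and stays quiet on the empty-value creation and the Office Click-to-Run update; adding `filter_vendorapp` silences the installer without touching the malware verdict. Two caveats when writing such exceptions. `Details: (Empty)` only suppresses the event in which the value is created empty; the follow-up event that sets the real data still has to pass the other filters. And a filter keyed on Details and TargetObject alone (filter_greenshot, filter_itunes and filter_opera on this page) suppresses the write regardless of which process performed it, so any process that writes exactly that data under exactly that value name inherits the exception; pairing the filter with an Image constraint, as filter_aurora_dashboard and filter_ctfmon do, narrows it to the expected writer.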