there are many legitimate applications that must execute upon system startup and will use these registry keys to accomplish that task.

Techniques

Sample rules

Registry Keys Used For Privilege Escalation

source: splunk
technicques:
- T1546.012
- T1546

Description

This search looks for modifications to registry keys that can be used to elevate privileges. The registry keys under “Image File Execution Options” are used to intercept calls to an executable and can be used to attach malicious binaries to benign system binaries.

Detection logic


| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path="*Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options*") AND (Registry.registry_value_name=GlobalFlag OR Registry.registry_value_name=Debugger)) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid 
| `drop_dm_object_name(Registry)` 
| where isnotnull(registry_value_data) 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `registry_keys_used_for_privilege_escalation_filter`