/
registry_set_asep_reg_keys_modification_currentversion.yml
151 lines (151 loc) · 7.35 KB
/
registry_set_asep_reg_keys_modification_currentversion.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
title: CurrentVersion Autorun Keys Modification
id: 20f0ee37-5942-4e45-b7d5-c5b5db9df5cd
related:
- id: 17f878b8-9968-4578-b814-c4217fc5768c
type: derived
status: experimental
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
- https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
- https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019/10/25
modified: 2022/10/20
tags:
- attack.persistence
- attack.t1547.001
logsource:
category: registry_set
product: windows
detection:
current_version_base:
EventType: SetValue
TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion'
current_version_keys:
TargetObject|contains:
- '\ShellServiceObjectDelayLoad'
- '\Run\'
- '\RunOnce\'
- '\RunOnceEx\'
- '\RunServices\'
- '\RunServicesOnce\'
- '\Policies\System\Shell'
- '\Policies\Explorer\Run'
- '\Group Policy\Scripts\Startup'
- '\Group Policy\Scripts\Shutdown'
- '\Group Policy\Scripts\Logon'
- '\Group Policy\Scripts\Logoff'
- '\Explorer\ShellServiceObjects'
- '\Explorer\ShellIconOverlayIdentifiers'
- '\Explorer\ShellExecuteHooks'
- '\Explorer\SharedTaskScheduler'
- '\Explorer\Browser Helper Objects'
- '\Authentication\PLAP Providers'
- '\Authentication\Credential Providers'
- '\Authentication\Credential Provider Filters'
filter_all:
- Details: '(Empty)'
- TargetObject|endswith: '\NgcFirst\ConsecutiveSwitchCount'
- Image|endswith:
- '\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe' # C:\Users\*\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
- '\AppData\Roaming\Spotify\Spotify.exe'
- '\AppData\Local\WebEx\WebexHost.exe'
- Image:
- 'C:\WINDOWS\system32\devicecensus.exe'
- 'C:\Windows\system32\winsat.exe'
- 'C:\Program Files\Microsoft OneDrive\StandaloneUpdater\OneDriveSetup.exe'
- 'C:\Program Files\Microsoft OneDrive\Update\OneDriveSetup.exe'
- 'C:\Program Files (x86)\Microsoft OneDrive\Update\OneDriveSetup.exe'
- 'C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe'
- 'C:\Program Files\Everything\Everything.exe'
- 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
filter_logonui:
Image: 'C:\Windows\system32\LogonUI.exe'
TargetObject|contains:
- '\Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}\' # PIN
- '\Authentication\Credential Providers\{BEC09223-B018-416D-A0AC-523971B639F5}\' # fingerprint
- '\Authentication\Credential Providers\{8AF662BF-65A0-4D0A-A540-A338A999D36F}\' # facial recognizion
- '\Authentication\Credential Providers\{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}\' # Trusted Signal (Phone proximity, Network location)
filter_edge:
Image|startswith:
- 'C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\'
- 'C:\Program Files (x86)\Microsoft\EdgeWebView\'
- 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
filter_dropbox:
Image: 'C:\Windows\system32\regsvr32.exe'
TargetObject|contains: 'DropboxExt'
Details|endswith: 'A251-47B7-93E1-CDD82E34AF8B}'
filter_opera:
TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Opera Browser Assistant'
Details: 'C:\Program Files\Opera\assistant\browser_assistant.exe'
filter_itunes:
TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iTunesHelper'
Details: '"C:\Program Files\iTunes\iTunesHelper.exe"'
filter_zoom:
TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zoommsirepair'
Details: '"C:\Program Files\Zoom\bin\installer.exe" /repair'
filter_greenshot:
TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Greenshot'
Details: 'C:\Program Files\Greenshot\Greenshot.exe'
filter_googledrive1:
TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Run\GoogleDriveFS'
Details|startswith: 'C:\Program Files\Google\Drive File Stream\'
Details|contains: '\GoogleDriveFS.exe'
filter_googledrive2:
TargetObject|contains: 'GoogleDrive'
Details:
- '{CFE8B367-77A7-41D7-9C90-75D16D7DC6B6}'
- '{A8E52322-8734-481D-A7E2-27B309EF8D56}'
- '{C973DA94-CBDF-4E77-81D1-E5B794FBD146}'
- '{51EF1569-67EE-4AD6-9646-E726C3FFC8A2}'
filter_onedrive:
Details|startswith:
- 'C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\'
- 'C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\'
Details|contains: '\AppData\Local\Microsoft\OneDrive\'
filter_python:
TargetObject|contains: '\Microsoft\Windows\CurrentVersion\RunOnce\{'
Details|contains|all:
- '\AppData\Local\Package Cache\{'
- '}\python-'
Details|endswith: '.exe" /burn.runonce'
filter_officeclicktorun:
Image|startswith:
- 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
- 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
Image|endswith: '\OfficeClickToRun.exe'
filter_defender:
Image: 'C:\Program Files\Windows Defender\MsMpEng.exe'
filter_teams:
Image|endswith: '\Microsoft\Teams\current\Teams.exe'
Details|contains: '\Microsoft\Teams\Update.exe --processStart '
filter_ctfmon:
Image: 'C:\Windows\system32\userinit.exe'
Details: 'ctfmon.exe /n'
filter_AVG:
Image|startswith: 'C:\Program Files\AVG\Antivirus\Setup\'
Details:
- '"C:\Program Files\AVG\Antivirus\AvLaunch.exe" /gui'
- '"C:\Program Files (x86)\AVG\Antivirus\AvLaunch.exe" /gui'
- '{472083B0-C522-11CF-8763-00608CC02F24}'
filter_aurora_dashboard:
Image|endswith:
- '\aurora-agent-64.exe'
- '\aurora-agent.exe'
TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Run\aurora-dashboard'
Details: 'C:\Program Files\Aurora-Agent\tools\aurora-dashboard.exe'
filter_everything:
TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Run\Everything'
Details|endswith: '\Everything\Everything.exe" -startup' # We remove the starting part as it could be installed in different locations
condition: all of current_version_* and not 1 of filter_*
fields:
- SecurityID
- ObjectName
- OldValueType
- NewValueType
falsepositives:
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
- Legitimate administrator sets up autorun keys for legitimate reason
level: medium