Detects modification of autostart extensibility point (ASEP) in registry.
title: CurrentControlSet Autorun Keys Modification
id: f674e36a-4b91-431e-8aef-f8a96c2aca35
related:
- id: 17f878b8-9968-4578-b814-c4217fc5768c
type: obsolete
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
logsource:
category: registry_set
product: windows
detection:
system_control_base:
TargetObject|contains: '\SYSTEM\CurrentControlSet\Control'
system_control_keys:
TargetObject|contains:
- '\Terminal Server\WinStations\RDP-Tcp\InitialProgram'
- '\Terminal Server\Wds\rdpwd\StartupPrograms'
- '\SecurityProviders\SecurityProviders'
- '\SafeBoot\AlternateShell'
- '\Print\Providers'
- '\Print\Monitors'
- '\NetworkProvider\Order'
- '\Lsa\Notification Packages'
- '\Lsa\Authentication Packages'
- '\BootVerificationProgram\ImagePath'
filter_empty:
Details: '(Empty)'
filter_cutepdf:
Image: 'C:\Windows\System32\spoolsv.exe'
TargetObject|contains: '\Print\Monitors\CutePDF Writer Monitor'
Details:
- 'cpwmon64_v40.dll'
- 'CutePDF Writer'
filter_onenote:
Image: C:\Windows\System32\spoolsv.exe
TargetObject|contains: 'Print\Monitors\Appmon\Ports\Microsoft.Office.OneNote_'
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
filter_poqexec:
Image: 'C:\Windows\System32\poqexec.exe'
TargetObject|endswith: '\NetworkProvider\Order\ProviderOrder'
filter_realvnc:
Image: 'C:\Windows\System32\spoolsv.exe'
TargetObject|endswith: '\Print\Monitors\MONVNC\Driver'
Details: 'VNCpm.dll'
condition: all of system_control_* and not 1 of filter_*
falsepositives:
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
- Legitimate administrator sets up autorun keys for legitimate reason
level: medium
imRegistry
| where (RegistryKey contains "\\SYSTEM\\CurrentControlSet\\Control" and (RegistryKey contains "\\Terminal Server\\WinStations\\RDP-Tcp\\InitialProgram" or RegistryKey contains "\\Terminal Server\\Wds\\rdpwd\\StartupPrograms" or RegistryKey contains "\\SecurityProviders\\SecurityProviders" or RegistryKey contains "\\SafeBoot\\AlternateShell" or RegistryKey contains "\\Print\\Providers" or RegistryKey contains "\\Print\\Monitors" or RegistryKey contains "\\NetworkProvider\\Order" or RegistryKey contains "\\Lsa\\Notification Packages" or RegistryKey contains "\\Lsa\\Authentication Packages" or RegistryKey contains "\\BootVerificationProgram\\ImagePath")) and (not((RegistryValueData =~ "(Empty)" or (ActingProcessName =~ "C:\\Windows\\System32\\spoolsv.exe" and RegistryKey contains "\\Print\\Monitors\\CutePDF Writer Monitor" and (RegistryValueData in~ ("cpwmon64_v40.dll", "CutePDF Writer"))) or (ActingProcessName =~ "C:\\Windows\\System32\\spoolsv.exe" and RegistryKey contains "Print\\Monitors\\Appmon\\Ports\\Microsoft.Office.OneNote_" and (ActorUsername contains "AUTHORI" or ActorUsername contains "AUTORI")) or (ActingProcessName =~ "C:\\Windows\\System32\\poqexec.exe" and RegistryKey endswith "\\NetworkProvider\\Order\\ProviderOrder") or (ActingProcessName =~ "C:\\Windows\\System32\\spoolsv.exe" and RegistryKey endswith "\\Print\\Monitors\\MONVNC\\Driver" and RegistryValueData =~ "VNCpm.dll"))))| Sentinel Table | Notes |
|---|---|
imRegistry | Ensure this data connector is enabled |