Detects modification of autostart extensibility point (ASEP) in registry.
title: CurrentVersion Autorun Keys Modification
id: 20f0ee37-5942-4e45-b7d5-c5b5db9df5cd
related:
- id: 17f878b8-9968-4578-b814-c4217fc5768c
type: obsolete
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
- https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2025-10-22
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
logsource:
category: registry_set
product: windows
detection:
selection_current_version_base:
TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion'
selection_current_version_keys:
TargetObject|contains:
- '\ShellServiceObjectDelayLoad'
- '\Run\'
- '\RunOnce\'
- '\RunOnceEx\'
- '\RunServices\'
- '\RunServicesOnce\'
- '\Policies\System\Shell'
- '\Policies\Explorer\Run'
- '\Group Policy\Scripts\Startup'
- '\Group Policy\Scripts\Shutdown'
- '\Group Policy\Scripts\Logon'
- '\Group Policy\Scripts\Logoff'
- '\Explorer\ShellServiceObjects'
- '\Explorer\ShellIconOverlayIdentifiers'
- '\Explorer\ShellExecuteHooks'
- '\Explorer\SharedTaskScheduler'
- '\Explorer\Browser Helper Objects'
- '\Authentication\PLAP Providers'
- '\Authentication\Credential Providers'
- '\Authentication\Credential Provider Filters'
filter_main_generic_all:
- Details: '(Empty)'
- TargetObject|endswith: '\NgcFirst\ConsecutiveSwitchCount'
- Image|endswith:
- '\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe' # C:\Users\*\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
- '\AppData\Roaming\Spotify\Spotify.exe'
- '\AppData\Local\WebEx\WebexHost.exe'
- Image:
- 'C:\WINDOWS\system32\devicecensus.exe'
- 'C:\Windows\system32\winsat.exe'
- 'C:\Program Files\Microsoft OneDrive\StandaloneUpdater\OneDriveSetup.exe'
- 'C:\Program Files (x86)\Microsoft OneDrive\StandaloneUpdater\OneDriveSetup.exe'
- 'C:\Program Files\Microsoft OneDrive\Update\OneDriveSetup.exe'
- 'C:\Program Files (x86)\Microsoft OneDrive\Update\OneDriveSetup.exe'
- 'C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe'
- 'C:\Program Files (x86)\Microsoft Office\root\integration\Addons\OneDriveSetup.exe'
- 'C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe'
- 'C:\Program Files\Everything\Everything.exe'
- 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
- 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
filter_main_null:
Details: null
filter_main_logonui:
Image: 'C:\Windows\system32\LogonUI.exe'
TargetObject|contains:
- '\Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}\' # PIN
- '\Authentication\Credential Providers\{BEC09223-B018-416D-A0AC-523971B639F5}\' # fingerprint
- '\Authentication\Credential Providers\{8AF662BF-65A0-4D0A-A540-A338A999D36F}\' # facial recognizion
- '\Authentication\Credential Providers\{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}\' # Trusted Signal (Phone proximity, Network location)
filter_main_edge:
Image|startswith:
- 'C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\'
- 'C:\Program Files (x86)\Microsoft\EdgeWebView\'
- 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
filter_main_defender:
Image: 'C:\Program Files\Windows Defender\MsMpEng.exe'
filter_main_teams:
Image|endswith: '\Microsoft\Teams\current\Teams.exe'
Details|contains: '\Microsoft\Teams\Update.exe --processStart '
filter_main_ctfmon:
Image: 'C:\Windows\system32\userinit.exe'
Details: 'ctfmon.exe /n'
filter_optional_dropbox:
Image: 'C:\Windows\system32\regsvr32.exe'
TargetObject|contains: 'DropboxExt'
Details|endswith: 'A251-47B7-93E1-CDD82E34AF8B}'
filter_optional_opera_1:
TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Opera Browser Assistant'
Details: 'C:\Program Files\Opera\assistant\browser_assistant.exe'
filter_optional_opera_2:
TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Run\Opera Stable'
Details:
- 'C:\Program Files\Opera\launcher.exe'
- 'C:\Program Files (x86)\Opera\launcher.exe'
filter_optional_itunes:
TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iTunesHelper'
Details: '"C:\Program Files\iTunes\iTunesHelper.exe"'
filter_optional_zoom:
TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zoommsirepair'
Details: '"C:\Program Files\Zoom\bin\installer.exe" /repair'
filter_optional_greenshot:
TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Greenshot'
Details: 'C:\Program Files\Greenshot\Greenshot.exe'
filter_optional_googledrive1:
TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Run\GoogleDriveFS'
Details|startswith: 'C:\Program Files\Google\Drive File Stream\'
Details|contains: '\GoogleDriveFS.exe'
filter_optional_googledrive2:
TargetObject|contains: 'GoogleDrive'
Details:
- '{CFE8B367-77A7-41D7-9C90-75D16D7DC6B6}'
- '{A8E52322-8734-481D-A7E2-27B309EF8D56}'
- '{C973DA94-CBDF-4E77-81D1-E5B794FBD146}'
- '{51EF1569-67EE-4AD6-9646-E726C3FFC8A2}'
filter_optional_onedrive:
Details|startswith:
- 'C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\'
- 'C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\'
Details|contains: '\AppData\Local\Microsoft\OneDrive\'
filter_optional_python:
TargetObject|contains: '\Microsoft\Windows\CurrentVersion\RunOnce\{'
Details|contains|all:
- '\AppData\Local\Package Cache\{'
- '}\python-'
Details|endswith: '.exe" /burn.runonce'
filter_optional_officeclicktorun:
Image|startswith:
- 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
- 'C:\Program Files (x86)\Common Files\Microsoft Shared\ClickToRun\'
Image|endswith: '\OfficeClickToRun.exe'
filter_optional_teams:
Image|endswith: '\Microsoft\Teams\current\Teams.exe'
Details|contains: '\Microsoft\Teams\Update.exe --processStart'
filter_optional_AVG_setup:
Image|contains:
- 'C:\Program Files\AVG\Antivirus\Setup\'
- 'C:\Program Files (x86)\AVG\Antivirus\Setup\'
- '\instup.exe'
Details:
- '"C:\Program Files\AVG\Antivirus\AvLaunch.exe" /gui'
- '"C:\Program Files (x86)\AVG\Antivirus\AvLaunch.exe" /gui'
- '{472083B0-C522-11CF-8763-00608CC02F24}'
- '{472083B1-C522-11CF-8763-00608CC02F24}'
filter_optional_Avast:
Image|contains:
- 'C:\Program Files\Avast Software\Avast\Setup\'
- 'C:\Program Files (x86)\Avast Software\Avast\Setup\'
- '\instup.exe'
Details:
- '"C:\Program Files\Avast Software\Avast\AvLaunch.exe" /gui'
- '"C:\Program Files (x86)\Avast Software\Avast\AvLaunch.exe" /gui'
filter_optional_AVG_avgtoolsvc:
Image:
- 'C:\Program Files\AVG\Antivirus\avgToolsSvc.exe'
- 'C:\Program Files (x86)\AVG\Antivirus\avgToolsSvc.exe'
TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\'
Details: 'Binary Data'
filter_optional_aurora_dashboard:
Image|endswith:
- '\aurora-agent-64.exe'
- '\aurora-agent.exe'
TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Run\aurora-dashboard'
Details: 'C:\Program Files\Aurora-Agent\tools\aurora-dashboard.exe'
filter_optional_everything:
TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Run\Everything'
Details|endswith: '\Everything\Everything.exe" -startup' # We remove the starting part as it could be installed in different locations
filter_optional_discord:
TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Run\Discord'
Details|endswith: '\Discord\Update.exe --processStart Discord.exe'
condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
- Legitimate administrator sets up autorun keys for legitimate reason
level: medium
imRegistry
| where (RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion" and (RegistryKey contains "\\ShellServiceObjectDelayLoad" or RegistryKey endswith "\\Run*" or RegistryKey endswith "\\RunOnce*" or RegistryKey endswith "\\RunOnceEx*" or RegistryKey endswith "\\RunServices*" or RegistryKey endswith "\\RunServicesOnce*" or RegistryKey contains "\\Policies\\System\\Shell" or RegistryKey contains "\\Policies\\Explorer\\Run" or RegistryKey contains "\\Group Policy\\Scripts\\Startup" or RegistryKey contains "\\Group Policy\\Scripts\\Shutdown" or RegistryKey contains "\\Group Policy\\Scripts\\Logon" or RegistryKey contains "\\Group Policy\\Scripts\\Logoff" or RegistryKey contains "\\Explorer\\ShellServiceObjects" or RegistryKey contains "\\Explorer\\ShellIconOverlayIdentifiers" or RegistryKey contains "\\Explorer\\ShellExecuteHooks" or RegistryKey contains "\\Explorer\\SharedTaskScheduler" or RegistryKey contains "\\Explorer\\Browser Helper Objects" or RegistryKey contains "\\Authentication\\PLAP Providers" or RegistryKey contains "\\Authentication\\Credential Providers" or RegistryKey contains "\\Authentication\\Credential Provider Filters")) and (not(((RegistryValueData =~ "(Empty)" or RegistryKey endswith "\\NgcFirst\\ConsecutiveSwitchCount" or (ActingProcessName endswith "\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe" or ActingProcessName endswith "\\AppData\\Roaming\\Spotify\\Spotify.exe" or ActingProcessName endswith "\\AppData\\Local\\WebEx\\WebexHost.exe") or (ActingProcessName in~ ("C:\\WINDOWS\\system32\\devicecensus.exe", "C:\\Windows\\system32\\winsat.exe", "C:\\Program Files\\Microsoft OneDrive\\StandaloneUpdater\\OneDriveSetup.exe", "C:\\Program Files (x86)\\Microsoft OneDrive\\StandaloneUpdater\\OneDriveSetup.exe", "C:\\Program Files\\Microsoft OneDrive\\Update\\OneDriveSetup.exe", "C:\\Program Files (x86)\\Microsoft OneDrive\\Update\\OneDriveSetup.exe", "C:\\Program Files\\Microsoft Office\\root\\integration\\Addons\\OneDriveSetup.exe", "C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\Addons\\OneDriveSetup.exe", "C:\\Program Files\\KeePass Password Safe 2\\ShInstUtil.exe", "C:\\Program Files\\Everything\\Everything.exe", "C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\integrator.exe", "C:\\Program Files\\Microsoft Office\\root\\integration\\integrator.exe"))) or isnull(RegistryValueData) or (ActingProcessName =~ "C:\\Windows\\system32\\LogonUI.exe" and (RegistryKey endswith "\\Authentication\\Credential Providers\\{D6886603-9D2F-4EB2-B667-1971041FA96B}*" or RegistryKey endswith "\\Authentication\\Credential Providers\\{BEC09223-B018-416D-A0AC-523971B639F5}*" or RegistryKey endswith "\\Authentication\\Credential Providers\\{8AF662BF-65A0-4D0A-A540-A338A999D36F}*" or RegistryKey endswith "\\Authentication\\Credential Providers\\{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}*")) or (ActingProcessName startswith "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\Install\\" or ActingProcessName startswith "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\" or ActingProcessName startswith "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe") or ActingProcessName =~ "C:\\Program Files\\Windows Defender\\MsMpEng.exe" or (ActingProcessName endswith "\\Microsoft\\Teams\\current\\Teams.exe" and RegistryValueData contains "\\Microsoft\\Teams\\Update.exe --processStart ") or (ActingProcessName =~ "C:\\Windows\\system32\\userinit.exe" and RegistryValueData =~ "ctfmon.exe /n")))) and (not(((ActingProcessName =~ "C:\\Windows\\system32\\regsvr32.exe" and RegistryKey contains "DropboxExt" and RegistryValueData endswith "A251-47B7-93E1-CDD82E34AF8B}") or (RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Opera Browser Assistant" and RegistryValueData =~ "C:\\Program Files\\Opera\\assistant\\browser_assistant.exe") or (RegistryKey endswith "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Opera Stable" and (RegistryValueData in~ ("C:\\Program Files\\Opera\\launcher.exe", "C:\\Program Files (x86)\\Opera\\launcher.exe"))) or (RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\iTunesHelper" and RegistryValueData =~ "\"C:\\Program Files\\iTunes\\iTunesHelper.exe\"") or (RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\zoommsirepair" and RegistryValueData =~ "\"C:\\Program Files\\Zoom\\bin\\installer.exe\" /repair") or (RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Greenshot" and RegistryValueData =~ "C:\\Program Files\\Greenshot\\Greenshot.exe") or (RegistryKey endswith "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\GoogleDriveFS" and RegistryValueData startswith "C:\\Program Files\\Google\\Drive File Stream\\" and RegistryValueData contains "\\GoogleDriveFS.exe") or (RegistryKey contains "GoogleDrive" and (RegistryValueData in~ ("{CFE8B367-77A7-41D7-9C90-75D16D7DC6B6}", "{A8E52322-8734-481D-A7E2-27B309EF8D56}", "{C973DA94-CBDF-4E77-81D1-E5B794FBD146}", "{51EF1569-67EE-4AD6-9646-E726C3FFC8A2}"))) or ((RegistryValueData startswith "C:\\Windows\\system32\\cmd.exe /q /c rmdir /s /q \"C:\\Users\\" or RegistryValueData startswith "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\") and RegistryValueData contains "\\AppData\\Local\\Microsoft\\OneDrive\\") or (RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\{" and (RegistryValueData contains "\\AppData\\Local\\Package Cache\\{" and RegistryValueData contains "}\\python-") and RegistryValueData endswith ".exe\" /burn.runonce") or ((ActingProcessName startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\" or ActingProcessName startswith "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\ClickToRun\\") and ActingProcessName endswith "\\OfficeClickToRun.exe") or (ActingProcessName endswith "\\Microsoft\\Teams\\current\\Teams.exe" and RegistryValueData contains "\\Microsoft\\Teams\\Update.exe --processStart") or ((ActingProcessName contains "C:\\Program Files\\AVG\\Antivirus\\Setup\\" or ActingProcessName contains "C:\\Program Files (x86)\\AVG\\Antivirus\\Setup\\" or ActingProcessName contains "\\instup.exe") and (RegistryValueData in~ ("\"C:\\Program Files\\AVG\\Antivirus\\AvLaunch.exe\" /gui", "\"C:\\Program Files (x86)\\AVG\\Antivirus\\AvLaunch.exe\" /gui", "{472083B0-C522-11CF-8763-00608CC02F24}", "{472083B1-C522-11CF-8763-00608CC02F24}"))) or ((ActingProcessName contains "C:\\Program Files\\Avast Software\\Avast\\Setup\\" or ActingProcessName contains "C:\\Program Files (x86)\\Avast Software\\Avast\\Setup\\" or ActingProcessName contains "\\instup.exe") and (RegistryValueData in~ ("\"C:\\Program Files\\Avast Software\\Avast\\AvLaunch.exe\" /gui", "\"C:\\Program Files (x86)\\Avast Software\\Avast\\AvLaunch.exe\" /gui"))) or ((ActingProcessName in~ ("C:\\Program Files\\AVG\\Antivirus\\avgToolsSvc.exe", "C:\\Program Files (x86)\\AVG\\Antivirus\\avgToolsSvc.exe")) and RegistryKey endswith "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run*" and RegistryValueData =~ "Binary Data") or ((ActingProcessName endswith "\\aurora-agent-64.exe" or ActingProcessName endswith "\\aurora-agent.exe") and RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\Run\\aurora-dashboard" and RegistryValueData =~ "C:\\Program Files\\Aurora-Agent\\tools\\aurora-dashboard.exe") or (RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\Run\\Everything" and RegistryValueData endswith "\\Everything\\Everything.exe\" -startup") or (RegistryKey endswith "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Discord" and RegistryValueData endswith "\\Discord\\Update.exe --processStart Discord.exe"))))| Sentinel Table | Notes |
|---|---|
imRegistry | Ensure this data connector is enabled |