Detects modification of autostart extensibility point (ASEP) in registry.
title: CurrentVersion NT Autorun Keys Modification
id: cbf93e5d-ca6c-4722-8bea-e9119007c248
related:
- id: 17f878b8-9968-4578-b814-c4217fc5768c
type: obsolete
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2025-10-22
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
logsource:
category: registry_set
product: windows
detection:
selection_nt_current_version_base:
TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
selection_nt_current_version:
TargetObject|contains:
- '\Winlogon\VmApplet'
- '\Winlogon\Userinit'
- '\Winlogon\Taskman'
- '\Winlogon\Shell'
- '\Winlogon\GpExtensions'
- '\Winlogon\AppSetup'
- '\Winlogon\AlternateShells\AvailableShells'
- '\Windows\IconServiceLib'
- '\Windows\Appinit_Dlls'
- '\Image File Execution Options' # Covered in better details in 36803969-5421-41ec-b92f-8500f79c23b0
- '\Font Drivers'
- '\Drivers32'
- '\Windows\Run'
- '\Windows\Load'
filter_main_empty:
Details: '(Empty)'
filter_main_null:
Details: null
filter_main_poqexec:
Image: 'C:\Windows\System32\poqexec.exe'
filter_main_legitimate_subkey: # Legitimately used subkeys of \Image File Execution Options, which are not used for persistence (see https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/)
TargetObject|contains: '\Image File Execution Options\'
TargetObject|endswith:
- '\DisableExceptionChainValidation'
- '\MitigationOptions'
filter_main_security_extension_dc:
Image: 'C:\Windows\system32\svchost.exe'
TargetObject|contains:
- '\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\PreviousPolicyAreas'
- '\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\MaxNoGPOListChangesInterval'
Details:
- 'DWORD (0x00000001)'
- 'DWORD (0x00000009)'
- 'DWORD (0x000003c0)'
filter_main_runtimebroker:
Image: 'C:\Windows\System32\RuntimeBroker.exe'
TargetObject|contains: '\runtimebroker.exe\Microsoft.Windows.ShellExperienceHost'
filter_optional_edge:
Image|startswith: 'C:\Program Files (x86)\Microsoft\Temp\'
Image|endswith: '\MicrosoftEdgeUpdate.exe'
filter_optional_avguard:
Image|startswith:
- 'C:\Program Files (x86)\Avira\Antivirus\avguard.exe'
- 'C:\Program Files\Avira\Antivirus\avguard.exe'
TargetObject|contains: 'SOFTWARE\WOW6432Node\Avira\Antivirus\Overwrite_Keys\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\'
TargetObject|endswith:
- '\userinit\UseAsDefault'
- '\shell\UseAsDefault'
Details:
- 'explorer.exe'
- 'C:\Windows\system32\userinit.exe,'
filter_optional_msoffice:
- TargetObject|contains:
- '\ClickToRunStore\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\'
- '\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\'
- Image:
- 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
- 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
filter_optional_officeclicktorun:
Image|startswith:
- 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
- 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
Image|endswith: '\OfficeClickToRun.exe'
filter_optional_ngen:
Image|startswith: 'C:\Windows\Microsoft.NET\Framework'
Image|endswith: '\ngen.exe'
filter_optional_onedrive:
Image|endswith: '\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe'
TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary'
Details|startswith: 'C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\'
Details|endswith: '\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe"'
condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
- Legitimate administrator sets up autorun keys for legitimate reason
level: medium
imRegistry
| where (RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion" and (RegistryKey contains "\\Winlogon\\VmApplet" or RegistryKey contains "\\Winlogon\\Userinit" or RegistryKey contains "\\Winlogon\\Taskman" or RegistryKey contains "\\Winlogon\\Shell" or RegistryKey contains "\\Winlogon\\GpExtensions" or RegistryKey contains "\\Winlogon\\AppSetup" or RegistryKey contains "\\Winlogon\\AlternateShells\\AvailableShells" or RegistryKey contains "\\Windows\\IconServiceLib" or RegistryKey contains "\\Windows\\Appinit_Dlls" or RegistryKey contains "\\Image File Execution Options" or RegistryKey contains "\\Font Drivers" or RegistryKey contains "\\Drivers32" or RegistryKey contains "\\Windows\\Run" or RegistryKey contains "\\Windows\\Load")) and (not((RegistryValueData =~ "(Empty)" or isnull(RegistryValueData) or ActingProcessName =~ "C:\\Windows\\System32\\poqexec.exe" or (RegistryKey endswith "\\Image File Execution Options*" and (RegistryKey endswith "\\DisableExceptionChainValidation" or RegistryKey endswith "\\MitigationOptions")) or (ActingProcessName =~ "C:\\Windows\\system32\\svchost.exe" and (RegistryKey contains "\\Winlogon\\GPExtensions\\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\\PreviousPolicyAreas" or RegistryKey contains "\\Winlogon\\GPExtensions\\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\\MaxNoGPOListChangesInterval") and (RegistryValueData in~ ("DWORD (0x00000001)", "DWORD (0x00000009)", "DWORD (0x000003c0)"))) or (ActingProcessName =~ "C:\\Windows\\System32\\RuntimeBroker.exe" and RegistryKey contains "\\runtimebroker.exe\\Microsoft.Windows.ShellExperienceHost")))) and (not(((ActingProcessName startswith "C:\\Program Files (x86)\\Microsoft\\Temp\\" and ActingProcessName endswith "\\MicrosoftEdgeUpdate.exe") or ((ActingProcessName startswith "C:\\Program Files (x86)\\Avira\\Antivirus\\avguard.exe" or ActingProcessName startswith "C:\\Program Files\\Avira\\Antivirus\\avguard.exe") and RegistryKey endswith "SOFTWARE\\WOW6432Node\\Avira\\Antivirus\\Overwrite_Keys\\HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*" and (RegistryKey endswith "\\userinit\\UseAsDefault" or RegistryKey endswith "\\shell\\UseAsDefault") and (RegistryValueData in~ ("explorer.exe", "C:\\Windows\\system32\\userinit.exe,"))) or ((RegistryKey endswith "\\ClickToRunStore\\HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion*" or RegistryKey endswith "\\ClickToRun\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion*") or (ActingProcessName in~ ("C:\\Program Files\\Microsoft Office\\root\\integration\\integrator.exe", "C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\integrator.exe"))) or ((ActingProcessName startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\" or ActingProcessName startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Updates\\") and ActingProcessName endswith "\\OfficeClickToRun.exe") or (ActingProcessName startswith "C:\\Windows\\Microsoft.NET\\Framework" and ActingProcessName endswith "\\ngen.exe") or (ActingProcessName endswith "\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe" and RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Delete Cached Update Binary" and RegistryValueData startswith "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\" and RegistryValueData endswith "\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\""))))| Sentinel Table | Notes |
|---|---|
imRegistry | Ensure this data connector is enabled |