Session Manager Autorun Keys Modification

Hunt Hypothesis

Detects modification of autostart extensibility point (ASEP) in registry.

Detection Rule

Sigma (Original)

title: Session Manager Autorun Keys Modification
id: 046218bd-e0d8-4113-a3c3-895a12b2b298
related:
    - id: 17f878b8-9968-4578-b814-c4217fc5768c
      type: obsolete
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
    - attack.t1546.009
logsource:
    category: registry_set
    product: windows
detection:
    session_manager_base:
        TargetObject|contains: '\System\CurrentControlSet\Control\Session Manager'
    session_manager:
        TargetObject|contains:
            - '\SetupExecute'
            - '\S0InitialCommand'
            - '\KnownDlls'
            - '\Execute'
            - '\BootExecute'
            - '\AppCertDlls'
    filter:
        Details: '(Empty)'
    condition: session_manager_base and session_manager and not filter
falsepositives:
    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
    - Legitimate administrator sets up autorun keys for legitimate reason
level: medium

KQL (Azure Sentinel)

imRegistry
| where RegistryKey contains "\\System\\CurrentControlSet\\Control\\Session Manager" and (RegistryKey contains "\\SetupExecute" or RegistryKey contains "\\S0InitialCommand" or RegistryKey contains "\\KnownDlls" or RegistryKey contains "\\Execute" or RegistryKey contains "\\BootExecute" or RegistryKey contains "\\AppCertDlls") and (not(RegistryValueData =~ "(Empty)"))

KQL (Microsoft 365 Defender)

DeviceRegistryEvents
| where RegistryKey contains "\\System\\CurrentControlSet\\Control\\Session Manager" and (RegistryKey contains "\\SetupExecute" or RegistryKey contains "\\S0InitialCommand" or RegistryKey contains "\\KnownDlls" or RegistryKey contains "\\Execute" or RegistryKey contains "\\BootExecute" or RegistryKey contains "\\AppCertDlls") and (not(RegistryValueData =~ "(Empty)"))

Required Data Sources

False Positive Guidance

• Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
• Legitimate administrator sets up autorun keys for legitimate reason

MITRE ATT&CK Context

• Tactic: Privilege Escalation
• Tactic: Persistence
• Technique: T1547.001 — T1547.001
• Technique: T1546.009 — T1546.009

References

• https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
• https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
• https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d
• SigmaHQ Rule