← Back to SOC feed Coverage →

Wow6432Node Windows NT CurrentVersion Autorun Keys Modification

sigma MEDIUM SigmaHQ
T1547.001
imRegistry
persistence
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-25T23:00:00Z · Confidence: medium

Hunt Hypothesis

Detects modification of autostart extensibility point (ASEP) in registry.

Detection Rule

Sigma (Original)

title: Wow6432Node Windows NT CurrentVersion Autorun Keys Modification
id: 480421f9-417f-4d3b-9552-fd2728443ec8
related:
    - id: 17f878b8-9968-4578-b814-c4217fc5768c
      type: obsolete
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2025-10-22
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    selection_wow_nt_current_version_base:
        TargetObject|contains: '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion'
    selection_wow_nt_current_version:
        TargetObject|contains:
            - '\Windows\Appinit_Dlls'
            - '\Image File Execution Options'
            - '\Drivers32'
    filter_main_empty:
        Details: '(Empty)'
    filter_main_null:
        Details: null
    filter_main_file_exec_options:
        Details|endswith: '\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
    - Legitimate administrator sets up autorun keys for legitimate reason
level: medium

KQL (Azure Sentinel)

imRegistry
| where (RegistryKey contains "\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion" and (RegistryKey contains "\\Windows\\Appinit_Dlls" or RegistryKey contains "\\Image File Execution Options" or RegistryKey contains "\\Drivers32")) and (not((RegistryValueData =~ "(Empty)" or isnull(RegistryValueData) or RegistryValueData endswith "\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options")))

KQL (Microsoft 365 Defender)

DeviceRegistryEvents
| where (RegistryKey contains "\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion" and (RegistryKey contains "\\Windows\\Appinit_Dlls" or RegistryKey contains "\\Image File Execution Options" or RegistryKey contains "\\Drivers32")) and (not((RegistryValueData =~ "(Empty)" or isnull(RegistryValueData) or RegistryValueData endswith "\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options")))

Required Data Sources

Sentinel TableNotes
imRegistryEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml