EXPLORE
Sign In
← Back to Explore
sigmamediumHunting

Wow6432Node Classes Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

MITRE ATT&CK

T1547.001
privilege-escalationpersistence

Detection Query

wow_classes_base:
  TargetObject|contains: \Software\Wow6432Node\Classes
wow_classes:
  TargetObject|contains:
    - \Folder\ShellEx\ExtShellFolderViews
    - \Folder\ShellEx\DragDropHandlers
    - \Folder\ShellEx\ColumnHandlers
    - \Directory\Shellex\DragDropHandlers
    - \Directory\Shellex\CopyHookHandlers
    - \CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance
    - \CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance
    - \CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance
    - \CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance
    - \AllFileSystemObjects\ShellEx\DragDropHandlers
    - \ShellEx\PropertySheetHandlers
    - \ShellEx\ContextMenuHandlers
filter:
  Details: (Empty)
condition: wow_classes_base and wow_classes and not filter

Author

Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)

Created

2019-10-25

Data Sources

windowsRegistry Set Events

Platforms

windows

References

Tags

attack.privilege-escalationattack.persistenceattack.t1547.001
Raw Content
title: Wow6432Node Classes Autorun Keys Modification
id: 18f2065c-d36c-464a-a748-bcf909acb2e3
related:
    - id: 17f878b8-9968-4578-b814-c4217fc5768c
      type: obsolete
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    wow_classes_base:
        TargetObject|contains: '\Software\Wow6432Node\Classes'
    wow_classes:
        TargetObject|contains:
            - '\Folder\ShellEx\ExtShellFolderViews'
            - '\Folder\ShellEx\DragDropHandlers'
            - '\Folder\ShellEx\ColumnHandlers'
            - '\Directory\Shellex\DragDropHandlers'
            - '\Directory\Shellex\CopyHookHandlers'
            - '\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance'
            - '\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance'
            - '\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance'
            - '\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance'
            - '\AllFileSystemObjects\ShellEx\DragDropHandlers'
            - '\ShellEx\PropertySheetHandlers'
            - '\ShellEx\ContextMenuHandlers'
    filter:
        Details: '(Empty)'
    condition: wow_classes_base and wow_classes and not filter
falsepositives:
    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
    - Legitimate administrator sets up autorun keys for legitimate reason
level: medium