EXPLORE
Sign In
← Back to Explore
sigmahighHunting

Suspicious Run Key from Download

Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories

MITRE ATT&CK

T1547.001
privilege-escalationpersistence

Detection Query

selection:
  Image|contains:
    - \AppData\Local\Packages\Microsoft.Outlook_
    - \AppData\Local\Microsoft\Olk\Attachments\
    - \Downloads\
    - \Temporary Internet Files\Content.Outlook\
    - \Local Settings\Temporary Internet Files\
  TargetObject|contains:
    - \Software\Microsoft\Windows\CurrentVersion\Run
    - \Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
    - \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
condition: selection

Author

Florian Roth (Nextron Systems), Swachchhanda Shrawan Poude (Nextron Systems)

Created

2019-10-01

Data Sources

windowsRegistry Events

Platforms

windows

References

Tags

attack.privilege-escalationattack.persistenceattack.t1547.001
Raw Content
title: Suspicious Run Key from Download
id: 9c5037d1-c568-49b3-88c7-9846a5bdc2be
status: test
description: Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories
references:
    - https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/
    - https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poude (Nextron Systems)
date: 2019-10-01
modified: 2025-02-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        Image|contains:
            - '\AppData\Local\Packages\Microsoft.Outlook_'
            - '\AppData\Local\Microsoft\Olk\Attachments\'
            - '\Downloads\'
            - '\Temporary Internet Files\Content.Outlook\'
            - '\Local Settings\Temporary Internet Files\'
        TargetObject|contains:
            - '\Software\Microsoft\Windows\CurrentVersion\Run'
            - '\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
            - '\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    condition: selection
falsepositives:
    - Software installers downloaded and used by users
level: high