← Back to Explore
sigmamediumHunting
Classes Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
Detection Query
selection_classes_base:
TargetObject|contains: \Software\Classes
selection_classes_target:
TargetObject|contains:
- \Folder\ShellEx\ExtShellFolderViews
- \Folder\ShellEx\DragDropHandlers
- \Folder\Shellex\ColumnHandlers
- \Filter
- \Exefile\Shell\Open\Command\(Default)
- \Directory\Shellex\DragDropHandlers
- \Directory\Shellex\CopyHookHandlers
- \CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance
- \CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance
- \CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance
- \CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance
- \Classes\AllFileSystemObjects\ShellEx\DragDropHandlers
- \.exe
- \.cmd
- \ShellEx\PropertySheetHandlers
- \ShellEx\ContextMenuHandlers
filter_main_drivers:
Image: C:\Windows\System32\drvinst.exe
filter_main_empty:
Details: (Empty)
filter_main_null:
Details: null
filter_main_svchost:
Image: C:\Windows\System32\svchost.exe
TargetObject|contains: \lnkfile\shellex\ContextMenuHandlers\
filter_optional_msoffice:
Details: "{807583E5-5146-11D5-A672-00B0D022E945}"
condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
Author
Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
Created
2019-10-25
Data Sources
windowsRegistry Set Events
Platforms
windows
References
Tags
attack.privilege-escalationattack.persistenceattack.t1547.001
Raw Content
title: Classes Autorun Keys Modification
id: 9df5f547-c86a-433e-b533-f2794357e242
related:
- id: 17f878b8-9968-4578-b814-c4217fc5768c
type: obsolete
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2025-10-22
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
logsource:
category: registry_set
product: windows
detection:
selection_classes_base:
TargetObject|contains: '\Software\Classes'
selection_classes_target:
TargetObject|contains:
- '\Folder\ShellEx\ExtShellFolderViews'
- '\Folder\ShellEx\DragDropHandlers'
- '\Folder\Shellex\ColumnHandlers'
- '\Filter'
- '\Exefile\Shell\Open\Command\(Default)'
- '\Directory\Shellex\DragDropHandlers'
- '\Directory\Shellex\CopyHookHandlers'
- '\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance'
- '\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance'
- '\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance'
- '\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance'
- '\Classes\AllFileSystemObjects\ShellEx\DragDropHandlers'
- '\.exe'
- '\.cmd'
- '\ShellEx\PropertySheetHandlers'
- '\ShellEx\ContextMenuHandlers'
filter_main_drivers:
Image: 'C:\Windows\System32\drvinst.exe'
filter_main_empty:
Details: '(Empty)'
filter_main_null:
Details: null
filter_main_svchost:
Image: 'C:\Windows\System32\svchost.exe'
# If more targets are found from "svchost". Please exclude the whole image
TargetObject|contains: '\lnkfile\shellex\ContextMenuHandlers\'
filter_optional_msoffice:
Details: '{807583E5-5146-11D5-A672-00B0D022E945}'
condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
- Legitimate administrator sets up autorun keys for legitimate reason
level: medium