← Back to Explore
sigmamediumHunting
CurrentVersion NT Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
Detection Query
selection_nt_current_version_base:
TargetObject|contains: \SOFTWARE\Microsoft\Windows NT\CurrentVersion
selection_nt_current_version:
TargetObject|contains:
- \Winlogon\VmApplet
- \Winlogon\Userinit
- \Winlogon\Taskman
- \Winlogon\Shell
- \Winlogon\GpExtensions
- \Winlogon\AppSetup
- \Winlogon\AlternateShells\AvailableShells
- \Windows\IconServiceLib
- \Windows\Appinit_Dlls
- \Image File Execution Options
- \Font Drivers
- \Drivers32
- \Windows\Run
- \Windows\Load
filter_main_empty:
Details: (Empty)
filter_main_null:
Details: null
filter_main_poqexec:
Image: C:\Windows\System32\poqexec.exe
filter_main_legitimate_subkey:
TargetObject|contains: \Image File Execution Options\
TargetObject|endswith:
- \DisableExceptionChainValidation
- \MitigationOptions
filter_main_security_extension_dc:
Image: C:\Windows\system32\svchost.exe
TargetObject|contains:
- \Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\PreviousPolicyAreas
- \Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\MaxNoGPOListChangesInterval
Details:
- DWORD (0x00000001)
- DWORD (0x00000009)
- DWORD (0x000003c0)
filter_main_runtimebroker:
Image: C:\Windows\System32\RuntimeBroker.exe
TargetObject|contains: \runtimebroker.exe\Microsoft.Windows.ShellExperienceHost
filter_optional_edge:
Image|startswith: C:\Program Files (x86)\Microsoft\Temp\
Image|endswith: \MicrosoftEdgeUpdate.exe
filter_optional_avguard:
Image|startswith:
- C:\Program Files (x86)\Avira\Antivirus\avguard.exe
- C:\Program Files\Avira\Antivirus\avguard.exe
TargetObject|contains: SOFTWARE\WOW6432Node\Avira\Antivirus\Overwrite_Keys\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\
TargetObject|endswith:
- \userinit\UseAsDefault
- \shell\UseAsDefault
Details:
- explorer.exe
- C:\Windows\system32\userinit.exe,
filter_optional_msoffice:
- TargetObject|contains:
- \ClickToRunStore\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
- \ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\
- Image:
- C:\Program Files\Microsoft Office\root\integration\integrator.exe
- C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe
filter_optional_officeclicktorun:
Image|startswith:
- C:\Program Files\Common Files\Microsoft Shared\ClickToRun\
- C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\
Image|endswith: \OfficeClickToRun.exe
filter_optional_ngen:
Image|startswith: C:\Windows\Microsoft.NET\Framework
Image|endswith: \ngen.exe
filter_optional_onedrive:
Image|endswith: \AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
TargetObject|endswith: \Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary
Details|startswith: C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\
Details|endswith: \AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe"
condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
Author
Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
Created
2019-10-25
Data Sources
windowsRegistry Set Events
Platforms
windows
References
Tags
attack.privilege-escalationattack.persistenceattack.t1547.001
Raw Content
title: CurrentVersion NT Autorun Keys Modification
id: cbf93e5d-ca6c-4722-8bea-e9119007c248
related:
- id: 17f878b8-9968-4578-b814-c4217fc5768c
type: obsolete
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2025-10-22
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
logsource:
category: registry_set
product: windows
detection:
selection_nt_current_version_base:
TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
selection_nt_current_version:
TargetObject|contains:
- '\Winlogon\VmApplet'
- '\Winlogon\Userinit'
- '\Winlogon\Taskman'
- '\Winlogon\Shell'
- '\Winlogon\GpExtensions'
- '\Winlogon\AppSetup'
- '\Winlogon\AlternateShells\AvailableShells'
- '\Windows\IconServiceLib'
- '\Windows\Appinit_Dlls'
- '\Image File Execution Options' # Covered in better details in 36803969-5421-41ec-b92f-8500f79c23b0
- '\Font Drivers'
- '\Drivers32'
- '\Windows\Run'
- '\Windows\Load'
filter_main_empty:
Details: '(Empty)'
filter_main_null:
Details: null
filter_main_poqexec:
Image: 'C:\Windows\System32\poqexec.exe'
filter_main_legitimate_subkey: # Legitimately used subkeys of \Image File Execution Options, which are not used for persistence (see https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/)
TargetObject|contains: '\Image File Execution Options\'
TargetObject|endswith:
- '\DisableExceptionChainValidation'
- '\MitigationOptions'
filter_main_security_extension_dc:
Image: 'C:\Windows\system32\svchost.exe'
TargetObject|contains:
- '\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\PreviousPolicyAreas'
- '\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\MaxNoGPOListChangesInterval'
Details:
- 'DWORD (0x00000001)'
- 'DWORD (0x00000009)'
- 'DWORD (0x000003c0)'
filter_main_runtimebroker:
Image: 'C:\Windows\System32\RuntimeBroker.exe'
TargetObject|contains: '\runtimebroker.exe\Microsoft.Windows.ShellExperienceHost'
filter_optional_edge:
Image|startswith: 'C:\Program Files (x86)\Microsoft\Temp\'
Image|endswith: '\MicrosoftEdgeUpdate.exe'
filter_optional_avguard:
Image|startswith:
- 'C:\Program Files (x86)\Avira\Antivirus\avguard.exe'
- 'C:\Program Files\Avira\Antivirus\avguard.exe'
TargetObject|contains: 'SOFTWARE\WOW6432Node\Avira\Antivirus\Overwrite_Keys\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\'
TargetObject|endswith:
- '\userinit\UseAsDefault'
- '\shell\UseAsDefault'
Details:
- 'explorer.exe'
- 'C:\Windows\system32\userinit.exe,'
filter_optional_msoffice:
- TargetObject|contains:
- '\ClickToRunStore\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\'
- '\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\'
- Image:
- 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
- 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
filter_optional_officeclicktorun:
Image|startswith:
- 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
- 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
Image|endswith: '\OfficeClickToRun.exe'
filter_optional_ngen:
Image|startswith: 'C:\Windows\Microsoft.NET\Framework'
Image|endswith: '\ngen.exe'
filter_optional_onedrive:
Image|endswith: '\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe'
TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary'
Details|startswith: 'C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\'
Details|endswith: '\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe"'
condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
- Legitimate administrator sets up autorun keys for legitimate reason
level: medium