← Back to Explore
sigmamediumHunting
CurrentControlSet Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
Detection Query
system_control_base:
TargetObject|contains: \SYSTEM\CurrentControlSet\Control
system_control_keys:
TargetObject|contains:
- \Terminal Server\WinStations\RDP-Tcp\InitialProgram
- \Terminal Server\Wds\rdpwd\StartupPrograms
- \SecurityProviders\SecurityProviders
- \SafeBoot\AlternateShell
- \Print\Providers
- \Print\Monitors
- \NetworkProvider\Order
- \Lsa\Notification Packages
- \Lsa\Authentication Packages
- \BootVerificationProgram\ImagePath
filter_empty:
Details: (Empty)
filter_cutepdf:
Image: C:\Windows\System32\spoolsv.exe
TargetObject|contains: \Print\Monitors\CutePDF Writer Monitor
Details:
- cpwmon64_v40.dll
- CutePDF Writer
filter_onenote:
Image: C:\Windows\System32\spoolsv.exe
TargetObject|contains: Print\Monitors\Appmon\Ports\Microsoft.Office.OneNote_
User|contains:
- AUTHORI
- AUTORI
filter_poqexec:
Image: C:\Windows\System32\poqexec.exe
TargetObject|endswith: \NetworkProvider\Order\ProviderOrder
filter_realvnc:
Image: C:\Windows\System32\spoolsv.exe
TargetObject|endswith: \Print\Monitors\MONVNC\Driver
Details: VNCpm.dll
condition: all of system_control_* and not 1 of filter_*
Author
Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
Created
2019-10-25
Data Sources
windowsRegistry Set Events
Platforms
windows
References
Tags
attack.privilege-escalationattack.persistenceattack.t1547.001
Raw Content
title: CurrentControlSet Autorun Keys Modification
id: f674e36a-4b91-431e-8aef-f8a96c2aca35
related:
- id: 17f878b8-9968-4578-b814-c4217fc5768c
type: obsolete
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
logsource:
category: registry_set
product: windows
detection:
system_control_base:
TargetObject|contains: '\SYSTEM\CurrentControlSet\Control'
system_control_keys:
TargetObject|contains:
- '\Terminal Server\WinStations\RDP-Tcp\InitialProgram'
- '\Terminal Server\Wds\rdpwd\StartupPrograms'
- '\SecurityProviders\SecurityProviders'
- '\SafeBoot\AlternateShell'
- '\Print\Providers'
- '\Print\Monitors'
- '\NetworkProvider\Order'
- '\Lsa\Notification Packages'
- '\Lsa\Authentication Packages'
- '\BootVerificationProgram\ImagePath'
filter_empty:
Details: '(Empty)'
filter_cutepdf:
Image: 'C:\Windows\System32\spoolsv.exe'
TargetObject|contains: '\Print\Monitors\CutePDF Writer Monitor'
Details:
- 'cpwmon64_v40.dll'
- 'CutePDF Writer'
filter_onenote:
Image: C:\Windows\System32\spoolsv.exe
TargetObject|contains: 'Print\Monitors\Appmon\Ports\Microsoft.Office.OneNote_'
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
filter_poqexec:
Image: 'C:\Windows\System32\poqexec.exe'
TargetObject|endswith: '\NetworkProvider\Order\ProviderOrder'
filter_realvnc:
Image: 'C:\Windows\System32\spoolsv.exe'
TargetObject|endswith: '\Print\Monitors\MONVNC\Driver'
Details: 'VNCpm.dll'
condition: all of system_control_* and not 1 of filter_*
falsepositives:
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
- Legitimate administrator sets up autorun keys for legitimate reason
level: medium