Startup or Run Key Registry Modificationedit

Identifies run key or startup key registry modifications. In order to survive reboots and other system interrupts, attackers will modify run keys within the registry or leverage startup folder items as a form of persistence.

Rule type: eql

Rule indices:

  • winlogbeat-*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100


  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Persistence

Version: 2 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.11.2

Rule authors: Elastic

Rule license: Elastic License

Rule queryedit

/* uncomment length once stable */ registry where /*
length( > 0 and */ registry.path : ( /*
Machine Hive */
Shell Folders\\*",
Folders\\*", "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion
NT\\CurrentVersion\\Winlogon\\Shell\\*", /* Users Hive */
\*", "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersio
n\\RunOnceEx\\*", "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\
CurrentVersion\\Explorer\\User Shell Folders\\*", "HKEY_USERS\\*
Folders\\*", "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\Curre
NT\\CurrentVersion\\Winlogon\\Shell\\*" ) and /* add here
common legit changes without making too restrictive as this is one of
the most abused AESPs */ not : "ctfmon.exe /n"
and not (registry.value : "Application Restart #*" and
: "csrss.exe") and user.domain != "NT AUTHORITY" and not : ("C:\\Program Files\\*.exe", "C:\\Program
Files (x86)\\*.exe") and not process.executable :

Threat mappingedit


Rule version historyedit

Version 2 (7.11.2 release)
  • Formatting only