IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Startup Folder Persistence via Unsigned Process Strace Process Activity »

› › ›

Startup or Run Key Registry Modification

edit

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Startup or Run Key Registry Modification

edit

Identifies run key or startup key registry modifications. In order to survive reboots and other system interrupts, attackers will modify run keys within the registry or leverage startup folder items as a form of persistence.

Rule type: eql

Rule indices:

winlogbeat-*
logs-endpoint.events.*
logs-windows.*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

Elastic
Host
Windows
Threat Detection
Persistence

Version: 3 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

Rule query

edit

/* uncomment length once stable */ registry where /*
length(registry.data.strings) > 0 and */ registry.path : ( /*
Machine Hive */
"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*",
"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\*",
"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User
Shell Folders\\*",
"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell
Folders\\*", "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion
\\Policies\\Explorer\\Run\\*",
"HKLM\\Software\\Microsoft\\Windows
NT\\CurrentVersion\\Winlogon\\Shell\\*", /* Users Hive */
"HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
"HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\
\*", "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersio
n\\RunOnceEx\\*", "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\
CurrentVersion\\Explorer\\User Shell Folders\\*", "HKEY_USERS\\*
\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell
Folders\\*", "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\Curre
ntVersion\\Policies\\Explorer\\Run\\*",
"HKEY_USERS\\*\\Software\\Microsoft\\Windows
NT\\CurrentVersion\\Winlogon\\Shell\\*" ) and /* add here
common legit changes without making too restrictive as this is one of
the most abused AESPs */ not registry.data.strings : "ctfmon.exe /n"
and not (registry.value : "Application Restart #*" and process.name
: "csrss.exe") and user.domain != "NT AUTHORITY" and not
registry.data.strings : ("C:\\Program Files\\*.exe", "C:\\Program
Files (x86)\\*.exe") and not process.executable :
("C:\\Windows\\System32\\msiexec.exe",
"C:\\Windows\\SysWOW64\\msiexec.exe")

Threat mapping

edit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
Technique:
- Name: Boot or Logon Autostart Execution
- ID: T1547
- Reference URL: https://attack.mitre.org/techniques/T1547/

Rule version history

edit

Version 3 (7.12.0 release)

Formatting only

Version 2 (7.11.2 release)

Formatting only

« Startup Folder Persistence via Unsigned Process Strace Process Activity »