A newer version is available. For the latest information, see the
current release documentation.
Startup or Run Key Registry Modification
editStartup or Run Key Registry Modification
editIdentifies run key or startup key registry modifications. In order to survive reboots and other system interrupts, attackers will modify run keys within the registry or leverage startup folder items as a form of persistence.
Rule type: eql
Rule indices:
- winlogbeat-*
- logs-endpoint.events.*
- logs-windows.*
Severity: low
Risk score: 21
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Persistence
Version: 4 (version history)
Added (Elastic Stack release): 7.11.0
Last modified (Elastic Stack release): 7.13.0
Rule authors: Elastic
Rule license: Elastic License v2
Rule query
editregistry where registry.data.strings != null and registry.path : ( /* Machine Hive */ "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*", "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*", "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\*", "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explore r\\Run\\*", "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\\*", /* Users Hive */ "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*", "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\ \*", "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersio n\\RunOnceEx\\*", "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\C urrentVersion\\Policies\\Explorer\\Run\\*", "HKEY_USERS\\*\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\\*" ) and /* add common legitimate changes without being too restrictive as this is one of the most abused AESPs */ not registry.data.strings : "ctfmon.exe /n" and not (registry.value : "Application Restart #*" and process.name : "csrss.exe") and user.id not in ("S-1-5-18", "S-1-5-19", "S-1-5-20") and not registry.data.strings : ("?:\\Program Files\\*.exe", "?:\\Program Files (x86)\\*.exe") and not process.executable : ("?:\\Windows\\System32\\msiexec.exe", "?:\\Windows\\SysWOW64\\msiexec.exe") and not (process.name : "OneDriveSetup.exe" and registry.value : ("Delete Cached Standalone Update Binary", "Delete Cached Update Binary", "amd64", "Uninstall *") and registry.data.strings : "?:\\Windows\\system32\\cmd.exe /q /c * \"?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\*\"")
Threat mapping
editFramework: MITRE ATT&CKTM
-
Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
-
Technique:
- Name: Boot or Logon Autostart Execution
- ID: T1547
- Reference URL: https://attack.mitre.org/techniques/T1547/
Rule version history
edit- Version 4 (7.13.0 release)
-
-
Updated query, changed from:
/* uncomment length once stable */ registry where /* length(registry.data.strings) > 0 and */ registry.path : ( /* Machine Hive */ "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*", "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*", "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\*", "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\*", "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\*", "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion \\Policies\\Explorer\\Run\\*", "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\\*", /* Users Hive */ "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*", "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\ \*", "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersio n\\RunOnceEx\\*", "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\ CurrentVersion\\Explorer\\User Shell Folders\\*", "HKEY_USERS\\* \\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\*", "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\Curre ntVersion\\Policies\\Explorer\\Run\\*", "HKEY_USERS\\*\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\\*" ) and /* add here common legit changes without making too restrictive as this is one of the most abused AESPs */ not registry.data.strings : "ctfmon.exe /n" and not (registry.value : "Application Restart #*" and process.name : "csrss.exe") and user.domain != "NT AUTHORITY" and not registry.data.strings : ("C:\\Program Files\\*.exe", "C:\\Program Files (x86)\\*.exe") and not process.executable : ("C:\\Windows\\System32\\msiexec.exe", "C:\\Windows\\SysWOW64\\msiexec.exe")
-
- Version 3 (7.12.0 release)
-
- Formatting only
- Version 2 (7.11.2 release)
-
- Formatting only