T1547.001 Potential Persistence Attempt Via Run Keys Using Reg.EXE

T1547.001 - Potential Persistence Attempt Via Run Keys Using Reg.EXE

DESCRIPTION

Detects suspicious command line reg.exe tool adding key to Autoruns key in Registry

Example:

REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "softoz" /t REG_SZ /F /D "C:\Users\admin\AppData\Roaming\sihostt.exe"

Related

common persistance

Reference:

https://github.com/SigmaHQ/sigma/blob/cac07b8ecd07ffe729ed82dfa2082fdb6a1ceabc/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml#L22
https://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys

ATT&CK TACTICS

T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Data Source(s): Command

SENTINEL RULE QUERY

let selection= dynamic(['reg',' ADD', @'Software\Microsoft\Windows\CurrentVersion\Run']);
let filter_known = dynamic(['Discord.exe','Skype.exe','LiveChat.exe','Promethean Desktop.exe']);
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where ProcessCommandLine has_all (selection)
| where InitiatingProcessFileName !in (filter_known) //Known False-Positive
| where ProcessCommandLine !contains "PaperCut"
//| summarize count(), set_InitiatingProcessFolderPath = make_set(InitiatingProcessFolderPath) by InitiatingProcessFileName, FolderPath, FileName, ProcessCommandLine, TenantId

Triage

1. Inspect if the software is approved
2. Validate the folder path of the initiating process
3. Use summarize statement to remove duplication

FalsePositive

• Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.
• Legitimate administrator sets up autorun keys for legitimate reasons.
• Discord/ Skype/ Other applications

VERSION

Version 2.0 (date: 09/02/2024)