Updated and Added rule related to Autorun Registry
Summary of the Pull Request
Updated and Added rule related to Autorun Registry
Changelog
- new: Suspicious Autorun Registry Modified via WMI
- update: Suspicious PowerShell Invocations - Specific - PowerShell Module
- update: Suspicious PowerShell Invocations - Specific
- update: Potential Persistence Attempt Via Run Keys Using Reg.EXE
- update: New RUN Key Pointing to Suspicious Folder
- update: Suspicious Powershell In Registry Run Keys
- update: Direct Autorun Keys Modification
- update: Suspicious Run Key from Download
Example Log Event
Fixed Issues
SigmaHQ Rule Creation Conventions
- If your PR adds new rules, please consider following and applying these conventions
Hello, can you give me some references for the new run keys? Thanks
> Hello, can you give me some references for the new run keys? Thanks

Hi @frack113, there are various references in Red Canary's Atomic Red Team, where new tasks are being registered under these new registry keys:
https://grep.app/search?f.repo=redcanaryco%2Fatomic-red-team&q=%5Csoftware%5Cmicrosoft%5Cwindows%5Ccurrentversion%5Cpolicies%5Cexplorer%5Crun
https://github.com/HackTricks-wiki/hacktricks/blob/master/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
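The discussion above concerns which registry paths count as autorun keys and who writes to them (Reg.EXE, WMI). The following is an added illustration, not code from the SigmaHQ rules in this PR: it runs simplified detection logic of the same shape over a few constructed Sysmon EventID 13 (registry value set) records. The rule labels, the WmiPrvSE.exe/reg.exe image checks, the interpreter and folder patterns, and the sample events are all assumptions made for the example; the `Policies\Explorer\Run` path is the one cited in the thread, the other two are the classic Run and RunOnce keys.

```python
"""Added example: autorun-key detection logic over constructed Sysmon-style
registry events. Not the SigmaHQ rules from the PR; labels and patterns are
assumptions chosen to mirror the rule names in the changelog."""
import re

# Registry paths commonly abused for persistence. Policies\Explorer\Run is the
# path referenced in the PR discussion; Run and RunOnce are the classic keys.
AUTORUN_KEY_PATTERNS = [
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\",
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\",
]
AUTORUN_RE = re.compile("|".join(AUTORUN_KEY_PATTERNS), re.IGNORECASE)

# Process images worth flagging when they write an autorun value (assumed).
WMI_PROVIDER_HOST = "\\wmiprvse.exe"
REG_EXE = "\\reg.exe"

# Value data that points at a script host or a user-writable folder (assumed lists).
SUSPICIOUS_INTERPRETER_RE = re.compile(
    r"(powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32)", re.IGNORECASE)
SUSPICIOUS_FOLDER_RE = re.compile(
    r"\\(Temp|AppData\\Local\\Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)


def classify(event):
    """Return the set of hypothetical rule labels one Sysmon event triggers.

    Only EventID 13 (registry value set) is evaluated; key create/delete (12)
    and rename (14) carry no value data and are ignored here.
    """
    hits = set()
    if event.get("EventID") != 13:
        return hits
    target = event.get("TargetObject", "")
    if not AUTORUN_RE.search(target):
        return hits
    # Any write under an autorun key is the baseline detection.
    hits.add("direct_autorun_modification")

    image = event.get("Image", "").lower()
    if image.endswith(WMI_PROVIDER_HOST):
        hits.add("autorun_modified_via_wmi")
    if image.endswith(REG_EXE):
        hits.add("run_key_written_via_reg_exe")

    details = event.get("Details", "")
    if SUSPICIOUS_INTERPRETER_RE.search(details):
        hits.add("suspicious_interpreter_in_run_key")
    if SUSPICIOUS_FOLDER_RE.search(details):
        hits.add("run_key_pointing_to_suspicious_folder")
    return hits


def scan(events):
    """Map each flagged TargetObject to its sorted list of labels."""
    findings = {}
    for ev in events:
        labels = classify(ev)
        if labels:
            findings[ev["TargetObject"]] = sorted(labels)
    return findings


# Constructed sample events (not real telemetry), in Sysmon field names.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion"
                     "\\Policies\\Explorer\\Run\\Updater",
     "Details": "C:\\Users\\Public\\update.exe"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Loader",
     "Details": "powershell.exe -nop -w hidden -enc AAAA"},
    {"EventID": 13, "Image": "C:\\Program Files\\Vendor\\setup.exe",
     "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent",
     "Details": "C:\\Program Files\\Vendor\\agent.exe"},
    {"EventID": 12, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Stage",
     "Details": ""},
]

if __name__ == "__main__":
    for target, labels in scan(SAMPLE_EVENTS).items():
        print(target, "->", ", ".join(labels))
```

The baseline label fires for every write under an autorun key, so the legitimate installer event is flagged too; that is expected for a rule like "Direct Autorun Keys Modification" and is why the narrower labels (WMI image, reg.exe, script host in the value, user-writable folder) exist to raise severity rather than replace the broad match.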