Updated and Added rule related to Autorun Registry

rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml

@@ -11,9 +11,10 @@ status: test
 description: Detects suspicious PowerShell invocation command parameters
 references:
     - Internal Research
+    - https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
 author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro
 date: 2017-03-05
-modified: 2023-01-05
+modified: 2025-02-17
 tags:
     - attack.execution
     - attack.t1059.001
@@ -50,7 +51,10 @@ detection:
             - 'powershell'
             - 'reg'
             - 'add'
-            - 'HKCU\software\microsoft\windows\currentversion\run'
+        ContextInfo|contains:
+            - '\software\microsoft\windows\currentversion\run'
+            - '\software\wow6432node\microsoft\windows\currentversion\run'
+            - '\software\microsoft\windows\currentversion\policies\explorer\run'
     selection_webclient:
         ContextInfo|contains|all:
             - 'bypass'

rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml

@@ -11,9 +11,10 @@ status: test
 description: Detects suspicious PowerShell invocation command parameters
 references:
     - Internal Research
+    - https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
 author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro
 date: 2017-03-05
-modified: 2023-01-05
+modified: 2025-02-17
 tags:
     - attack.execution
     - attack.t1059.001
@@ -50,7 +51,10 @@ detection:
             - 'powershell'
             - 'reg'
             - 'add'
-            - 'HKCU\software\microsoft\windows\currentversion\run'
+        ScriptBlockText|contains:
+            - '\software\microsoft\windows\currentversion\run'
+            - '\software\wow6432node\microsoft\windows\currentversion\run'
+            - '\software\microsoft\windows\currentversion\policies\explorer\run'
     selection_webclient_selection:
         ScriptBlockText|contains|all:
             - 'bypass'

rules/windows/process_creation/proc_creation_win_autorun_registry_modified_via_wmic.yml

@@ -0,0 +1,61 @@
+title: Suspicious Autorun Registry Modified via WMI
+id: c80e66d8-1780-48a9-b412-46663fd21ac0
+status: experimental
+description: |
+    Detects suspicious activity where the WMIC process is used to create an autorun registry entry via reg.exe, which is often indicative of persistence mechanisms employed by malware.
+references:
+    - Internal Research
+    - https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-02-17
+tags:
+    - attack.execution
+    - attack.persistence
+    - attack.t1547.001
+    - attack.t1047
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_execution_img:
+        - Image|endswith: '\wmic.exe'
+        - OriginalFileName: 'wmic.exe' # wmic process call create 'reg.exe add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Desktops /t REG_SZ /d "\"C:\Users\user\AppData\Roaming\Microsoft\tre\Desktops.exe\" random" /f'
+        - ParentImage|endswith: '\wmiprvse.exe'
+    selection_execution_cmd:
+        CommandLine|contains|all:
+            - 'reg'
+            - ' add '
+        CommandLine|contains:
+            - '\Software\Microsoft\Windows\CurrentVersion\Run'
+            - '\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
+            - '\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
+    selection_suspicious_paths_1:
+        CommandLine|contains:
+            - ':\Perflogs'
+            - :\ProgramData'
+            - ':\Windows\Temp'
+            - ':\Temp'
+            - '\AppData\Local\Temp'
+            - '\AppData\Roaming'
+            - ':\$Recycle.bin'
+            - ':\Users\Default'
+            - ':\Users\public'
+            - '%temp%'
+            - '%tmp%'
+            - '%Public%'
+            - '%AppData%'
+    selection_suspicious_paths_user_1:
+        CommandLine|contains: ':\Users\'
+    selection_suspicious_paths_user_2:
+        CommandLine|contains:
+            - '\Favorites'
+            - '\Favourites'
+            - '\Contacts'
+            - '\Music'
+            - '\Pictures'
+            - '\Documents'
+            - '\Photos'
+    condition: all of selection_execution_* and (selection_suspicious_paths_1 or (all of selection_suspicious_paths_user_*))
+falsepositives:
+    - Legitimate administrative activity or software installations
+level: high

rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml

@@ -5,9 +5,10 @@ description: Detects suspicious command line reg.exe tool adding key to RUN key
 references:
     - https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/
     - https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
-author: Florian Roth (Nextron Systems)
+    - https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
+author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2021-06-28
-modified: 2023-01-30
+modified: 2025-02-17
 tags:
     - attack.persistence
     - attack.t1547.001
@@ -16,10 +17,14 @@ logsource:
     product: windows
 detection:
     selection:
+        Image|endswith: '\reg.exe'
         CommandLine|contains|all:
             - 'reg'
-            - ' ADD '
+            - ' add '
+        CommandLine|contains:
             - 'Software\Microsoft\Windows\CurrentVersion\Run'
+            - '\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
+            - '\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
     condition: selection
 falsepositives:
     - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.

rules/windows/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yml

@@ -4,9 +4,10 @@ status: test
 description: Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
-author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community
+    - https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
+author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community, Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2019-10-25
-modified: 2022-08-04
+modified: 2025-02-17
 tags:
     - attack.persistence
     - attack.t1547.001
@@ -20,6 +21,8 @@ detection:
     selection_2:
         CommandLine|contains:           # need to improve this list, there are plenty of ASEP reg keys
             - '\software\Microsoft\Windows\CurrentVersion\Run' # Also covers the strings "RunOnce", "RunOnceEx", "RunServices", "RunServicesOnce"
+            - '\software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
+            - '\software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
             - '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit'
             - '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell'
             - '\software\Microsoft\Windows NT\CurrentVersion\Windows'

rules/windows/registry/registry_event/registry_event_susp_download_run_key.yml

@@ -4,9 +4,10 @@ status: test
 description: Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories
 references:
     - https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/
-author: Florian Roth (Nextron Systems)
+    - https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
+author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poude (Nextron Systems)
 date: 2019-10-01
-modified: 2021-11-27
+modified: 2025-02-17
 tags:
     - attack.persistence
     - attack.t1547.001
@@ -16,10 +17,15 @@ logsource:
 detection:
     selection:
         Image|contains:
+            - '\AppData\Local\Packages\Microsoft.Outlook_'
+            - '\AppData\Local\Microsoft\Olk\Attachments\'
             - '\Downloads\'
             - '\Temporary Internet Files\Content.Outlook\'
             - '\Local Settings\Temporary Internet Files\'
-        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\'
+        TargetObject|contains:
+            - '\Software\Microsoft\Windows\CurrentVersion\Run'
+            - '\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
+            - '\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
     condition: selection
 falsepositives:
     - Software installers downloaded and used by users

rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml

@@ -5,9 +5,10 @@ description: Detects potential PowerShell commands or code within registry run k
 references:
     - https://github.com/frack113/atomic-red-team/blob/a9051c38de8a5320b31c7039efcbd3b56cf2d65a/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry
     - https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html
+    - https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
 author: frack113, Florian Roth (Nextron Systems)
 date: 2022-03-17
-modified: 2023-08-17
+modified: 2025-02-17
 tags:
     - attack.persistence
     - attack.t1547.001
@@ -16,7 +17,10 @@ logsource:
     product: windows
 detection:
     selection:
-        TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Run' # Also covers "RunOnce" and "RunOnceEx"
+        TargetObject|contains:
+            - '\Software\Microsoft\Windows\CurrentVersion\Run' # Also covers "RunOnce" and "RunOnceEx"
+            - '\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
+            - '\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
         Details|contains:
             - 'powershell'
             - 'pwsh '

rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml

@@ -4,9 +4,10 @@ status: experimental
 description: Detects suspicious new RUN key element pointing to an executable in a suspicious folder
 references:
     - https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html
-author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing
+    - https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
+author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing, Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2018-08-25
-modified: 2024-07-16
+modified: 2025-02-17
 tags:
     - attack.persistence
     - attack.t1547.001
@@ -16,23 +17,35 @@ logsource:
 detection:
     selection_target:
         TargetObject|contains:
-            - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\'
-            - '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\'
-    selection_details:
-        - Details|contains:
-              - ':\$Recycle.bin\'
-              - ':\Temp\'
-              - ':\Users\Default\'
-              - ':\Users\Desktop\'
-              - ':\Users\Public\'
-              - ':\Windows\Temp\'
-              - '\AppData\Local\Temp\'
-              - '%temp%\'
-              - '%tmp%\'
-        - Details|startswith:
-              - '%Public%\'
-              - 'wscript'
-              - 'cscript'
+            - '\Software\Microsoft\Windows\CurrentVersion\Run'
+            - '\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
+            - '\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
+    selection_suspicious_paths_1:
+        Details|contains:
+            - ':\Perflogs'
+            - :\ProgramData'
+            - ':\Windows\Temp'
+            - ':\Temp'
+            - '\AppData\Local\Temp'
+            - '\AppData\Roaming'
+            - ':\$Recycle.bin'
+            - ':\Users\Default'
+            - ':\Users\public'
+            - '%temp%'
+            - '%tmp%'
+            - '%Public%'
+            - '%AppData%'
+    selection_suspicious_paths_user_1:
+        Details|contains: ':\Users\'
+    selection_suspicious_paths_user_2:
+        Details|contains:
+            - '\Favorites'
+            - '\Favourites'
+            - '\Contacts'
+            - '\Music'
+            - '\Pictures'
+            - '\Documents'
+            - '\Photos'
     filter_main_windows_update:
         TargetObject|contains: '\Microsoft\Windows\CurrentVersion\RunOnce\'
         Image|startswith: 'C:\Windows\SoftwareDistribution\Download\'
@@ -42,7 +55,7 @@ detection:
         Details|contains:
             - '\AppData\Local\Temp\'
             - 'C:\Windows\Temp\'
-    condition: all of selection_* and not 1 of filter_main_*
+    condition: selection_target and (selection_suspicious_paths_1 or (all of selection_suspicious_paths_user_* )) and not 1 of filter_main_*
 falsepositives:
     - Software using weird folders for updates
 level: high