Files
Anthropic-Cybersecurity-Skills/skills/hunting-for-registry-run-key-persistence/references/api-reference.md
T

3.1 KiB

Registry Run Key Persistence (T1547.001) Detection Reference

Sysmon Event ID 13 - RegistryEvent (Value Set)

Event Fields

Field Description
UtcTime Timestamp of registry modification
ProcessGuid Unique process identifier
Image Full path of modifying process
TargetObject Full registry key path + value name
Details New registry value data
User User account context

Registry Paths to Monitor

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Sysmon Configuration

<Sysmon schemaversion="4.90">
  <EventFiltering>
    <RuleGroup name="RegistryPersistence" groupRelation="or">
      <RegistryEvent onmatch="include">
        <TargetObject condition="contains">CurrentVersion\Run</TargetObject>
        <TargetObject condition="contains">CurrentVersion\RunOnce</TargetObject>
        <TargetObject condition="contains">Explorer\Shell Folders</TargetObject>
      </RegistryEvent>
    </RuleGroup>
  </EventFiltering>
</Sysmon>

Splunk Detection Query

index=sysmon EventCode=13
| where match(TargetObject, "(?i)CurrentVersion\\\\Run")
| eval suspicious=if(match(Details, "(?i)(temp|appdata|downloads|programdata)"), "yes", "no")
| where suspicious="yes"
| stats count by Image, TargetObject, Details, User, host

Sigma Rule

title: Suspicious Run Key Persistence
status: stable
logsource:
  product: windows
  category: registry_set
detection:
  selection:
    EventType: SetValue
    TargetObject|contains: '\CurrentVersion\Run'
  filter_legitimate:
    Details|contains:
      - 'SecurityHealth'
      - 'WindowsDefender'
  condition: selection and not filter_legitimate
level: medium
tags:
  - attack.persistence
  - attack.t1547.001

Windows Registry Query (reg.exe)

reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

CLI Usage

python agent.py --input sysmon_events.json --output report.json
python agent.py --input registry_snapshot.json --output report.json

MITRE ATT&CK Reference

  • Technique: T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys
  • Tactic: Persistence
  • Platforms: Windows
  • Detection: Sysmon Event 13, Windows Security Event 4657

References