Monitor AutoRun Registry Keys

Description

Attackers often add malware to the Windows Autorun registry keys to maintain persistence. This search looks through registry data for suspicious activities.

Use Case

Advanced Threat Detection

Category

Endpoint Compromise, Ransomware, Zero Trust

Alert Volume

High

SPL Difficulty

Basic

Data Availability

Bad

Journey

Stage 3

MITRE ATT&CK Tactics

Persistence

MITRE ATT&CK Techniques

Boot or Logon Autostart Execution
Registry Run Keys / Startup Folder

Kill Chain Phases

Installation

Data Sources

Endpoint Detection and Response

How to Implement

This use case requires a universal forwarder on the Windows endpoints you wish to monitor, with the Windows add-on configured to send registry logs to Splunk. Alternatively, endpoint solutions such as Carbon Black can report registry modifications for this use case.

Known False Positives

None at the moment

How To Respond

When this search fires, start your incident response process and verify the activities of the process that wrote the registry key.

Help

Monitor AutoRun Registry Keys Help

Often, attackers add malware to the Windows Autorun registry keys. This allows the malware to execute after a restart of the computer, which enables it to persist across reboots, and potentially delays the execution of the code until after a reboot to make its activities harder to detect. While legitimate applications also write to these keys, it is a good idea to monitor them and investigate anything that appears suspicious.

SPL for Monitor AutoRun Registry Keys

Demo Data

First we load our basic demo data
Then we filter for some of the most common AutoRuns keys that are seen in the wild
Finally we put everything in a table that is easy for analysts to read

Live Data

First we load our basic Windows Registry data and filter for some of the most common AutoRuns keys that are seen in the wild
Finally we put everything in a table that is easy for analysts to read
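The page describes the search logic (load registry data, filter for the common AutoRun keys, present the hits as a table) but does not show the SPL itself. The following is an added Python illustration of that same logic, not the page's search or any Splunk code: it parses a few constructed registry events in a key=value layout, keeps only those touching the usual Run / RunOnce / RunServices / Policies\Explorer\Run locations, and renders an analyst-readable table. The field names (time, host, user, registry_type, key_path, data, process_image) and the sample events are assumptions made for this example.

```python
"""Added example (not the page's SPL): filter Windows registry events for
common AutoRun keys and tabulate them for analysts.

Field names and sample events are constructed for this illustration and
only loosely modelled on Windows registry monitoring output.
"""
import re
from typing import Dict, List

# Constructed sample events. Line 2 is the kind of write an analyst would
# want to see: a RunOnce entry pointing into a user's Temp folder, written
# by the very binary it points at. Line 3 is registry noise outside the
# AutoRun keys and should be filtered out.
SAMPLE_EVENTS = r"""
time="2024-03-01 09:12:44" host=WS01 registry_type=SetValue key_path="HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive" data="C:\Program Files\Microsoft OneDrive\OneDrive.exe" process_image="C:\Windows\System32\msiexec.exe" user=WS01\alice
time="2024-03-01 09:13:02" host=WS01 registry_type=SetValue key_path="HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Updater" data="C:\Users\alice\AppData\Local\Temp\svc.exe" process_image="C:\Users\alice\AppData\Local\Temp\svc.exe" user=WS01\alice
time="2024-03-01 09:13:30" host=WS01 registry_type=SetValue key_path="HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Foo" data="1" process_image="C:\Windows\System32\msiexec.exe" user=WS01\alice
time="2024-03-01 09:14:10" host=WS01 registry_type=DeleteValue key_path="HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OldApp" data="" process_image="C:\Windows\regedit.exe" user=WS01\alice
"""

# key=value pairs; values containing spaces are double-quoted.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Common AutoRun locations (MITRE ATT&CK T1547.001) under either hive:
#   ...\CurrentVersion\Run, RunOnce, RunServices, RunServicesOnce
#   ...\CurrentVersion\Policies\Explorer\Run
# The trailing (\\|$) prevents matching unrelated keys such as "RunDLL".
AUTORUN_RE = re.compile(
    r"\\CurrentVersion\\(?:Policies\\Explorer\\)?Run(?:Once|Services|ServicesOnce)?(?:\\|$)",
    re.IGNORECASE,
)

COLUMNS = ["time", "host", "user", "action", "key_path", "data", "process_image"]


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value event line into a dict (empty dict for blank lines)."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def is_autorun_key(key_path: str) -> bool:
    """True if the registry path is one of the monitored AutoRun locations."""
    return AUTORUN_RE.search(key_path) is not None


def find_autorun_activity(raw_events: str) -> List[Dict[str, str]]:
    """Keep only events (writes and deletes) that touch an AutoRun key."""
    rows = []
    for line in raw_events.splitlines():
        ev = parse_event(line)
        if not ev or not is_autorun_key(ev.get("key_path", "")):
            continue
        rows.append({
            "time": ev.get("time", ""),
            "host": ev.get("host", ""),
            "user": ev.get("user", ""),
            "action": ev.get("registry_type", ""),
            "key_path": ev["key_path"],
            "data": ev.get("data", ""),
            "process_image": ev.get("process_image", ""),
        })
    return rows


def render_table(rows: List[Dict[str, str]]) -> str:
    """Fixed-width text table, one row per AutoRun event."""
    widths = {c: max([len(c)] + [len(r[c]) for r in rows]) for c in COLUMNS}
    header = " | ".join(c.ljust(widths[c]) for c in COLUMNS)
    sep = "-+-".join("-" * widths[c] for c in COLUMNS)
    body = [" | ".join(r[c].ljust(widths[c]) for c in COLUMNS) for r in rows]
    return "\n".join([header, sep, *body])


if __name__ == "__main__":
    print(render_table(find_autorun_activity(SAMPLE_EVENTS)))
```

Keeping process_image next to key_path and data in the table is what lets the responder follow the page's guidance directly: the process that wrote the key is the first thing to verify, and a writer that lives in a user's Temp folder and registers itself is far more worth a look than an installer writing a vendor entry.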