rules/windows/process_creation/proc_creation_win_runonce_execution.yml

title: Run Once Task Execution as Configured in Registry
id: 198effb6-6c98-4d0c-9ea3-451fa143c45c
status: test
description: This rule detects the execution of Run Once task as configured in the registry
references:
    - https://twitter.com/pabraeken/status/990717080805789697
    - https://lolbas-project.github.io/lolbas/Binaries/Runonce/
    - https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA
author: 'Avneet Singh @v3t0_, oscd.community, Christopher Peacock @SecurePeacock (updated)'
date: 2020-10-18
modified: 2022-12-13
tags:
    - attack.defense-evasion
    - attack.t1112
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\runonce.exe'
        - Description: 'Run Once Wrapper'
    selection_cli:
        - CommandLine|contains: '/AlternateShellStartup'
        - CommandLine|endswith: '/r'
    condition: all of selection_*
falsepositives:
    - Unknown
level: low
[OSCD] Added a rule to detect execution of runonce with suspicious parameters 2020-10-18 22:38:13 -04:00			`title: Run Once Task Execution as Configured in Registry`
			`id: 198effb6-6c98-4d0c-9ea3-451fa143c45c`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`status: test`
[OSCD] Added a rule to detect execution of runonce with suspicious parameters 2020-10-18 22:38:13 -04:00			`description: This rule detects the execution of Run Once task as configured in the registry`
			`references:`
Update Ref+Selection 2 2022-07-11 17:48:40 +01:00			`- https://twitter.com/pabraeken/status/990717080805789697`
			`- https://lolbas-project.github.io/lolbas/Binaries/Runonce/`
Update proc_creation_win_susp_runonce_execution.yml 2022-12-13 09:50:43 -05:00			`- https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA`
			`author: 'Avneet Singh @v3t0_, oscd.community, Christopher Peacock @SecurePeacock (updated)'`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`date: 2020-10-18`
			`modified: 2022-12-13`
$frack113$ order yaml 2022-10-28 15:06:36 +02:00			`tags:`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`- attack.defense-evasion`
$frack113$ order yaml 2022-10-28 15:06:36 +02:00			`- attack.t1112`
[OSCD] Added a rule to detect execution of runonce with suspicious parameters 2020-10-18 22:38:13 -04:00			`logsource:`
Update Ref+Selection 2 2022-07-11 17:48:40 +01:00			`product: windows`
			`category: process_creation`
[OSCD] Added a rule to detect execution of runonce with suspicious parameters 2020-10-18 22:38:13 -04:00			`detection:`
Update Ref+Selection 2 2022-07-11 17:48:40 +01:00			`selection_img:`
			`- Image\|endswith: '\runonce.exe'`
			`- Description: 'Run Once Wrapper'`
			`selection_cli:`
fix: update commandline selection 2022-12-14 11:09:35 +01:00			`- CommandLine\|contains: '/AlternateShellStartup'`
			`- CommandLine\|endswith: '/r'`
fix: remove filter 2022-12-14 11:09:46 +01:00			`condition: all of selection_*`
[OSCD] Added a rule to detect execution of runonce with suspicious parameters 2020-10-18 22:38:13 -04:00			`falsepositives:`
Update Ref+Selection 2 2022-07-11 17:48:40 +01:00			`- Unknown`
Fixes and improvements 2021-04-03 00:00:43 +02:00			`level: low`