From 29c4c19d597a2c6b2e141e22f59162e15b4a2a90 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Mon, 6 Oct 2025 09:24:33 +0100
Subject: [PATCH] [Tuning] Startup or Run Key Registry Modification (#5137)

* [Tuning] Startup or Run Key Registry Modification

high percentage of the FPs are for programfiles and localappdata files in the registry data string value. This tuning should drop FPs/volume significantly.

* Update rules/windows/persistence_run_key_and_startup_broad.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---
 ...persistence_run_key_and_startup_broad.toml | 241 +++---------------
 1 file changed, 29 insertions(+), 212 deletions(-)

diff --git a/rules/windows/persistence_run_key_and_startup_broad.toml b/rules/windows/persistence_run_key_and_startup_broad.toml
index 844770fd1..6cdfda1c0 100644
--- a/rules/windows/persistence_run_key_and_startup_broad.toml
+++ b/rules/windows/persistence_run_key_and_startup_broad.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/05/08"
+updated_date = "2025/09/18"
 
 [transform]
 [[transform.osquery]]
@@ -137,217 +137,34 @@ registry where host.os.type == "windows" and event.type == "change" and
 not registry.data.strings : "ctfmon.exe /n" and
 not (registry.value : "Application Restart #*" and process.name : "csrss.exe") and
 not user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20") and
- not registry.data.strings : ("?:\\Program Files\\*.exe", "?:\\Program Files (x86)\\*.exe") and
- not process.executable : ("?:\\Windows\\System32\\msiexec.exe", "?:\\Windows\\SysWOW64\\msiexec.exe") and
- not (
- /* Logitech G Hub */
- (
- process.code_signature.trusted == true and process.code_signature.subject_name == "Logitech Inc" and
- (
- process.name : "lghub_agent.exe" and registry.data.strings : (
- "\"?:\\Program Files\\LGHUB\\lghub.exe\" --background",
- "\"?:\\Program Files\\LGHUB\\system_tray\\lghub_system_tray.exe\" --minimized"
- )
- ) or
- (
- process.name : "LogiBolt.exe" and registry.data.strings : (
- "?:\\Program Files\\Logi\\LogiBolt\\LogiBolt.exe --startup",
- "?:\\Users\\*\\AppData\\Local\\Logi\\LogiBolt\\LogiBolt.exe --startup"
- )
- )
- ) or
-
- /* Google Drive File Stream, Chrome, and Google Update */
- (
- process.code_signature.trusted == true and process.code_signature.subject_name == "Google LLC" and
- (
- process.name : "GoogleDriveFS.exe" and registry.data.strings : (
- "\"?:\\Program Files\\Google\\Drive File Stream\\*\\GoogleDriveFS.exe\" --startup_mode"
- ) or
-
- process.name : "chrome.exe" and registry.data.strings : (
- "\"?:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --no-startup-window /prefetch:5",
- "\"?:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\" --no-startup-window /prefetch:5"
- ) or
-
- process.name : ("GoogleUpdate.exe", "updater.exe") and registry.data.strings : (
- "\"?:\\Users\\*\\AppData\\Local\\Google\\Update\\*\\GoogleUpdateCore.exe\"",
- "\"?:\\Users\\*\\AppData\\Local\\Google\\GoogleUpdater\\*\\updater.exe\" --wake"
- )
- )
- ) or
-
- /* MS Programs */
- (
- process.code_signature.trusted == true and process.code_signature.subject_name in ("Microsoft Windows", "Microsoft Corporation") and
- (
- process.name : "msedge.exe" and registry.data.strings : (
- "\"?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window --win-session-start /prefetch:5",
- "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --win-session-start",
- "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window --win-session-start"
- ) or
-
- process.name : ("Update.exe", "Teams.exe", "ms-teamsupdate.exe") and registry.data.strings : (
- "?:\\Users\\*\\AppData\\Local\\Microsoft\\Teams\\Update.exe --processStart \"Teams.exe\" --process-start-args \"--system-initiated\"",
- "?:\\ProgramData\\*\\Microsoft\\Teams\\Update.exe --processStart \"Teams.exe\" --process-start-args \"--system-initiated\"",
- "ms-teamsupdate.exe -UninstallT20"
- ) or
-
- process.name : ("OneDrive*.exe", "Microsoft.SharePoint.exe") and registry.data.strings : (
- "?:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background *",
- "?:\\Program Files (x86)\\Microsoft OneDrive\\OneDrive.exe /background*",
- "\"?:\\Program Files (x86)\\Microsoft OneDrive\\OneDrive.exe\" /background*",
- "\"?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background",
- "?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\??.???.????.????\\Microsoft.SharePoint.exe",
- "?:\\Windows\\system32\\cmd.exe /q /c * \"?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\*\""
- ) or
-
- process.name : "MicrosoftEdgeUpdate.exe" and registry.data.strings : (
- "\"?:\\Users\\*\\AppData\\Local\\Microsoft\\EdgeUpdate\\*\\MicrosoftEdgeUpdateCore.exe\""
- ) or
-
- process.executable : "?:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\*\\Installer\\setup.exe" and
- registry.data.strings : (
- "\"?:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\*\\Installer\\setup.exe\" --msedgewebview --delete-old-versions --system-level --verbose-logging --on-logon"
- ) or
-
- process.name : "BingWallpaper.exe" and registry.data.strings : (
- "C:\\Users\\*\\AppData\\Local\\Temp\\*\\UnInstDaemon.exe"
- ) or
-
- /* Discord Update.exe via reg.exe */
- process.name : "reg.exe" and registry.data.strings : (
- "\"C:\\Users\\*\\AppData\\Local\\Discord\\Update.exe\" --processStart Discord.exe"
- )
- )
- ) or
-
- /* Slack */
- (
- process.code_signature.trusted == true and process.code_signature.subject_name in (
- "Slack Technologies, Inc.", "Slack Technologies, LLC"
- ) and process.name : "slack.exe" and registry.data.strings : (
- "\"?:\\Users\\*\\AppData\\Local\\slack\\slack.exe\" --process-start-args --startup",
- "\"?:\\ProgramData\\*\\slack\\slack.exe\" --process-start-args --startup",
- "\"?:\\Program Files\\Slack\\slack.exe\" --process-start-args --startup"
- )
- ) or
-
- /* Cisco */
- (
- process.code_signature.trusted == true and process.code_signature.subject_name in ("Cisco WebEx LLC", "Cisco Systems, Inc.") and
- (
- process.name : "WebexHost.exe" and registry.data.strings : (
- "\"?:\\Users\\*\\AppData\\Local\\WebEx\\WebexHost.exe\" /daemon /runFrom=autorun"
- )
- ) or
- (
- process.name : "CiscoJabber.exe" and registry.data.strings : (
- "\"?:\\Program Files (x86)\\Cisco Systems\\Cisco Jabber\\CiscoJabber.exe\" /min"
- )
- )
- ) or
-
- /* Loom */
- (
- process.code_signature.trusted == true and process.code_signature.subject_name == "Loom, Inc." and
- process.name : "Loom.exe" and registry.data.strings : (
- "?:\\Users\\*\\AppData\\Local\\Programs\\Loom\\Loom.exe --process-start-args \"--loomHidden\""
- )
- ) or
-
- /* Adobe */
- (
- process.code_signature.trusted == true and process.code_signature.subject_name == "Adobe Inc." and
- process.name : ("Acrobat.exe", "FlashUtil32_*_Plugin.exe") and registry.data.strings : (
- "\"?:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\AdobeCollabSync.exe\"",
- "\"?:\\Program Files (x86)\\Adobe\\Acrobat DC\\Acrobat\\AdobeCollabSync.exe\"",
- "?:\\WINDOWS\\SysWOW64\\Macromed\\Flash\\FlashUtil32_*_Plugin.exe -update plugin"
- )
- ) or
-
- /* CCleaner */
- (
- process.code_signature.trusted == true and
- process.code_signature.subject_name in ("PIRIFORM SOFTWARE LIMITED", "Gen Digital Inc.") and
- process.name : ("CCleanerBrowser.exe", "CCleaner64.exe") and registry.data.strings : (
- "\"C:\\Program Files (x86)\\CCleaner Browser\\Application\\CCleanerBrowser.exe\" --check-run=src=logon --auto-launch-at-startup --profile-directory=\"Default\"",
- "\"C:\\Program Files\\CCleaner\\CCleaner64.exe\" /MONITOR"
- )
- ) or
-
- /* Opera */
- (
- process.code_signature.trusted == true and process.code_signature.subject_name == "Opera Norway AS" and
- process.name : ("opera.exe", "assistant_installer.exe") and registry.data.strings : (
- "?:\\Users\\*\\AppData\\Local\\Programs\\Opera\\launcher.exe",
- "?:\\Users\\*\\AppData\\Local\\Programs\\Opera\\opera.exe",
- "?:\\Users\\*\\AppData\\Local\\Programs\\Opera GX\\launcher.exe",
- "?:\\Users\\*\\AppData\\Local\\Programs\\Opera GX\\opera.exe",
- "?:\\Users\\*\\AppData\\Local\\Programs\\Opera\\assistant\\browser_assistant.exe"
- )
- ) or
-
- /* Avast */
- (
- process.code_signature.trusted == true and process.code_signature.subject_name == "Avast Software s.r.o." and
- process.name : "AvastBrowser.exe" and registry.data.strings : (
- "\"?:\\Users\\*\\AppData\\Local\\AVAST Software\\Browser\\Application\\AvastBrowser.exe\" --check-run=src=logon --auto-launch-at-startup*",
- "\"?:\\Program Files (x86)\\AVAST Software\\Browser\\Application\\AvastBrowser.exe\" --check-run=src=logon --auto-launch-at-startup*",
- ""
- )
- ) or
-
- /* Grammarly */
- (
- process.code_signature.trusted == true and process.code_signature.subject_name == "Grammarly, Inc." and
- process.name : "GrammarlyInstaller.exe" and registry.data.strings : (
- "?:\\Users\\*\\AppData\\Local\\Grammarly\\DesktopIntegrations\\Grammarly.Desktop.exe",
- "\"?:\\Users\\*\\AppData\\Local\\Grammarly\\DesktopIntegrations\\Grammarly.Desktop.exe\""
- )
- ) or
-
- /* AVG */
- (
- process.code_signature.trusted == true and process.code_signature.subject_name == "AVG Technologies USA, LLC" and
- process.name : "AVGBrowser.exe" and registry.data.strings : (
- "\"C:\\Program Files\\AVG\\Browser\\Application\\AVGBrowser.exe\"*",
- "\"C:\\Users\\*\\AppData\\Local\\AVG\\Browser\\Application\\AVGBrowser.exe\"*"
- )
- ) or
-
- /* HP */
- (
- process.code_signature.trusted == true and process.code_signature.subject_name == "HP Inc." and
- process.name : "ScanToPCActivationApp.exe" and registry.data.strings : (
- "\"C:\\Program Files\\HP\\HP*"
- )
- ) or
-
- /* 1Password */
- (
- process.code_signature.trusted == true and process.code_signature.subject_name == "Agilebits" and
- process.name : "1PasswordSetup*.exe" and registry.data.strings : (
- "\"C:\\Users\\*\\AppData\\Local\\1Password\\app\\?\\1Password.exe\" --silent"
- )
- ) or
-
- /* OpenVPN */
- (
- process.code_signature.trusted == true and process.code_signature.subject_name == "OpenVPN Inc." and
- process.name : "OpenVPNConnect.exe" and registry.data.strings : (
- "C:\\Program Files\\OpenVPN Connect\\OpenVPNConnect.exe --opened-at-login --minimize"
- )
- ) or
-
- /* Docker */
- (
- process.code_signature.trusted == true and process.code_signature.subject_name == "Docker Inc" and
- process.name: "com.docker.backend.exe" and registry.data.strings : (
- "C:\\Program Files\\Docker\\Docker\\Docker Desktop.exe -Autostart"
- )
- )
- )
+ not registry.data.strings : ("*:\\Program Files\\*",
+ "*:\\Program Files (x86)\\*",
+ "*:\\Users\\*\\AppData\\Local\\*",
+ "* --processStart *",
+ "* --process-start-args *",
+ "ms-teamsupdate.exe -UninstallT20",
+ " ",
+ "grpconv -o", "* /burn.runonce*", "* /startup",
+ "?:\\WINDOWS\\SysWOW64\\Macromed\\Flash\\FlashUtil32_*_Plugin.exe -update plugin") and
+ not process.executable : ("?:\\Windows\\System32\\msiexec.exe",
+ "?:\\Windows\\SysWOW64\\msiexec.exe",
+ "D:\\*",
+ "\\Device\\Mup*",
+ "C:\\Windows\\SysWOW64\\reg.exe",
+ "C:\\Windows\\System32\\changepk.exe",
+ "C:\\Windows\\System32\\netsh.exe",
+ "C:\\$WINDOWS.~BT\\Sources\\SetupPlatform.exe",
+ "C:\\$WINDOWS.~BT\\Sources\\SetupHost.exe",
+ "C:\\Program Files\\Cisco Spark\\CiscoCollabHost.exe",
+ "C:\\Sistemas\\Programas MP\\CCleaner\\CCleaner64.exe",
+ "C:\\Program Files (x86)\\FastTrack Software\\Admin By Request\\AdminByRequest.exe",
+ "C:\\Program Files (x86)\\Exclaimer Ltd\\Cloud Signature Update Agent\\Exclaimer.CloudSignatureAgent.exe",
+ "C:\\ProgramData\\Lenovo\\Vantage\\AddinData\\LenovoBatteryGaugeAddin\\x64\\QSHelper.exe",
+ "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\*\\Installer\\setup.exe",
+ "C:\\ProgramData\\bomgar-scc-*\\bomgar-scc.exe",
+ "C:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil*_pepper.exe",
+ "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\*.EXE",
+ "C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\*\\AdobeARM.exe")
 '''
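Review bot: The new `registry.data.strings` exclusion in this hunk drops the `process.code_signature.trusted == true` gate that every removed per-vendor clause carried, so a Run-key value pointing anywhere under `*:\\Users\\*\\AppData\\Local\\*` (which includes `AppData\\Local\\Temp`) or containing a `Program Files` path anywhere in the string is now excluded regardless of which process wrote it, and user-writable `AppData\\Local` is a common location for unsigned payloads that persist via these keys. The leading `*` on `"*:\\Program Files\\*"`, `"* --processStart *"` and `"* /startup"` widens this further, since it matches the argument portion of an arbitrary command as well as the executable. If the FP data supports it, consider keeping a trust gate around the path-based entries, e.g. `not (process.code_signature.trusted == true and registry.data.strings : ("?:\\Program Files\\*", "\"?:\\Program Files\\*", "?:\\Users\\*\\AppData\\Local\\*", "\"?:\\Users\\*\\AppData\\Local\\*"))`, anchored at the start of the string rather than `*:`, while leaving the exact-string entries (`"ms-teamsupdate.exe -UninstallT20"`, `" "`, `"grpconv -o"`) unconditional. The added `process.executable` entries `"D:\\*"` and `"\\Device\\Mup*"` likewise exclude any writer launched from a secondary drive or a network share without a signature check; a short `/* */` comment recording the telemetry reason for each would help the next tuner judge whether they still hold. The `query` block this hunk edits begins before line 137, outside the hunk.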