Suspicious NT Windows Autorun Key Modification - Registry

Rule Info

Name
Suspicious NT Windows Autorun Key Modification - Registry
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects suspicious modification patterns to the Windows NT autorun key. This could be an indication of an adversary's attempt to persist in a stealthy manner.
Date
2025-04-23 00:00:00
Modified
None
Id
4ca28718-556e-48e1-8247-c4077f397096
Tags
attack.persistence attack.t1547.001
Type
Nextron Sigma feed only (private)

Rule History