Hunting CurrentVersion Run Key and Startup events
Hunting startup events can be tricky but rewarding. There are a lot of events which makes filtering difficult and there are some tricks to isolating the data. One way is to look at the registry keys and directories being written too but for hunting I assume that there are some past events that were missed. Here is a method of profiling the events at run time.
For events from currentversion/run or start menu events the parent will be explorer.exe and the grandparent will be userinit.exe. But, they need to occur in a smallish time from after userinit executes.
This example is limiting the results to keywords .vbs .wsf .bat, but we can look for all sorts of interesting things, hta files, powershell, temp directory, etc.
Run key or Start Menu .vbs .wsf .bat
- The OR statement groups two types of process events, explorer.exe where the parent is userinit.exe, and explorer as the parent where we match the keywords .vbs or .wsf or .bat. The NOT is for keyword filters which we will need quit a few of to get rid of normal startup events.
- The bucket is important and anchors the signature to the first 5 minutes of operation. I found 1 minute to be too short but you can play with it.
- The stats is where we group the events where explorer is both parent and child from the two types of events. It is dirty because the data is in multivalue fields and can be out of order and contains non pertinent events like the userinit as parent to explorer. In practice it works pretty well visually.
- The last statement is to make sure we have at least two different parents, one will be userinit and the other explorer. Explorer as parent are the target events.
Here is an example that uses this technique.
Wscript calls powershell which creates a .url file in startup.
On the next startup explorer as parent runs the .url file which is executed by wscript.exe.