Registry Boot Key Altered

Rule name: Registry Boot Key Altered

Rule type: Standard

Log sources: Windows, Sysmon

MITRE ATT&CK tags: Defense Evasion: Modify Registry (T1112)

Severity: Critical

About the rule

Rule Type

Standard

Rule Description

Detects changes to the registry keys that control which programs run during the boot process. Specifically, it monitors the "BootExecute" value within the Session Manager, which can be abused to launch malware before the OS fully loads.

Why this rule?

Modifications to registry boot keys can establish persistence that activates during system startup, ensuring malware runs automatically. This technique gives attackers reliable re-entry to compromised systems even after reboots or remediation attempts. Early detection of boot key changes is essential to prevent persistent compromise.

Severity

Trouble

Rule journey

Attack chain scenario

Execution → Persistence → Registry Modification (Boot Key) → Automatic execution of malicious binary on system startup.

Impact

Establishment of persistent access that survives system reboots and may execute before many security services have fully started.

Rule Requirement

Prerequisites

Enable Registry auditing for the path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager.

Criteria

Action1: actionname = "Registry Event"
  AND ( OBJECTNAME contains "CurrentVersion\IniFileMapping\system.ini\boot" )
  AND ( OBJECTNAME contains "Shell" OR OBJECTVALUENAME contains "Shell" )
select Action1.HOSTNAME, Action1.MESSAGE, Action1.PROCESSNAME, Action1.OBJECTNAME, Action1.OBJECTVALUENAME, Action1.ACCESSES, Action1.USERNAME, Action1.DOMAIN, Action1.PREVVAL, Action1.CHANGES, Action1.INFORMATION

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Defense Evasion: Modify Registry (T1112)

Future actions

Known False Positives

Legitimate system updates, disk checking utilities (chkdsk), or specialized maintenance software that requires a one-time execution during boot.

Next Steps

  1. Identification: Verify the specific command or path added to the BootExecute key.
  2. Analysis: Cross-reference the added binary with known-good system files.
  3. Response: Revert the registry key to its default state (autocheck autochk *) if the entry is unauthorized.
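As an added example (not code from this rule page or the vendor's product), the following Python applies the Criteria above to a few constructed registry events and then checks a BootExecute value against the default quoted in Next Steps. The Action1.* field names are taken from the criteria; the case-insensitive reading of "contains", the sample events and the placeholder entry name are assumptions.

```python
from typing import Dict, List

# Default BootExecute value on a clean Windows install, as quoted in Next Steps.
DEFAULT_BOOT_EXECUTE = ["autocheck autochk *"]

# Constructed sample events using the rule's Action1.* field names; not real logs.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"actionname": "Registry Event", "HOSTNAME": "WS01", "USERNAME": "jdoe",
     "PROCESSNAME": r"C:\Windows\regedit.exe",
     "OBJECTNAME": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\boot",
     "OBJECTVALUENAME": "Shell"},
    {"actionname": "Registry Event", "HOSTNAME": "WS01", "USERNAME": "SYSTEM",
     "PROCESSNAME": r"C:\Windows\System32\svchost.exe",
     "OBJECTNAME": r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager",
     "OBJECTVALUENAME": "BootExecute"},   # different key: not matched by the criteria
    {"actionname": "Process Create", "HOSTNAME": "WS02", "USERNAME": "jdoe",
     "PROCESSNAME": r"C:\Windows\regedit.exe",
     "OBJECTNAME": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\boot",
     "OBJECTVALUENAME": "Shell"},         # wrong action type: not matched
]

def matches_rule(event: Dict[str, str]) -> bool:
    """Implements the Criteria block; 'contains' is assumed to be case-insensitive."""
    if event.get("actionname") != "Registry Event":
        return False
    obj = event.get("OBJECTNAME", "").lower()
    val = event.get("OBJECTVALUENAME", "").lower()
    if r"currentversion\inifilemapping\system.ini\boot" not in obj:
        return False
    return "shell" in obj or "shell" in val

SELECT_FIELDS = ("HOSTNAME", "PROCESSNAME", "OBJECTNAME", "OBJECTVALUENAME", "USERNAME")

def alert_rows(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the selected fields for every event that satisfies the rule."""
    return [{f: e.get(f, "") for f in SELECT_FIELDS} for e in events if matches_rule(e)]

def unexpected_boot_execute(entries: List[str]) -> List[str]:
    """Next Steps 1-2: BootExecute entries (REG_MULTI_SZ lines) that differ from the default."""
    defaults = {d.lower() for d in DEFAULT_BOOT_EXECUTE}
    return [e for e in entries if e.strip() and e.strip().lower() not in defaults]

if __name__ == "__main__":
    for row in alert_rows(SAMPLE_EVENTS):
        print("ALERT", row)
    # "placeholder_tool.exe" is a constructed entry name, not a real indicator.
    print("unexpected:", unexpected_boot_execute(["autocheck autochk *", "placeholder_tool.exe"]))
```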

Mitigation

ID: M1024

Mitigation: Restrict Registry Permissions

Description: Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.