Office Autorun Keys Modification (baecf8fb-edbf-429f-9ade-31fc3f22b970)

Detects modification of an autostart extensibility point (ASEP) in the registry. Adversaries may modify these keys to execute malicious code when Office files are opened. Various legitimate add-ins also use these keys, and this filter list might not be exhaustive. It is therefore recommended to review and tune the filters for your environment to reduce false positives before deploying to production.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Office Autorun Keys Modification (baecf8fb-edbf-429f-9ade-31fc3f22b970) | Sigma-Rules | Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) | Attack Pattern | 1 |
| Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) | Attack Pattern | Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) | Attack Pattern | 2 |