Skip to content

Hide Navigation Hide TOC

Suspicious Autorun Registry Modified via WMI (c80e66d8-1780-48a9-b412-46663fd21ac0)

Detects suspicious activity where the WMIC process is used to create an autorun registry entry via reg.exe, which is often indicative of persistence mechanisms employed by malware.

Cluster A Galaxy A Cluster B Galaxy B Level
Suspicious Autorun Registry Modified via WMI (c80e66d8-1780-48a9-b412-46663fd21ac0) Sigma-Rules Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern 1
Suspicious Autorun Registry Modified via WMI (c80e66d8-1780-48a9-b412-46663fd21ac0) Sigma-Rules Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 1
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 2