Correlation of registry key modification for Run/RunOnce with abnormal parent-child process relationships and outlier execution at user logon or system startup

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| Windows Registry Key Modification (DC0063) | WinEventLog:Sysmon | EventCode=13 |

| Field | Description |
|---|---|
| ParentProcessName | Customize based on expected parent-child process lineage for autostarts |
| StartupRegistryPath | May vary based on organization policy or installed software |
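The correlation described above, written out as an added example (not part of the original analytic): Sysmon EventCode=13 writes to a Run/RunOnce value are joined with Security EventCode=4688 launches of the written payload, and a launch is flagged when its parent is not one of the expected autostart parents. The expected-parent set, the correlation window and the sample events are assumptions chosen for the example.

```python
from datetime import datetime, timedelta

# Assumptions (tunable, matching the ParentProcessName and StartupRegistryPath
# mutable elements above): expected autostart parents and the write-to-launch window.
RUN_KEYS = ("\\CurrentVersion\\Run\\", "\\CurrentVersion\\RunOnce\\")
EXPECTED_PARENTS = {"explorer.exe", "userinit.exe", "runonce.exe", "services.exe"}
WINDOW = timedelta(minutes=30)

def extract_image(details):
    """Pull the executable path out of a Run value (quoted or not), lower-cased."""
    d = details.strip()
    if d.startswith('"'):
        return d[1:d.index('"', 1)].lower()
    return d.split(" ", 1)[0].lower()

def run_key_writes(events):
    """(time, image) for each Sysmon EventCode=13 event that set a Run/RunOnce value."""
    return [(e["time"], extract_image(e["Details"])) for e in events
            if e["source"] == "Sysmon" and e["EventCode"] == 13
            and any(k in e["TargetObject"] for k in RUN_KEYS)]

def correlate(events):
    """Alert on 4688 launches of a just-written Run-key payload from an unexpected parent."""
    writes = run_key_writes(events)
    alerts = []
    for e in events:
        if e["source"] != "Security" or e["EventCode"] != 4688:
            continue
        image = e["NewProcessName"].lower()
        parent = e["ParentProcessName"].rsplit("\\", 1)[-1].lower()
        for t, written in writes:
            if image == written and t <= e["time"] <= t + WINDOW \
                    and parent not in EXPECTED_PARENTS:
                alerts.append({"time": e["time"], "image": image, "parent": parent})
    return alerts

# Constructed sample events (not real telemetry): one Run-key write, then the payload
# launched first from powershell.exe (suspect) and later from explorer.exe (expected).
T0 = datetime(2024, 1, 1, 8, 0, 0)
SAMPLE = [
    {"source": "Sysmon", "EventCode": 13, "time": T0,
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": '"C:\\Users\\bob\\AppData\\Roaming\\updater.exe" /silent'},
    {"source": "Security", "EventCode": 4688, "time": T0 + timedelta(minutes=2),
     "NewProcessName": "C:\\Users\\bob\\AppData\\Roaming\\updater.exe",
     "ParentProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"source": "Security", "EventCode": 4688, "time": T0 + timedelta(minutes=5),
     "NewProcessName": "C:\\Users\\bob\\AppData\\Roaming\\updater.exe",
     "ParentProcessName": "C:\\Windows\\explorer.exe"},
]
```

Running `correlate(SAMPLE)` yields a single alert for the powershell.exe-parented launch; the explorer.exe launch matches the expected logon lineage and is not flagged.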
Correlates creation/modification of systemd service files or /etc/init.d scripts with outlier process behavior during boot

| Data Component | Name | Channel |
|---|---|---|
| File Creation (DC0039) | auditd:SYSCALL | creat |
| File Modification (DC0061) | auditd:SYSCALL | write |
| Process Creation (DC0032) | auditd:SYSCALL | Execution of binaries located in /etc/init.d/ or systemd service paths |

| Field | Description |
|---|---|
| FilePath | Organizations may use different init systems or custom startup paths |
| UserContext | Autostart scripts should run as root or system users; deviations are suspect |
Observes creation or modification of LaunchAgent/LaunchDaemon property list files combined with anomalous plist payload execution after user logon

| Data Component | Name | Channel |
|---|---|---|
| Service Metadata (DC0041) | macos:unifiedlog | Observed loading of new LaunchAgent or LaunchDaemon plist |
| File Modification (DC0061) | macos:unifiedlog | write |
| Process Creation (DC0032) | macos:unifiedlog | Execution of binary listed in newly modified LaunchAgent plist |

| Field | Description |
|---|---|
| PlistKey | Organizations may use specific keys or additional payload parameters |
| TimeWindow | Tunable based on expected delay between plist write and execution |