Correlation of Registry key creation/modification events under known Run/Startup keys with new or unusual binary paths or script-based payloads. Multi-event detection includes registry modification followed by process execution from non-standard directories or abnormal parent-child process relationships.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Windows Registry Key Modification (DC0063) | WinEventLog:Sysmon | EventCode=13 |
| File Creation (DC0039) | WinEventLog:Microsoft-Windows-Shell-Core | New startup folder shortcut or binary placed in Startup directory |

| Field | Description |
|---|---|
| ImagePath | Full path of the binary/script being registered in Run keys. Tunable to exclude known software baselines. |
| RegistryKeyPath | Tunable list of startup-related registry keys to monitor more/less aggressively based on enterprise software context. |
| TimeWindow | Correlate registry key creation and process execution within this window. Defaults between 5–10 minutes. |
| UserContext | Filter for specific user SIDs or exclude known admin/script accounts. |