Why It is Important
Unexpected changes to the startup (autorun) registry keys can be a sign of malware. For example, if a keylogger writes a value under a Run key, Windows launches that program every time the system starts or the user logs on. If the change goes unnoticed and is not remediated, users' passwords may be stolen.
Native Auditing
- Open Group Policy Management (gpmc.msc) → Create a new GPO → Edit it: Go to "Computer Configuration" → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy:
- Audit object access → Define → "Success" and "Failure". (If the domain enforces "Audit: Force audit policy subcategory settings to override audit policy category settings", this legacy category is ignored; in that case enable Advanced Audit Policy Configuration → Audit Policies → Object Access → "Audit Registry" for Success and Failure instead.)
- Go to Event Log → Define:
- Maximum security log size: 4 GB
- Retention method for security log: "Overwrite events as needed".
Link the new GPO to OU with Windows servers: Go to "Group Policy Management" → Right-click the defined OU → Choose "Link an Existing GPO" → Choose the GPO that you’ve created.
Force the group policy update: In "Group Policy Management" right-click on the defined OU → Click "Group Policy Update".
Run "regedit" → Navigate to "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" → Right-click the "Run" key and select "Permissions" → Click "Advanced" → Select the "Auditing" tab → Click "Add":
- Select Principal: "Everyone"
- Select Type: "All"
- Select Applies to: "This key and subkeys"
- Select Advanced Permissions: "Create Subkey", "Set Value", "Create Link", "Write DAC", and "Delete".
- Take the same steps with the following registry keys:
- HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
- HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
- HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components
Two caveats: HKCU in regedit is only the hive of the user currently logged on, so a SACL set there does not cover other user profiles on the machine; and the Wow6432Node Run key is the 32-bit view only, so the native 64-bit key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run should be audited in the same way.
- Open Event Viewer → Filter the Security log for event ID 4657 ("A registry value was modified"). Subkey creation, deletion and permission changes are recorded as event ID 4663 ("An attempt was made to access an object") with the same ObjectName field, so filter on both IDs.
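The same procedure done from PowerShell, as an added example that is not part of the original page: it enables the Registry audit subcategory, applies the SACL entry described above to the listed keys, and then parses Security-log events and keeps only those that touch a startup key. The native 64-bit HKLM Run key is included as an addition the page does not list, the function names are my own, and the sample event XML at the bottom is constructed so the parser can be exercised without a live log. Run it in an elevated 64-bit session, since setting a SACL needs SeSecurityPrivilege.

```powershell
# Added example, not code from the original page. Run elevated (SeSecurityPrivilege is
# required to read or write a SACL, and admin rights are required to read the Security log).

$StartupKeys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',            # addition, not listed on the page
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components'
)

function Enable-StartupKeyAuditing {
    # Object Access -> Registry must be on, otherwise no SACL ever produces an event.
    auditpol /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null

    # Same entry the page configures in regedit: Everyone, Success+Failure, this key and
    # subkeys, Create Subkey / Set Value / Create Link / Write DAC (ChangePermissions) / Delete.
    $rights = [System.Security.AccessControl.RegistryRights]'CreateSubKey, SetValue, CreateLink, ChangePermissions, Delete'
    $rule = [System.Security.AccessControl.RegistryAuditRule]::new(
        'Everyone', $rights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]'Success, Failure')

    foreach ($path in $StartupKeys) {
        if (-not (Test-Path $path)) { Write-Warning "Key not found: $path"; continue }
        $acl = Get-Acl -Path $path -Audit      # -Audit fetches the SACL, not just the DACL
        $acl.AddAuditRule($rule)
        Set-Acl -Path $path -AclObject $acl
    }
}

# ObjectName in 4657/4663 uses kernel paths (\REGISTRY\MACHINE\..., \REGISTRY\USER\<SID>\...).
# Match the key itself or anything beneath it, in either the 32-bit or 64-bit view.
$StartupKeyPattern = '\\(Wow6432Node\\)?Microsoft\\(Windows\\CurrentVersion\\Run|Active Setup\\Installed Components)(\\|$)'

function Test-StartupKeyPath {
    param([string]$ObjectName)
    return [bool]($ObjectName -match $StartupKeyPattern)
}

function ConvertFrom-RegistryAuditEvent {
    # Turns the XML of a 4657 or 4663 event into a flat object with the fields an analyst wants.
    param([Parameter(Mandatory)][string]$EventXml)
    [xml]$x = $EventXml
    $f = @{}
    foreach ($d in $x.Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
    $idNode = $x.Event.System.EventID
    $id = if ($idNode -is [System.Xml.XmlElement]) { [int]$idNode.'#text' } else { [int]$idNode }
    [pscustomobject]@{
        TimeCreated = [datetime]$x.Event.System.TimeCreated.SystemTime
        EventId     = $id
        User        = "$($f['SubjectDomainName'])\$($f['SubjectUserName'])"
        Key         = $f['ObjectName']
        ValueName   = $f['ObjectValueName']
        NewValue    = $f['NewValue']
        Process     = $f['ProcessName']
    }
}

function Get-StartupKeyModification {
    # Live search: 4657 = value modified, 4663 = subkey created/deleted/permissions changed.
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657, 4663; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-RegistryAuditEvent $_.ToXml() } |
        Where-Object { Test-StartupKeyPath $_.Key }
}

# Constructed sample 4657 event (not a real capture): a user-profile binary registering itself
# in the HKCU Run key. Lets the parser and the filter be checked without touching the live log.
$SampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4657</EventID>
    <TimeCreated SystemTime="2024-01-15T08:12:33.1234567Z"/>
    <Computer>WS01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">alice</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="ObjectName">\REGISTRY\USER\S-1-5-21-1-2-3-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</Data>
    <Data Name="ObjectValueName">Updater</Data>
    <Data Name="OldValue"></Data>
    <Data Name="NewValue">C:\Users\alice\AppData\Roaming\svc\updater.exe</Data>
    <Data Name="ProcessName">C:\Users\alice\AppData\Roaming\svc\updater.exe</Data>
  </EventData>
</Event>
'@

$e = ConvertFrom-RegistryAuditEvent $SampleEvent
if (Test-StartupKeyPath $e.Key) {
    "$($e.TimeCreated.ToString('u')) $($e.User) set $($e.ValueName)=$($e.NewValue) via $($e.Process)"
}
```

Call Enable-StartupKeyAuditing once per machine (or push the same SACL through a GPO "Registry" security setting so it also lands in hives of users who are not logged on), then schedule Get-StartupKeyModification or forward 4657/4663 to your SIEM and apply the same ObjectName filter there. Triage on ProcessName and NewValue: a Run value pointing into a user-writable directory such as AppData, written by a process from that same directory, is the pattern the page warns about.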
Screenshot: https://img.netwrix.com/landings/howtofriday/28/native.png
Credits
Originally posted - https://www.netwrix.com/how_to_detect_modification_to_startup_items.html