How to Detect Modifications to Startup Items in the Windows Registry
Why It is Important
Suspicious changes in startup registry keys may be a sign of malware activity. For example, if a keylogger creates a registry key, this program will be launched by default every time the system starts. If it stays unnoticed and appropriate measures are not taken, there is a chance that users’ passwords will be stolen.
Native Auditing
- Run gpedit.msc → Create a new GPO → Edit it: Go to "Computer Configuration" → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy:
  - Audit object access → Define → "Success" and "Failure".
- Go to Event Log → Define:
  - Maximum security log size to 4 GB
  - Retention method for security log to "Overwrite events as needed".
Link the new GPO to the OU with Windows servers: Go to "Group Policy Management" → Right-click the defined OU → Choose "Link an Existing GPO" → Choose the GPO that you've created.
Force the group policy update: In "Group Policy Management" right-click the defined OU → Click "Group Policy Update".
Run "regedit" → Navigate to "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" → Right-click the "Run" key and select "Permissions" → Click "Advanced" → Select the "Auditing" tab → Click the "Add" button:
- Select Principal: "Everyone"
- Select Type: "All"
- Select Applies to: "This key and subkeys"
- Select Advanced Permissions: "Create Subkey", "Set Value", "Create Link", "Write DAC", and "Delete".
- Take the same steps with the following registry keys:
  - HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
  - HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
  - HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components
- Open Event Viewer → Search security log for event ID 4657 (a registry value was modified).
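As an added example (not part of the original article): instead of searching the Security log by hand, this PowerShell script pulls the 4657 events for the audited startup keys and shows who changed which value, from which process. It assumes the auditing above is already configured and that it runs in an elevated session on the audited host; the OperationType code mapping is the one documented for event 4657.

```powershell
# Added example, not the article's own code. Reads the last 24 hours of
# event 4657 (a registry value was modified) and keeps only changes under
# the Run and Active Setup keys that were configured for auditing.

# ObjectName in 4657 is in kernel form, e.g.
#   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
#   \REGISTRY\USER\<SID>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
# This regex matches both HKLM/HKCU and the Wow6432Node variants, and
# anchors "Run" so RunOnce/RunServices are not swept in by accident.
$WatchedKeys = '\\Microsoft\\Windows\\CurrentVersion\\Run$|\\Microsoft\\Active Setup\\Installed Components'

$Filter = @{
    LogName   = 'Security'
    Id        = 4657
    StartTime = (Get-Date).AddHours(-24)
}

Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Parse the event XML so fields can be read by name rather than by
    # positional Properties[] index, which differs between event versions.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Skip anything that is not one of the monitored startup keys.
    if ($data['ObjectName'] -notmatch $WatchedKeys) { return }

    # Translate the OperationType message code into readable text.
    $op = switch ($data['OperationType']) {
        '%%1904' { 'Value created' }
        '%%1905' { 'Value modified' }
        '%%1906' { 'Value deleted' }
        default  { $data['OperationType'] }
    }

    [pscustomobject]@{
        Time      = $_.TimeCreated
        User      = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Process   = $data['ProcessName']
        Key       = $data['ObjectName']
        ValueName = $data['ObjectValueName']
        Operation = $op
        OldValue  = $data['OldValue']
        NewValue  = $data['NewValue']
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
```

A new value whose NewValue points at an unfamiliar executable, written by an unexpected process or user account, is the case worth investigating first.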
Credits
Originally posted - https://www.netwrix.com/how_to_detect_modification_to_startup_items.html