Windows registry persistence audit: Run / RunOnce / Winlogon / SilentProcessExit deep audit (R1–R6), completing the cross-platform persistence story.
Closes the third leg of the cross-platform persistence story (macOS launchd + Linux systemd / cron / shell rc + Windows registry). The windows.registry_persistence collector already enumerates the canonical persistence keys, but until this detector none audited those artifacts for malicious patterns.
Scope
Consumes windows.registry_persistence Artifacts. The subkey classifier dispatches the audit by suffix match:

- \Run / \RunOnce (HKLM, HKCU, WOW6432Node)
- ...\Winlogon
- ...\SilentProcessExit

IFEO / COM CLSID / Office add-ins are collected, but a deep audit for them is a clean follow-up iteration (the collector's subkey_sample field has the binary names but not the per-binary Debugger / MonitorProcess sub-values).
Detection layers (R1–R6)
| ID | Severity | What it catches | MITRE |
|---|---|---|---|
| R1 | high | Run/RunOnce value with writable-path command. %TEMP%, %APPDATA%\Local\Temp, %PUBLIC%, %USERPROFILE%\Downloads, \Windows\Temp, \ProgramData\Temp. | T1547.001 |
| R2 | high | Run/RunOnce value with LOLBin proxy executor: rundll32 / mshta / regsvr32 / wscript / cscript / installutil / msbuild / certutil / bitsadmin / msxsl. | T1218 |
| R3 | high | Run/RunOnce value with encoded PowerShell — -EncodedCommand / -enc. Most common Windows-malware entry-point per ten years of MITRE-published incident reports. | T1059.001 |
| R4 | high | Run/RunOnce value with network-fetch (curl / wget / Invoke-WebRequest / certutil -urlcache / bitsadmin /transfer). | T1547.001 |
| R5 | critical | Winlogon Shell or Userinit overridden from defaults (explorer.exe / C:\Windows\System32\userinit.exe,). Textbook user-session takeover. | T1547.004 |
| R6 | high | SilentProcessExit has MonitorProcess subkeys — covert-IFEO ghost-process surveillance / re-spawn on EDR kill. | T1546.012 |
Operational notes
_first_token_basename() handles both quoted ("C:\X\my app.exe" --flag) and unquoted (foo.exe arg) command forms, stripping .exe for a clean basename match. Non-string registry values (REG_DWORD integers, etc.) are stringified, so the detector never crashes on unexpected types.
The Windows registry collector runs as part of digger collect; the detector runs at digger scan time.
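As an added example (not code from the digger project itself), a compact Python audit that mirrors the R1–R6 rules from the table and the quoted/unquoted basename handling from the operational notes. The artifact shape (a dict with subkey, values and, for SilentProcessExit, a subkeys map), the function names and the sample Run key are assumptions constructed for the example.

```python
import re

WRITABLE_PATHS = ("%temp%", r"%appdata%\local\temp", "%public%",
                  r"%userprofile%\downloads", r"\windows\temp", r"\programdata\temp")
LOLBINS = set("rundll32 mshta regsvr32 wscript cscript installutil msbuild certutil bitsadmin msxsl".split())
NET_FETCH = ("curl", "wget", "invoke-webrequest", "certutil -urlcache", "bitsadmin /transfer")
WINLOGON_DEFAULTS = {"shell": "explorer.exe", "userinit": r"c:\windows\system32\userinit.exe,"}
ENCODED_PS = re.compile(r"(?:^|\s)-enc(?:odedcommand)?\b", re.IGNORECASE)

def first_token_basename(command):
    r"""Executable basename from a quoted ("C:\X\my app.exe" --flag) or unquoted (foo.exe arg) command."""
    text = str(command).strip()  # REG_DWORD and other non-string data is stringified, never raises
    token = text[1:].split('"', 1)[0] if text.startswith('"') else (text.split(None, 1) or [""])[0]
    base = token.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return base[:-4] if base.endswith(".exe") else base

def audit(artifact):
    """Dispatch one collected key by subkey suffix; return [(rule, severity, value_or_binary), ...]."""
    key = artifact["subkey"].lower()
    values = {name: str(data) for name, data in artifact.get("values", {}).items()}
    findings = []
    if key.endswith(("\\run", "\\runonce")):
        for name, data in values.items():
            low = data.lower()
            if any(p in low for p in WRITABLE_PATHS):
                findings.append(("R1", "high", name))
            if first_token_basename(data) in LOLBINS:
                findings.append(("R2", "high", name))
            if ENCODED_PS.search(data):
                findings.append(("R3", "high", name))
            if any(n in low for n in NET_FETCH):
                findings.append(("R4", "high", name))
    elif key.endswith("\\winlogon"):
        for name, data in values.items():
            default = WINLOGON_DEFAULTS.get(name.lower())
            if default and data.strip().lower() != default:
                findings.append(("R5", "critical", name))
    elif key.endswith("\\silentprocessexit"):
        # Assumed shape: artifact["subkeys"] maps each per-binary subkey name to its value dict.
        for binary, subvalues in artifact.get("subkeys", {}).items():
            if any(v.lower() == "monitorprocess" for v in subvalues):
                findings.append(("R6", "high", binary))
    return findings

SAMPLE = {"subkey": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "values": {  # constructed sample
    "OneDrive": r'"C:\Program Files\OneDrive\OneDrive.exe" /background',
    "Updater": r'"%TEMP%\upd.exe" --quiet', "Helper": r"wscript.exe %PUBLIC%\helper.vbs"}}

if __name__ == "__main__":
    print(audit(SAMPLE))  # [('R1', 'high', 'Updater'), ('R1', 'high', 'Helper'), ('R2', 'high', 'Helper')]
```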