15. RunKeyCheck
The RunKeyCheck
module processes entries in the RUN Key.
15.1. Samples
Aug 6 11:22:11 server11.local/10.252.8.237
THOR: Warning: MODULE: RunKeyCheck
MESSAGE: Suspicious file name in value detected
ELEMENT: "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
PATTERN: (?i)\msseces\.exe
SCORE: 60
DESC: Executable used by PlugX DLL side-loading in non-standard location Run Key Entry
NAME: MSC
VALUE: "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
FILE: C:\Program Files\Microsoft Security Client\msseces.exe
FIRSTBYTES: 4d5a90000300000004000000ffff0000b8000000 / MZ
SHA1: 71fac169a5f04af634d06c367e7d832e72c1cdf2
15.2. Typical False Positives
Elements matching known system files in suspicious locations (see example with
msseces.exe
)
15.3. Attribute Evaluation
Attribute |
Question |
Answer |
Indication |
Weight |
---|---|---|---|---|
USER |
Does the user name look suspicious to a human eye? (e.g. |
Yes |
Good |
Medium |
No |
Bad |
Medium |