SOC Investigation Report

Intel: Rule_Monitoring Suspicious Execution of Autorun Registry Keys

Executive Summary

This investigation was initiated following the detection of suspicious modifications to AutoRun registry keys, indicative of potential unauthorized software execution or persistence mechanisms. Analysis confirmed the activity stemmed from a user-initiated download outside the organization’s approved software deployment channels. The user reported issues with the version of Notepad++ available via Software Center and Coupa, prompting them to download an alternative version from the internet. While the behavior was not malicious, it constitutes a policy violation. The downloaded software was identified as grayware (PUP), and a removal request was submitted. The user was educated on proper software installation procedures. Closing this alert as Resolved | Bad BAU. (Location: Corp – South Africa)

Alert Details

This detection rule identifies suspicious modifications to AutoRun registry keys via Microsoft Defender for Endpoint (MDE), often leveraged by threat actors or unauthorized tools for persistence.

This alert was triggered on host JD-MKT-001 for user CORP\jdoe, following the detection of a registry key modification associated with the installation of Notepad++ software.

Raw command line string observed:
n/a in this case

Initial Enrichment

Source User: CORP\jdoe | John Doe | Marketing Analyst | Marketing Department | Cape Town
Source Host: JD-MKT-001.domain.local | IP: 192.168.10.45 | OS: Windows 10 Enterprise | AV Status: 1 alert in MDE

Endpoint & Network Analysis (Splunk + MDE Insights)

No abnormal login or process behavior detected in the past 24 hours.
Process Tree: explorer.exe > chrome.exe > notepadplus_setup.exe
Execution chain confirms user-initiated download via Chrome browser.
Download Source: http://freefiles.download/notepadplus_setup.exe
Registry Modification:
- Key Hive: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- Value Name: NotepadPlus
- Set Data: C:\Users\jdoe\AppData\Roaming\NotepadPlus\notepad++.exe
- Original Value: [None]
No evidence of suspicious child processes, lateral movement, or additional persistence mechanisms post-installation.
Based on current findings, this is categorized as bad BAU.

IOC & Threat Intelligence

VirusTotal: SHA256 hash flagged by 7 vendors as potentially unwanted (PUP)
VirusTotal Analysis: View on VirusTotal
urlscan.io: Domain freefiles.download is blacklisted — Scan Results
AbuseIPDB: n/a in this case unless there is an IP observed
Joe Sandbox: No malicious indicators observed in behavioral analysis

Documentation & Business Justification

Notepad++ is officially approved and available via Software Center and Coupa.
No Remedy ticket was logged for this installation.
User acknowledged bypassing policy due to issues with the approved version and was unaware of the associated risks.

Conclusion

User was advised on policy-compliant software installation procedures.
Work order submitted for software removal: WO0026738637388
Investigation concluded that the activity was user-driven and not malicious in nature.
No evidence of compromise or persistence beyond the initial execution.
Closing this alert as: Resolved | Bad BAU

Critical Artifacts Checklist (DO NOT FORGET TO COLLECT)

Hostname (FQDN): JD-MKT-001.domain.local
Devicename: JD-MKT-001
Source IP: 192.01.16.10
Account Domain: CORP\jdoe
EID: jdoe
Email ID: john.doe@company.com
Filename: notepadplus_setup.exe
File Hashes:
- SHA256: e4f6c9...f2d3
- SHA1: [to be collected]
- MD5: [to be collected]
File Source: http://freefiles.download/notepadplus_setup.exe
File Path: C:\Users\jdoe\Downloads\notepadplus_setup.exe
Command Line: N/A
Parent Process Path: N/A
User Location: Cape Town, ZA
Communication Evidence:
- Email or Teams screenshots documenting user justification
- Example: Screenshot provided showing user explanation for Notepad++ installation