From 01bed616239e1f737f75773c2a16045f403a8e46 Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Mon, 23 Dec 2024 15:46:14 +0100
Subject: [PATCH] chore(rules): Expand registry persistence keys list macro

Include registry paths that adversaries can use to run programs to automatically launch at boot.
---
 rules/macros/macros.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/rules/macros/macros.yml b/rules/macros/macros.yml
index f08852f4b..95695f2c4 100644
--- a/rules/macros/macros.yml
+++ b/rules/macros/macros.yml
@@ -297,7 +297,11 @@
 "HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Startup\\Script",
 "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Ctf\\LangBarAddin\\*\\FilePath",
 "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Exec",
- "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Command Processor\\Autorun"
+ "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Command Processor\\Autorun",
+ "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\BootExecute",
+ "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\SetupExecute",
+ "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Execute",
+ "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\S0InitialCommand"
 ]
 description: |
 Contains the patterns for the registry keys which are commonly abused for
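Review bot: The four new Session Manager entries are spelled with `CurrentControlSet`, which is only an alias the kernel resolves to a concrete `ControlSet00N` key; if the registry event source reports the resolved path, these patterns will never match, whereas the list already uses glob wildcards (`LangBarAddin\\*\\FilePath`), so `"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet*\\Control\\Session Manager\\BootExecute"` (and likewise for the other three) would cover both spellings. `BootExecute` is also a multi-string value with a legitimate default (`autocheck autochk *`) that setup and chkdsk rewrite on their own, so a rule consuming this macro that alerts on every write to it will be noisy unless it compares the written value against the expected content; the consuming rules are outside this hunk, so that may already be handled there. The enclosing macro definition starts before the hunk.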